
Q&A: What is the format of Log Export messages? What are some samples or examples for WAF / DDoS / L7 DDoS / Threat Intelligence / iRule logs?

Question

What is the format of log export messages?

  • Log message samples
  • Log message examples
  • Log export message samples
  • Log export message examples 

Environment

  • Silverline WAF
  • Silverline DDoS
  • Silverline Shape Defense
  • Threat Intelligence
  • Log Export

 

Answer

  • F5 Silverline syslog messages are sent in the following formats:
    • Syslog (RFC3164 - BSD)
    • Syslog (RFC5424 - Enhanced Syslog)
    • CSV (comma-separated values)
    • JSON
  • If either of the Syslog options is used, messages will not include a delimiter to delineate one log message from the next, in accordance with RFC 3164 and RFC 5424.
  • Log message samples included in this article: DDoS, WAF, L7 DDoS, Threat Intelligence, and iRule (each has its own section below).

 

Log Message Format: DDoS

Sample Message (actual IPs redacted):

Jan 19 19:45:52 type = mitigation,addr = 192.168.51.30,blacklisted = no,countermeasure = filter,dst_port = 64163,mitigation = 172.16.208.x,prefixes = 172.16.208.0/25,protocol = 17,reason = filtered,rule = 0,src_port = 53

Explanation of Log Message fields:

  • Jan 19 19:45:52 <Timestamp of alert sent>
  • type = mitigation < The nature of the DDoS alert. Most, if not all, DDoS alerts are classified as "type = mitigation", because it is the mitigation that delivers the alert: a violation of the mitigation filter generates the log message. >
  • addr = 192.168.51.30 <IP address of client> -- Note: "addr" is the source IP address as it enters the Silverline scrubbing center.
  • blacklisted = no < Indicates whether the source IP is listed directly in the Silverline blacklist. >
  • countermeasure = filter < Action taken by the mitigation. In this case the packet matched a filter and the filter dropped it. >
  • dst_port = 64163 <Destination port of packets>
  • mitigation = 172.16.208.x < The "name" of the mitigation, usually the organization name, an underscore, and the IP or prefix. >
  • prefixes = 172.16.208.0/25 < The "Offramp Prefix" the SOC has decided to mitigate. This can be one IP, many single IPs, or entire network ranges; any CIDR notation is accepted. >
  • protocol = 17 < Protocol of the packets. protocol = 17 means UDP; for TCP it would be protocol = 6. >
  • reason = filtered < Reason for the log message / cause of the alert. In this case, a matched filter. >
  • rule = 0
  • src_port = 53 < Source port of packets >

 

Log Message Format: WAF

Sample Message (actual IPs redacted):

Apr 10 22:45:35 123.456.789.xxx 1 2019-04-10T22:45:29Z lab5.f5silverline.com log_export - - - type=waf, attack_type="Information Leakage", date_time="2019-04-10 22:45:28", dest_ip="123.456.789.xxx", dest_port="8083", geo_location="US", http_class_name="wafpolicy1", ip_client="32.123.43.xxx", method="DELETE", policy_apply_date="2019-03-20 21:29:45", policy_name="wafpolicy1", protocol="HTTP", query_string="", request_status="blocked", response_code="0", severity="Critical", sig_ids="", sig_names="", src_port="4840", support_id="1715xxxxxxxxxx", uri="/wafpolicy1", username="N/A", violations="Illegal method", web_application_name="wafpolicy1", x_forwarded_for_header_value="32.123.43.xxx", staged_sig_ids="", staged_sig_names="", sub_violations="HTTP protocol compliance failed:Host header contains IP address", attack_type="HTTP Parser Attack", violation_details="<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>40600000800a58a-c003000000000000</block><alarm>40600000800a58a-c003000000000000</alarm><learn>40200000800a58a-c000000000000000</learn><staging>0-0</staging></violation_masks><request-violations><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name><http_sanity_checks_status>2048</http_sanity_checks_status><http_sub_violation_status>2048</http_sub_violation_status><http_sub_violation>SG9zdCBoZWFkZXIgd2l0aCBJUCB2YWx1ZTogMTA3LjE2Mi4yMDguNDY=</http_sub_violation></violation></request-violations></BAD_MSG>",host=107.162.100.100

Explanation of Log Message fields:

  • Apr 11 16:39:36 <Timestamp of alert sent>
  • type = waf <Type of alert message>
  • attack_type = "Information Leakage" <Detected attack type>
  • date_time = "2019-04-10 22:45:28" <Timestamp of violation>
  • dest_ip = "123.456.789.xxx" < Destination IP of request>
  • dest_port = "8083" <Destination port of request>
  • geo_location = "US" <Geo location of the source IP>
  • http_class_name = "wafpolicy1" <Associated HTTP profile settings for the proxy>
  • ip_client = "32.123.43.xxx" <IP address of client>
  • method = "DELETE" <HTTP method used in request>
  • policy_apply_date = "2019-03-20 21:29:45" <Last update to the security policy>
  • policy_name = "wafpolicy1" < Name of security policy>
  • protocol = "HTTP" <Protocol of request>
  • query_string = "" <Any HTTP query string detected>
  • request_status = "blocked" < Whether the request was blocked or allowed>
  • response_code = "0" <Response code from server>
  • severity = "Critical" < Security severity of violation>
  • sig_ids="" < Attack signature ID, if triggered>
  • sig_names="" < Attack signature name, if triggered>
  • src_port = "4840" < Source port of request>
  • support_id = "1715xxxxxxxxxxx" <Security support ID for the violation>
  • uri = "/wafpolicy1" <Targeted URI of the request>
  • username = "N/A" <Any detected usernames>
  • violations = "HTTP protocol compliance failed" < Detected specific violation types>
  • web_application_name = "wafpolicy1" <Name of the targeted deployed web application proxy>
  • x_forwarded_for_header_value = "32.123.43.xxx" < Value of the X-Forwarded-For header>
  • staged_sig_ids="" < Staged signature IDs >
  • staged_sig_names="" < Staged signature names >
  • sub_violations="HTTP protocol compliance failed:Host header contains IP address" < Sub-violations of the main violation type >
  • attack_type="HTTP Parser Attack" < Category of the attack >
  • violation_details="<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>40600000800a58a-c003000000000000</block><alarm>40600000800a58a-c003000000000000</alarm><learn>40200000800a58a-c000000000000000</learn><staging>0-0</staging></violation_masks><request-violations><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name><http_sanity_checks_status>2048</http_sanity_checks_status><http_sub_violation_status>2048</http_sub_violation_status><http_sub_violation>SG9zdCBoZWFkZXIgd2l0aCBJUCB2YWx1ZTogMTA3LjE2Mi4yMDguNDY=</http_sub_violation></violation></request-violations></BAD_MSG>" < XML-formatted details of what caused the violation. The value of the <http_sub_violation> element is the base64-encoded description of what triggered the violation, i.e. the attack payload; decode it to read it. >
  • host=107.162.100.100 < Value of the HTTP Host header >

 

Log Message Format: L7 DDoS

Sample Message (actual IPs redacted):

Jun 11 23:31:47 123.456.789.xxx <134>1 2020-06-11T15:22:04Z sjc1.f5silverline.com log_export - - - type=l7ddos, action=\"browser_challenge\", client_ip_geo_location=\"SE\", client_request_uri=\"/\", errdefs_msgno=\"2300xxxx\", client_ip=\"107.xxx.xxx.xxx\", support_id=\"1520945084xxxxxxxxxx\", request_status=\"challenged\", reason=\"No Valid Cookie: Challenge possible because no Referer header arrived\"\r,host=www.example.com

Explanation of Log Message fields:

  • Apr 10 23:31:47 <Timestamp of alert sent>
  • type = l7ddos <Type of alert message>
  • action = "Blocking" < Action taken by the profile >
  • client_ip_geo_location = < Geo location of the source IP >
  • client_request_uri = < Targeted URI of the request >
  • errdefs_msgno = < Message number >
  • client_ip = < Source IP of the request >
  • support_id = < The unique violation ID associated with the L7 DDoS event >
  • request_status = < The mitigative action taken: bot defense (challenged), captcha, or illegal (ratelimit; tcp_rst) >
  • reason = < The justification for the action taken >
  • DOS Baseline Latency = the average latency (average response time) observed under normal conditions
  • DOS Attack Latency = the average latency observed during an elevated DDoS event
  • DOS Baseline TPS = the average number of requests (transactions per second) observed under normal conditions
  • DOS Attack TPS = the number of requests (transactions per second) detected during an elevated DDoS event
  • logs.dos_detection_threshold = the TPS threshold (relative or minimal) that the entity crossed to trigger detection
  • logs.dos_mitigate_to_threshold = the rate the L7 DDoS profile mitigates down to; mitigation continues until the rate returns to this value
  • host = www.example.com < Value of the HTTP Host header >

 

Log Message Format: Threat Intelligence

Sample Message (actual IPs redacted):

Jun 7 14:56:43 type=ipi,action=Accept,attack_type=custom_category,bigip_mgmt_ip= ,context_name= ,date_time=Jun07201814:56:43,dest_ip= ,dest_port=80,errdefs_msg_name=IPIntelligenceEvent,errdefs_msgno=23003142,flow_id=0000000000000000,ip_intelligence_policy_name=ipi-Threat-Intel-Log-Only,ip_intelligence_threat_name= [scannerswindows_exploitsspam_sources],ip_protocol=TCP,route_domain=0,sa_translation_pool= ,sa_translation_type= ,severity=5,source_ip= ,source_port=24276,translated_dest_ip= ,translated_dest_port= ,translated_ip_protocol= ,translated_route_domain= ,translated_source_ip= ,translated_source_port= ,translated_vlan= 

Explanation of Log Message fields:

  • Jun 7 14:56:43 <Timestamp of alert sent>
  • type=ipi <Type of alert message>
  • action=Accept < Action the IP Intelligence policy applied to the connection; Accept means the connection was allowed through, which matches the log-only policy named in this sample >
  • attack_type=custom_category
  • bigip_mgmt_ip= <Source IP of the message originator>
  • context_name= <Name of the proxy bound to the TI policy>
  • date_time= <Timestamp the alert was generated>
  • dest_ip= < Destination IP of request>
  • dest_port= < Destination port of request>
  • errdefs_msg_name= <IP Intelligence Event>
  • errdefs_msgno=23003142 < Message number of the IP Intelligence event >
  • flow_id=0000000000000000 < Flow identifier; all zeros in this sample >
  • ip_intelligence_policy_name=ipi-Threat-Intel-Log-Only <Name of IP Intelligence policy>
  • ip_intelligence_threat_name= [scannerswindows_exploitsspam_sources] <Threat identifier>
  • ip_protocol=TCP <Communication protocol>
  • route_domain=0
  • sa_translation_pool=
  • sa_translation_type=
  • severity=5 < Severity ranges from 10 to 0, 10 being the highest and 0 the lowest >
  • source_ip= < Source IP of the client>
  • source_port=24276 < Source port of the client>
  • translated_dest_ip=
  • translated_dest_port=
  • translated_ip_protocol=
  • translated_route_domain=
  • translated_source_ip=
  • translated_source_port=
  • translated_vlan=

 

Log Message Format: iRule

Sample Message (actual IPs redacted):

Apr 11 16:39:36 123.456.789.xxx 1 2019-04-11T16:39:32Z lab5.f5silverline.com log_export - - - type=irule, client_ip="321.654.xxx.xxx", client_port=436xx, data="{\"action\":\"IP blocked\",\"request\":\"GET / HTTP/1.1\\r\\nUser-Agent: curl/7.29.0\\r\\nHost: 123.456.321.xxx:8083\\r\\nAccept: */*\\r\\nX-Forwarded-For:321.654.xxx.xxx\\r\\nVia: 1.1 lab5-bit6\\r\\n\\r\\n\"}", irule="test2_IPs", irule-version="2", log_type="irule", loglevel=6, msg_type="kvp", proxy_id="5472", request_side="true", server_ip=, server_port=, service_id="7257", snat_ip=, snat_port=, tmm_unit=3, virtualserver="/Common/qastats001-5472_7257.app/qastats001-5472_wafPolicyProxy-IPv4-HTTP-TCP-8083", vs_ip="123.456.321.xxx", vs_port=8083

 

Explanation of Log Message fields:

  • Apr 11 16:39:36 <Timestamp of alert sent>
  • type=irule <Type of alert message>
  • client_ip="321.654.xxx.xxx" < Client IP>
  • client_port=4360 < Client port>
  • data="{\"action\":\"IP blocked\",\"request\":\"GET / HTTP/1.1\\r\\nUser-Agent: curl/7.29.0\\r\\nHost: 123.456.321.xxx:8083\\r\\nAccept: */*\\r\\nX-Forwarded-For:321.654.xxx.xxx\\r\\nVia: 1.1 lab5-bit6\\r\\n\\r\\n\"}" < Action taken or log message, carried as an escaped JSON document >
  • irule="test2_IPs" < iRule name>
  • irule-version="2" < iRule version; this is hardcoded in the iRule>
  • log_type="irule" < Log type, which for this message is an iRule>
  • loglevel=6
  • msg_type="kvp"
  • proxy_id="5472" < ID of the proxy the iRule is enabled on/attached to>
  • request_side="true" < Whether this iRule event fired while checking the HTTP request (client side)>
  • server_ip= < Backend server IP>
  • server_port= < Backend server port>
  • service_id="7257"
  • snat_ip=
  • snat_port=
  • tmm_unit=3
  • virtualserver="/Common/qastats001-5472_7257.app/qastats001-5472_wafPolicyProxy-IPv4-HTTP-TCP-8083" < Virtual server name>
  • vs_ip="123.456.321.xxx" < Virtual server IP>
  • vs_port=8083 < Virtual server port>
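The DDoS, WAF and iRule sections above all share one key=value body, so a single parser serves them. The following is an added example, not Silverline's own tooling: it tokenizes bare and double-quoted values, keeps repeated keys (the WAF sample carries attack_type twice), decodes the base64 <http_sub_violation> element, and unescapes the JSON carried in the iRule data field. The embedded samples are abridged from the messages in this article.

```python
import base64
import json
import re

# Samples abridged from the DDoS, WAF and iRule messages shown in this article.
DDOS_SAMPLE = ("Jan 19 19:45:52 type = mitigation,addr = 192.168.51.30,blacklisted = no,"
               "countermeasure = filter,dst_port = 64163,protocol = 17,rule = 0,src_port = 53")
WAF_SAMPLE = ('Apr 10 22:45:35 123.456.789.xxx 1 2019-04-10T22:45:29Z lab5.f5silverline.com '
              'log_export - - - type=waf, attack_type="Information Leakage", method="DELETE", '
              'request_status="blocked", violations="Illegal method", attack_type="HTTP Parser Attack", '
              'violation_details="<?xml version=\'1.0\'?><BAD_MSG><request-violations><violation>'
              '<viol_name>VIOL_HTTP_PROTOCOL</viol_name><http_sub_violation>'
              'SG9zdCBoZWFkZXIgd2l0aCBJUCB2YWx1ZTogMTA3LjE2Mi4yMDguNDY=</http_sub_violation>'
              '</violation></request-violations></BAD_MSG>",host=107.162.100.100')
IRULE_SAMPLE = (r'Apr 11 16:39:36 123.456.789.xxx 1 2019-04-11T16:39:32Z lab5.f5silverline.com '
                r'log_export - - - type=irule, client_ip="321.654.xxx.xxx", client_port=436xx, '
                r'data="{\"action\":\"IP blocked\",\"request\":\"GET / HTTP/1.1\\r\\nUser-Agent: '
                r'curl/7.29.0\\r\\nHost: 123.456.321.xxx:8083\\r\\n\\r\\n\"}", irule="test2_IPs", '
                r'irule-version="2", server_ip=, server_port=, vs_ip="123.456.321.xxx", vs_port=8083')

# One key=value token: bare values (DDoS `addr = 1.2.3.4`), empty values (`server_ip=`),
# or double-quoted values that may contain commas and backslash-escaped quotes (iRule `data`).
_KV = re.compile(r'\s*([\w.\-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,]*))\s*(?:,|$)')

def parse_message(line):
    """Fields of one log export line as a dict; the syslog header before `type=` is
    dropped, and a key that repeats (attack_type in the WAF sample) becomes a list."""
    start = re.search(r'\btype\s*=', line)
    body = line[start.start():] if start else line
    fields = {}
    for m in _KV.finditer(body):
        key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare.strip()
        if key in fields:
            prev = fields[key]
            fields[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            fields[key] = value
    return fields

def waf_sub_violation(fields):
    """Decode the base64 <http_sub_violation> element inside violation_details."""
    m = re.search(r'<http_sub_violation>([^<]+)</http_sub_violation>',
                  fields.get('violation_details', ''))
    return base64.b64decode(m.group(1)).decode() if m else None

def irule_request_line(fields):
    """Unescape the iRule `data` field, parse its JSON, and return the request line."""
    raw = re.sub(r'\\(.)', r'\1', fields['data'])  # drop kvp-level escaping: \" -> "  \\ -> \
    return json.loads(raw)['request'].split('\r\n')[0]
```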

 
