What Happened?
What is the format of log export messages?
- Log message samples
- Log message examples
- Log export message samples
- Log export message examples
Environment
- Silverline WAF
- Silverline DDoS
- Silverline Shape Defense
- Threat Intelligence
- Log Export
Resolution/Answer
- F5 Silverline syslog messages are sent in the following formats
- Syslog (RFC3164 - BSD)
- Syslog (RFC5424 - Enhanced Syslog)
- CSV (comma-separated values)
- JSON
- If using either Syslog option, in accordance with RFC 3164 and RFC 5424, messages will not include a log message delimiter to delineate log messages.
Log message samples included in this article (click link to jump to that section):
- DDoS logs
- WAF logs
- L7 DDoS logs
- Threat Intelligence logs
- iRule logs (This covers Silverline Shape Defense Logs)
Log Message Format: DDoS
Sample Message (Actual IPs redacted):
Jan 19 19:45:52 type = mitigation,addr = 123.456.789.xxx,blacklisted = no,countermeasure = filter,dst_port = 64163,mitigation = 172.16.208.x,prefixes = 172.16.208.0/25,protocol = 17,reason = filtered,rule = 0,src_port = 53
Explanation of Log Message fields:
- Jan 19 19:45:52 <Timestamp of alert sent>
- type = mitigation < The nature of the DDoS alert. Most, if not all, DDoS alerts are classified as "type = mitigation", because it is the mitigation that delivers the alert: a violation of the mitigation filter generates the log message. >
- addr = 123.456.789.xxx <IP address of client> -- Note: "addr" is the source IP address as it enters the Silverline scrubbing center.
- blacklisted = no < Indicates if SRC IP is listed directly in the Silverline blacklist. >
- countermeasure = filter < Action taken by mitigation. In this case, matched filter and filter dropped. >
- dst_port = 64163 <Destination Port of packets>
- mitigation = 172.16.208.x < The "name" of the mitigation, usually denoted by organization name, underscore, and IP or prefix. >
- prefixes = 172.16.208.0/25 < The "Offramp Prefix" the SOC has decided to mitigate. This can be one IP, many single IPs, or entire network ranges; any CIDR notation is accepted. >
- protocol = 17 < Protocol of request. Protocol = 17 would mean UDP. For TCP it would be Protocol = 6. >
- reason = filtered < Reason for log message/cause of alert. In this case a matched filter. >
- rule = 0
- src_port = 53 < Source port of packets>
Log Message Format: WAF
Sample Message (Actual IPs redacted):
Apr 10 22:45:35 123.456.789.xxx 1 2019-04-10T22:45:29Z lab5.f5silverline.com log_export - - - type=waf, attack_type="Information Leakage", date_time="2019-04-10 22:45:28", dest_ip="123.456.789.xxx", dest_port="8083", geo_location="US", http_class_name="wafpolicy1", ip_client="32.123.43.xxx", method="DELETE", policy_apply_date="2019-03-20 21:29:45", policy_name="wafpolicy1", protocol="HTTP", query_string="", request_status="blocked", response_code="0", severity="Critical", sig_ids="", sig_names="", src_port="4840", support_id="1715xxxxxxxxxx", uri="/wafpolicy1", username="N/A", violations="Illegal method", web_application_name="wafpolicy1", x_forwarded_for_header_value="32.123.43.xxx", staged_sig_ids="", staged_sig_names="", sub_violations="HTTP protocol compliance failed:Host header contains IP address", attack_type="HTTP Parser Attack", violation_details="<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>40600000800a58a-c003000000000000</block><alarm>40600000800a58a-c003000000000000</alarm><learn>40200000800a58a-c000000000000000</learn><staging>0-0</staging></violation_masks><request-violations><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name><http_sanity_checks_status>2048</http_sanity_checks_status><http_sub_violation_status>2048</http_sub_violation_status><http_sub_violation>SG9zdCBoZWFkZXIgd2l0aCBJUCB2YWx1ZTogMTA3LjE2Mi4yMDguNDY=</http_sub_violation></violation></request-violations></BAD_MSG>",host=107.162.100.100
Explanation of Log Message fields:
- Apr 11 16:39:36 <Timestamp of alert sent>
- type = waf <Type of alert message>
- attack_type = "Information Leakage" <Detected Attack types>
- date_time = "2019-04-10 22:45:28" <Timestamp of violation>
- dest_ip = "123.456.789.xxx" < Destination IP of request>
- dest_port = "8083" <Destination Port of request>
- geo_location = "US" <Geo location of the Source IP>
- http_class_name = "wafpolicy1" <Associated HTTP profile settings for proxy>
- ip_client = "32.123.43.xxx" <IP address of client>
- method = "DELETE" <HTTP method used in request>
- policy_apply_date = "2019-03-20 21:29:45" <Last update to security policy>
- policy_name = "wafpolicy1" < Name of Security Policy>
- protocol = "HTTP" <Protocol of request>
- query_string = "" <Any HTTP query strings detected>
- request_status = "blocked" < Was the request blocked or allowed>
- response_code = "0" <Response code from Server>
- severity = "Critical" < Security severity of violation>
- sig_ids="" < Attack Signature ID if triggered>
- sig_names="" < Attack Signature Name if triggered>
- src_port = "4840" < Source port of request>
- support_id = "1715xxxxxxxxxxx" <Security Support id for violation>
- uri = "/wafpolicy1" <Targeted URI for the request>
- username = "N/A" <Any detected usernames>
- violations = "HTTP protocol compliance failed" < Detected specific violation types>
- web_application_name = "wafpolicy1" <Name of targeted deployed Web application proxy>
- x_forwarded_for_header_value = "32.123.43.xxx" < Value of x-forwarded-for header>
- staged_sig_ids="" < staged signature ids >
- staged_sig_names="" < staged signature names >
- sub_violations="HTTP protocol compliance failed:Host header contains IP address" < Sub violations of main violation type >
- attack_type="HTTP Parser Attack" < category of the attack >
- violation_details="<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>40600000800a58a-c003000000000000</block><alarm>40600000800a58a-c003000000000000</alarm><learn>40200000800a58a-c000000000000000</learn><staging>0-0</staging></violation_masks><request-violations><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name><http_sanity_checks_status>2048</http_sanity_checks_status><http_sub_violation_status>2048</http_sub_violation_status><http_sub_violation>SG9zdCBoZWFkZXIgd2l0aCBJUCB2YWx1ZTogMTA3LjE2Mi4yMDguNDY=</http_sub_violation></violation></request-violations></BAD_MSG>" < XML formatted details that caused the violation. The base64 encoded string inside the http_sub_violation element is the decoded result of what triggered the violation, the attack payload >
- host=107.162.100.100 < value in the http host header >
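The DDoS and WAF samples above share one comma-separated key=value layout and differ only in spacing and quoting, so one parser serves both. The Python below is an added example, not F5's code and not part of this article: it splits a line into its syslog header and fields, keeps repeated keys (the WAF sample carries two attack_type values), maps the DDoS protocol number to a name, and base64-decodes the http_sub_violation element inside violation_details. The sample lines are constructed from the article's own samples (IPs redacted as in the article; the WAF line is abridged), and the protocol table covers only the numbers the article mentions plus ICMP. The L7 DDoS sample, in which the quotes themselves arrive backslash-escaped, is outside its scope.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Sample lines constructed from this article's DDoS and WAF samples (IPs redacted as in
# the article; the WAF line is abridged to the fields needed here).
DDOS_SAMPLE = (
    "Jan 19 19:45:52 type = mitigation,addr = 123.456.789.xxx,blacklisted = no,"
    "countermeasure = filter,dst_port = 64163,mitigation = 172.16.208.x,"
    "prefixes = 172.16.208.0/25,protocol = 17,reason = filtered,rule = 0,src_port = 53"
)
WAF_SAMPLE = (
    "Apr 10 22:45:35 123.456.789.xxx 1 2019-04-10T22:45:29Z lab5.f5silverline.com "
    'log_export - - - type=waf, attack_type="Information Leakage", '
    'date_time="2019-04-10 22:45:28", dest_ip="123.456.789.xxx", dest_port="8083", '
    'method="DELETE", request_status="blocked", severity="Critical", uri="/wafpolicy1", '
    'violations="Illegal method", attack_type="HTTP Parser Attack", '
    "violation_details=\"<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations>"
    "<violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name>"
    "<http_sub_violation>SG9zdCBoZWFkZXIgd2l0aCBJUCB2YWx1ZTogMTA3LjE2Mi4yMDguNDY=</http_sub_violation>"
    '</violation></request-violations></BAD_MSG>",host=107.162.100.100'
)

# IANA protocol numbers. The article documents 6 (TCP) and 17 (UDP); ICMP is added here.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def split_fields(body):
    """Split the key=value body on commas that sit outside double quotes.
    Inside quotes a backslash escapes the next character, so an escaped quote
    does not end the value (the iRule data field relies on this)."""
    fields, buf, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if in_quotes and ch == "\\" and i + 1 < len(body):
            buf.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if buf:
        fields.append("".join(buf))
    return fields


def parse_message(line):
    """Return (syslog_header, fields) for one export line.
    The header is everything before the first top-level 'type=' token (the DDoS
    format has only a timestamp there; WAF and iRule lines also carry the RFC5424
    fields). Surrounding quotes are removed and backslash escapes resolved; a key
    that appears more than once is returned as a list."""
    m = re.search(r"\btype\s*=", line)
    if m is None:
        raise ValueError("not a Silverline export line: no type= field")
    header, body = line[:m.start()].rstrip(), line[m.start():]
    fields = {}
    for raw in split_fields(body):
        if "=" not in raw:
            continue
        key, value = raw.split("=", 1)
        key, value = key.strip(), value.strip().rstrip("\r")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        if key in fields:
            prev = fields[key]
            fields[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            fields[key] = value
    return header, fields


def protocol_name(number):
    """Map the DDoS 'protocol' field to a name, falling back to the raw number."""
    return PROTOCOL_NAMES.get(int(number), "proto-%s" % number)


def decode_sub_violations(violation_details):
    """Parse the violation_details XML and base64-decode every http_sub_violation,
    returning [(viol_name, decoded_text), ...] in document order."""
    root = ET.fromstring(violation_details.encode("utf-8"))
    decoded = []
    for viol in root.iter("violation"):
        name = viol.findtext("viol_name", default="")
        for sub in viol.iter("http_sub_violation"):
            text = base64.b64decode(sub.text or "").decode("utf-8", errors="replace")
            decoded.append((name, text))
    return decoded


if __name__ == "__main__":
    header, ddos = parse_message(DDOS_SAMPLE)
    print(header, ddos["type"], protocol_name(ddos["protocol"]), ddos["prefixes"])
    header, waf = parse_message(WAF_SAMPLE)
    print(header, waf["attack_type"], waf["request_status"])
    for name, text in decode_sub_violations(waf["violation_details"]):
        print(name, "->", text)
```

Decoding the sub-violation turns the opaque base64 into the text the WAF actually objected to, which is what an analyst wants in the SIEM event rather than the raw XML blob.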
Log Message Format: L7 DDoS
Sample Message (Actual IPs redacted):
Jun 11 23:31:47 123.456.789.xxx <134>1 2020-06-11T15:22:04Z sjc1.f5silverline.com log_export - - - type=l7ddos, action=\"browser_challenge\", client_ip_geo_location=\"SE\", client_request_uri=\"/\", errdefs_msgno=\"2300xxxx\", client_ip=\"107.xxx.xxx.xxx\", support_id=\"1520945084xxxxxxxxxx\", request_status=\"challenged\", reason=\"No Valid Cookie: Challenge possible because no Referer header arrived\"\r,host=www.example.com
Explanation of Log Message fields:
- Apr 10 23:31:47 <Timestamp of alert sent>
- type = l7ddos <Type of alert message>
- action = "Blocking" < Action taken by the profile >
- client_ip_geo_location = < Geo location of the Source IP>
- client_request_uri = <Targeted URI for the request>
- errdefs_msgno = < Message number>
- client_ip = < Source IP of the request>
- support_id = < The unique violation ID associated with the L7 DDoS event>
- request_status = < What mitigative action was taken, bot defense (challenged), captcha, illegal (ratelimit; tcp_rst)>
- reason = < The justification for the action taken>
- DOS Baseline Latency = the average latency (average response time) that normally exists
- DOS Attack Latency = the average latency detected during an elevated DDoS event
- DOS Baseline TPS = the average number of requests under normal conditions
- DOS Attack TPS = the number of requests detected during an elevated DDoS event
- logs.dos_detection_threshold = the TPS threshold (relative or minimal) that the entity crossed
- logs.dos_mitigate_to_threshold = the L7 DDoS profile applies mitigation until the rate returns to this threshold
- host = www.example.com < value from the HTTP host header >
Log Message Format: Threat Intelligence
Sample Message (Actual IPs redacted):
Jun 7 14:56:43 type=ipi,action=Accept,attack_type=custom_category,bigip_mgmt_ip= ,context_name= ,date_time=Jun07201814:56:43,dest_ip= ,dest_port=80,errdefs_msg_name=IPIntelligenceEvent,errdefs_msgno=23003142,flow_id=0000000000000000,ip_intelligence_policy_name=ipi-Threat-Intel-Log-Only,ip_intelligence_threat_name= [scannerswindows_exploitsspam_sources],ip_protocol=TCP,route_domain=0,sa_translation_pool= ,sa_translation_type= ,severity=5,source_ip= ,source_port=24276,translated_dest_ip= ,translated_dest_port= ,translated_ip_protocol= ,translated_route_domain= ,translated_source_ip= ,translated_source_port= ,translated_vlan=
Explanation of Log Message fields:
- Jun 7 14:56:43 <Timestamp of alert sent>
- type=ipi <Type of alert message>
- action=Accept <???>
- attack_type=custom_category
- bigip_mgmt_ip=<Source IP of message originator>
- context_name=<Name of proxy bound to TI policy>
- date_time=<Timestamp of alert generated>
- dest_ip=< Destination IP of request>
- dest_port=< Destination port of request>
- errdefs_msg_name=<IP Intelligence Event>
- errdefs_msgno=23003142 <???>
- flow_id=0000000000000000 <???>
- ip_intelligence_policy_name=ipi-Threat-Intel-Log-Only <Name of IP Intelligence Policy>
- ip_intelligence_threat_name= [scannerswindows_exploitsspam_sources] <Threat identifier>
- ip_protocol=TCP <Communication protocol>
- route_domain=0
- sa_translation_pool=
- sa_translation_type=
- severity=5 < Severity can range from 10 to 0; 10 being the highest and 0 being the lowest>
- source_ip= < Source IP of the client>
- source_port=24276 < Source Port of the client>
- translated_dest_ip=
- translated_dest_port=
- translated_ip_protocol=
- translated_route_domain=
- translated_source_ip=
- translated_source_port=
- translated_vlan=
Log Message Format: iRule
Sample Message (Actual IPs redacted):
Apr 11 16:39:36 123.456.789.xxx 1 2019-04-11T16:39:32Z lab5.f5silverline.com log_export - - - type=irule, client_ip="321.654.xxx.xxx", client_port=436xx, data="{\"action\":\"IP blocked\",\"request\":\"GET / HTTP/1.1\\r\\nUser-Agent: curl/7.29.0\\r\\nHost: 123.456.321.xxx:8083\\r\\nAccept: */*\\r\\nX-Forwarded-For:321.654.xxx.xxx\\r\\nVia: 1.1 lab5-bit6\\r\\n\\r\\n\"}", irule="test2_IPs", irule-version="2", log_type="irule", loglevel=6, msg_type="kvp", proxy_id="5472", request_side="true", server_ip=, server_port=, service_id="7257", snat_ip=, snat_port=, tmm_unit=3, virtualserver="/Common/qastats001-5472_7257.app/qastats001-5472_wafPolicyProxy-IPv4-HTTP-TCP-8083", vs_ip="123.456.321.xxx", vs_port=8083
Explanation of Log Message fields:
- Apr 11 16:39:36 <Timestamp of alert sent>
- type=irule <Type of alert message>
- client_ip="321.654.xxx.xxx" < Client IP>
- client_port=4360 < Client Port>
- data="{\"action\":\"IP blocked\",\"request\":\"GET / HTTP/1.1\\r\\nUser-Agent: curl/7.29.0\\r\\nHost: 123.456.321.xxx:8083\\r\\nAccept: */*\\r\\nX-Forwarded-For:321.654.xxx.xxx\\r\\nVia: 1.1 lab5-bit6\\r\\n\\r\\n\"}" < Action taken or log message>
- irule="test2_IPs" < iRule Name>
- irule-version="2" < iRule Version; this is hardcoded in the iRule>
- log_type="irule" < log type which would be an iRule>
- loglevel=6
- msg_type="kvp"
- proxy_id="5472" < The associated proxy ID with the iRule enabled/attached>
- request_side="true" < Whether this iRule event is checking the HTTP request>
- server_ip= < Backend server IP>
- server_port= < Backend server port>
- service_id="7257"
- snat_ip=
- snat_port=
- tmm_unit=3
- virtualserver="/Common/qastats001-5472_7257.app/qastats001-5472_wafPolicyProxy-IPv4-HTTP-TCP-8083" < Virtual server name>
- vs_ip="123.456.321.xxx" < Virtual Server IP>
- vs_port=8083 < Virtual Server Port>
Additional Information