Forum Discussion

Manohar_Mekala's avatar
Manohar_Mekala
Icon for Altostratus rankAltostratus
Apr 24, 2021

What file are logs stored for the violations in Security->Event Logs->Protocol->HTTP

Want to check if there is a way to view the information presented in GUI for the violations in Security->Event Logs->Protocol->HTTP.

What files are these files stored in. What is the CLI way to filter the same information? I am using BIG-IP Ver 15.1

  • Hello Manohar.

    Event logs are stored directly in the DB.

    You should query this DB to check these events out.

    https://support.f5.com/csp/article/K06821426

    ​

    Regards,

    Dario.

  • Hello Manohar.

    Event logs are stored directly in the DB.

    You should query this DB to check these events out.

    https://support.f5.com/csp/article/K06821426

    ​

    Regards,

    Dario.

  • Hi Dario,

    Almost there, thank you for pointing me in the right direction.... was not much fun looking up in flat files... :-).

    Now on to figuring out the name for of the log table for https violations. the article seems to hint at the request logs...

    • Dario_Garrido's avatar
      Dario_Garrido
      Icon for MVP rankMVP

      Hello Manohar.

       

      These are the tables available:

      # mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "SHOW TABLES FROM PRX"
      +-----------------------------------+
      | Tables_in_PRX                     |
      +-----------------------------------+
      | ACCEPTED_REQUESTS                 |
      | BOT_DEFENSE_ANOMALIES             |
      | BOT_DEFENSE_ANOMALY_CATEGORIES    |
      | BOT_DEFENSE_EVENT_LOG             |
      | BOT_DEFENSE_EVENT_LOG_CLEARED     |
      | BOT_DEFENSE_EVENT_LOG_PROPERTIES  |
      | BOT_INCIDENTS                     |
      | BOT_INCIDENT_ANOMALIES            |
      | BOT_INCIDENT_ANOMALY_CATEGORIES   |
      | BOT_INCIDENT_SUPPORT_IDS          |
      | BOT_INCIDENT_TOP_IPS              |
      | BRUTE_FORCE_ATTACK_LOG            |
      | BRUTE_FORCE_ATTACK_LOG_PROPERTIES |
      | BRUTE_FORCE_LEAKED_CREDENTIALS    |
      | BRUTE_FORCE_LOGIN_PAGE_STATUS     |
      | BRUTE_FORCE_MITIGATED_DEVICE_IDS  |
      | BRUTE_FORCE_MITIGATED_IPS         |
      | BRUTE_FORCE_MITIGATED_USERNAMES   |
      | CLEANDB_LOG                       |
      | INCIDENTS                         |
      | INCIDENT_SUPPORT_IDS              |
      | INCIDENT_TYPES                    |
      | PROXY_LOG_CONSUMERS               |
      | REQUEST_LOG                       |
      | REQUEST_LOG_CLEARED               |
      | REQUEST_LOG_PROPERTIES            |
      | REQUEST_LOG_SYNC_FILES            |
      | REQUEST_LOG_TAGS                  |
      +-----------------------------------+

      And these are the incident types:

      # mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "SELECT incident_type_id,incident_type_name,incident_type_display_name FROM PRX.INCIDENT_TYPES"
      +------------------+----------------------------+--------------------------------------------+
      | incident_type_id | incident_type_name         | incident_type_display_name                 |
      +------------------+----------------------------+--------------------------------------------+
      |                1 | INFORMATION_LEAKAGE        | Information Leakage                        |
      |                2 | MALICIOUS_SESSION          | Malicious Session                          |
      |                4 | VULNERABILITY_SCAN         | Vulnerability Scan                         |
      |                5 | DISALLOWED_SOURCE          | Access from Malicious or Disallowed Source |
      |                6 | SERVER_SIDE_CODE_INJECTION | Server Side Code Injection                 |
      |                7 | COMMAND_EXECUTION          | Command Execution                          |
      |                8 | DATA_TAMPERING             | Data Tampering                             |
      |                9 | SESSION_HIJACKING          | Session Hijacking                          |
      |               10 | AUTH_BYPASS                | Authentication/Authorization Bypass        |
      |               11 | MALICIOUS_CONTENT          | Malicious Content                          |
      |               12 | MALICIOUS_SCAN             | Malicious Scan                             |
      |               13 | THREAT_CAMPAIGN            | Threat Campaign                            |
      +------------------+----------------------------+--------------------------------------------+

      The rest of the work to deep into those SQL Tables.

       

      Please, don't forget to mark my answer as "the best" to help other people to find it.

       

      Regards,

      Dario.

  •  

    GUI has this...checked the DB to list all tables with column support_id

     

    #mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'`                                                                                             

    ----

    ----

    MariaDB [(none)]> SELECT TABLE_NAME FROM information_schema.columns WHERE column_name = 'support_id';

    +---------------------------+

    | TABLE_NAME               |

    +---------------------------+

    | PL_SUGGESTION_SUPPORT_IDS |

    | ACCEPTED_REQUESTS        |

    | BOT_DEFENSE_EVENT_LOG    |

    | BOT_INCIDENT_SUPPORT_IDS |

    | INCIDENT_SUPPORT_IDS     |

    | REQUEST_LOG              |

    +---------------------------+

    Looked in each of the tables but couldn't locate the support ID...

    Not sure where i am going wrong...

    • Dario_Garrido's avatar
      Dario_Garrido
      Icon for MVP rankMVP

      Hello Manohar.

      PRX.REQUEST_LOG has a column called "support_id".

      # mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "select * from PRX.REQUEST_LOG where support_id = 9374597410145173508\G"
      *************************** 1. row ***************************
                             id: 1
                     support_id: 9374597410145173508
              support_id_suffix: 3508

      Regards,

      Dario.

      • Manohar_Mekala's avatar
        Manohar_Mekala
        Icon for Altostratus rankAltostratus

        Yes and the support Id from gui is not returned in the cli search. Likewise the support id's in the REQUEST_LOG are not in GUI logs. Probably not the same dB?