Forum Discussion
What file are logs stored for the violations in Security->Event Logs->Protocol->HTTP
Want to check if there is a way to view the information presented in the GUI for the violations in Security->Event Logs->Protocol->HTTP.
What files are these stored in? What is the CLI way to filter the same information? I am using BIG-IP Ver 15.1.
8 Replies
- Dario_Garrido
Noctilucent
Hello Manohar.
Event logs are stored directly in the DB.
You should query this DB to check these events out.
https://support.f5.com/csp/article/K06821426
Regards,
Dario.
- Manohar_Mekala
Altostratus
Hi Dario,
Almost there, thank you for pointing me in the right direction... it was not much fun looking things up in flat files... :-).
Now on to figuring out the name of the log table for https violations. The article seems to hint at the request logs...
- Dario_Garrido
Noctilucent
Hello Manohar.
These are the tables available:
# mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "SHOW TABLES FROM PRX"
+-----------------------------------+
| Tables_in_PRX                     |
+-----------------------------------+
| ACCEPTED_REQUESTS                 |
| BOT_DEFENSE_ANOMALIES             |
| BOT_DEFENSE_ANOMALY_CATEGORIES    |
| BOT_DEFENSE_EVENT_LOG             |
| BOT_DEFENSE_EVENT_LOG_CLEARED     |
| BOT_DEFENSE_EVENT_LOG_PROPERTIES  |
| BOT_INCIDENTS                     |
| BOT_INCIDENT_ANOMALIES            |
| BOT_INCIDENT_ANOMALY_CATEGORIES   |
| BOT_INCIDENT_SUPPORT_IDS          |
| BOT_INCIDENT_TOP_IPS              |
| BRUTE_FORCE_ATTACK_LOG            |
| BRUTE_FORCE_ATTACK_LOG_PROPERTIES |
| BRUTE_FORCE_LEAKED_CREDENTIALS    |
| BRUTE_FORCE_LOGIN_PAGE_STATUS     |
| BRUTE_FORCE_MITIGATED_DEVICE_IDS  |
| BRUTE_FORCE_MITIGATED_IPS         |
| BRUTE_FORCE_MITIGATED_USERNAMES   |
| CLEANDB_LOG                       |
| INCIDENTS                         |
| INCIDENT_SUPPORT_IDS              |
| INCIDENT_TYPES                    |
| PROXY_LOG_CONSUMERS               |
| REQUEST_LOG                       |
| REQUEST_LOG_CLEARED               |
| REQUEST_LOG_PROPERTIES            |
| REQUEST_LOG_SYNC_FILES            |
| REQUEST_LOG_TAGS                  |
+-----------------------------------+
And these are the incident types:
# mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "SELECT incident_type_id,incident_type_name,incident_type_display_name FROM PRX.INCIDENT_TYPES"
+------------------+----------------------------+--------------------------------------------+
| incident_type_id | incident_type_name         | incident_type_display_name                 |
+------------------+----------------------------+--------------------------------------------+
|                1 | INFORMATION_LEAKAGE        | Information Leakage                        |
|                2 | MALICIOUS_SESSION          | Malicious Session                          |
|                4 | VULNERABILITY_SCAN         | Vulnerability Scan                         |
|                5 | DISALLOWED_SOURCE          | Access from Malicious or Disallowed Source |
|                6 | SERVER_SIDE_CODE_INJECTION | Server Side Code Injection                 |
|                7 | COMMAND_EXECUTION          | Command Execution                          |
|                8 | DATA_TAMPERING             | Data Tampering                             |
|                9 | SESSION_HIJACKING          | Session Hijacking                          |
|               10 | AUTH_BYPASS                | Authentication/Authorization Bypass        |
|               11 | MALICIOUS_CONTENT          | Malicious Content                          |
|               12 | MALICIOUS_SCAN             | Malicious Scan                             |
|               13 | THREAT_CAMPAIGN            | Threat Campaign                            |
+------------------+----------------------------+--------------------------------------------+
The rest of the work is to dig deeper into those SQL tables.
Please, don't forget to mark my answer as "the best" to help other people to find it.
Regards,
Dario.
- Manohar_Mekala
Altostratus
The GUI has this... I checked the DB to list all tables with a support_id column:
# mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'`
MariaDB [(none)]> SELECT TABLE_NAME FROM information_schema.columns WHERE column_name = 'support_id';
+---------------------------+
| TABLE_NAME |
+---------------------------+
| PL_SUGGESTION_SUPPORT_IDS |
| ACCEPTED_REQUESTS |
| BOT_DEFENSE_EVENT_LOG |
| BOT_INCIDENT_SUPPORT_IDS |
| INCIDENT_SUPPORT_IDS |
| REQUEST_LOG |
+---------------------------+
Looked in each of the tables but couldn't locate the support ID...
Not sure where I am going wrong...
- Dario_Garrido
Noctilucent
Hello Manohar.
PRX.REQUEST_LOG has a column called "support_id".
# mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "select * from PRX.REQUEST_LOG where support_id = 9374597410145173508\G"
*************************** 1. row ***************************
               id: 1
       support_id: 9374597410145173508
support_id_suffix: 3508
Regards,
Dario.
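The queries in Dario's two replies (listing the PRX tables and looking a support ID up in PRX.REQUEST_LOG) and Manohar's information_schema search can be wrapped in a small helper so that whatever is pasted after the command is checked before it becomes part of a SQL statement. This is an added example written for this page, not code from the thread or from F5. It assumes the ASM MySQL password is fetched exactly the way the thread does (F5::Cfg::get_mysql_password), that the PRX tables and the support_id / support_id_suffix columns exist as shown in the thread's output, and, from the single row Dario posted, that support_id_suffix is the last four digits of the support ID.

```shell
#!/bin/sh
# Added example (not from the thread or from F5): safe wrappers around the
# PRX.REQUEST_LOG queries discussed above. Only digit-strings are accepted as
# a support ID, so a pasted argument cannot turn into SQL or shell injection.

# Return 0 only if $1 is 1-20 ASCII digits (a support ID is an unsigned
# 64-bit integer, so 20 digits is the largest possible value).
validate_support_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 20 ]
}

# Print the SELECT for one support ID against PRX.REQUEST_LOG.
#   mode "full"   : match on support_id (Dario's query)
#   mode "suffix" : match on support_id_suffix, useful when the full ID the
#                   GUI shows is not found (assumption: suffix = last 4 digits,
#                   as in the thread's example row 9374597410145173508 / 3508)
build_support_id_query() {
    sid="$1"; mode="${2:-full}"
    validate_support_id "$sid" || return 1
    case "$mode" in
        full)
            printf 'SELECT * FROM PRX.REQUEST_LOG WHERE support_id = %s\\G' "$sid" ;;
        suffix)
            [ "${#sid}" -ge 4 ] || return 1
            suffix="${sid#"${sid%????}"}"    # keep only the last four characters
            printf 'SELECT * FROM PRX.REQUEST_LOG WHERE support_id_suffix = %s\\G' "$suffix" ;;
        *) return 1 ;;
    esac
}

# Print one statement that counts matches for a support ID in every PRX table
# Manohar's information_schema query found with a support_id column, so the
# "looked in each of the tables" step becomes a single query.
build_support_id_scan() {
    validate_support_id "$1" || return 1
    q=""
    for t in ACCEPTED_REQUESTS BOT_DEFENSE_EVENT_LOG BOT_INCIDENT_SUPPORT_IDS \
             INCIDENT_SUPPORT_IDS REQUEST_LOG; do
        if [ -n "$q" ]; then q="$q UNION ALL "; fi
        q="${q}SELECT '$t' AS tbl, COUNT(*) AS hits FROM PRX.$t WHERE support_id = $1"
    done
    printf '%s' "$q"
}

# Run a statement as the asm user. The password is fetched the way the thread
# does, but handed over through MYSQL_PWD instead of -p so it does not show up
# in the process list. Only runs on a BIG-IP; never called by the checks below.
run_asm_query() {
    pw=$(perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()') || return 1
    MYSQL_PWD="$pw" mysql -uasm -e "$1"
}

# Usage on the box:  sh asm_support_id.sh 9374597410145173508 [full|suffix|scan]
if [ "$#" -gt 0 ]; then
    case "${2:-full}" in
        scan) stmt=$(build_support_id_scan "$1") ;;
        *)    stmt=$(build_support_id_query "$1" "${2:-full}") ;;
    esac || { echo "invalid support ID or mode" >&2; exit 2; }
    run_asm_query "$stmt"
fi
```

The three build_* functions are pure (they only print SQL), so they can be checked without a BIG-IP; run_asm_query is the only part that needs the appliance. Passing the full ID first and falling back to the suffix scan mirrors the step the thread ends on, where the GUI's support ID did not match a REQUEST_LOG row.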
- Manohar_Mekala
Altostratus
Yes, and the support ID from the GUI is not returned in the CLI search. Likewise, the support IDs in REQUEST_LOG are not in the GUI logs. Probably not the same DB?