Forum Discussion
Manohar_Mekala
Altostratus
AltostratusWhat file are logs stored for the violations in Security->Event Logs->Protocol->HTTP
Want to check if there is a way to view the information presented in GUI for the violations in Security->Event Logs->Protocol->HTTP. What files are these files stored in. What is the CLI way to filt...
Hello Manohar.
Event logs are stored directly in the DB.
You should query this DB to check these events out.
https://support.f5.com/csp/article/K06821426
Regards,
Dario.
Manohar_MekalaAltostratus
AltostratusHi Dario,
Almost there, thank you for pointing me in the right direction.... was not much fun looking up in flat files... :-).
Now on to figuring out the name for of the log table for https violations. the article seems to hint at the request logs...
Hello Manohar.
These are the tables available:
# mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "SHOW TABLES FROM PRX"
+-----------------------------------+
| Tables_in_PRX |
+-----------------------------------+
| ACCEPTED_REQUESTS |
| BOT_DEFENSE_ANOMALIES |
| BOT_DEFENSE_ANOMALY_CATEGORIES |
| BOT_DEFENSE_EVENT_LOG |
| BOT_DEFENSE_EVENT_LOG_CLEARED |
| BOT_DEFENSE_EVENT_LOG_PROPERTIES |
| BOT_INCIDENTS |
| BOT_INCIDENT_ANOMALIES |
| BOT_INCIDENT_ANOMALY_CATEGORIES |
| BOT_INCIDENT_SUPPORT_IDS |
| BOT_INCIDENT_TOP_IPS |
| BRUTE_FORCE_ATTACK_LOG |
| BRUTE_FORCE_ATTACK_LOG_PROPERTIES |
| BRUTE_FORCE_LEAKED_CREDENTIALS |
| BRUTE_FORCE_LOGIN_PAGE_STATUS |
| BRUTE_FORCE_MITIGATED_DEVICE_IDS |
| BRUTE_FORCE_MITIGATED_IPS |
| BRUTE_FORCE_MITIGATED_USERNAMES |
| CLEANDB_LOG |
| INCIDENTS |
| INCIDENT_SUPPORT_IDS |
| INCIDENT_TYPES |
| PROXY_LOG_CONSUMERS |
| REQUEST_LOG |
| REQUEST_LOG_CLEARED |
| REQUEST_LOG_PROPERTIES |
| REQUEST_LOG_SYNC_FILES |
| REQUEST_LOG_TAGS |
+-----------------------------------+And these are the incident types:
# mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "SELECT incident_type_id,incident_type_name,incident_type_display_name FROM PRX.INCIDENT_TYPES"
+------------------+----------------------------+--------------------------------------------+
| incident_type_id | incident_type_name | incident_type_display_name |
+------------------+----------------------------+--------------------------------------------+
| 1 | INFORMATION_LEAKAGE | Information Leakage |
| 2 | MALICIOUS_SESSION | Malicious Session |
| 4 | VULNERABILITY_SCAN | Vulnerability Scan |
| 5 | DISALLOWED_SOURCE | Access from Malicious or Disallowed Source |
| 6 | SERVER_SIDE_CODE_INJECTION | Server Side Code Injection |
| 7 | COMMAND_EXECUTION | Command Execution |
| 8 | DATA_TAMPERING | Data Tampering |
| 9 | SESSION_HIJACKING | Session Hijacking |
| 10 | AUTH_BYPASS | Authentication/Authorization Bypass |
| 11 | MALICIOUS_CONTENT | Malicious Content |
| 12 | MALICIOUS_SCAN | Malicious Scan |
| 13 | THREAT_CAMPAIGN | Threat Campaign |
+------------------+----------------------------+--------------------------------------------+The rest of the work to deep into those SQL Tables.
Please, don't forget to mark my answer as "the best" to help other people to find it.
Regards,
Dario.