Forum Discussion
In what file are the logs stored for the violations in Security->Event Logs->Protocol->HTTP?
- Apr 25, 2021
Hello Manohar.
Event logs are stored directly in the DB.
You should query this DB to check these events out.
https://support.f5.com/csp/article/K06821426
Regards,
Dario.
The GUI has this... I checked the DB to list all tables with the column support_id:
#mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'`
MariaDB [(none)]> SELECT TABLE_NAME FROM information_schema.columns WHERE column_name = 'support_id';
+---------------------------+
| TABLE_NAME                |
+---------------------------+
| PL_SUGGESTION_SUPPORT_IDS |
| ACCEPTED_REQUESTS         |
| BOT_DEFENSE_EVENT_LOG     |
| BOT_INCIDENT_SUPPORT_IDS  |
| INCIDENT_SUPPORT_IDS      |
| REQUEST_LOG               |
+---------------------------+
I looked in each of the tables but couldn't locate the support ID...
Not sure where I am going wrong...
- Apr 26, 2021
Hello Manohar.
PRX.REQUEST_LOG has a column called "support_id".
# mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "select * from PRX.REQUEST_LOG where support_id = 9374597410145173508\G"
*************************** 1. row ***************************
               id: 1
       support_id: 9374597410145173508
support_id_suffix: 3508
Regards,
Dario.
- Manohar_Mekala, Apr 26, 2021
Yes, and the support ID from the GUI is not returned in the CLI search. Likewise, the support IDs in the REQUEST_LOG are not in the GUI logs. Probably not the same DB?
- Apr 27, 2021
Hello Manohar.
In my case, this is an event collected from the GUI:
Geolocation: Spain
Source IP Address: 88.3.223.72:49838
Device ID: N/A
Microservice: N/A
Username: N/A
Session ID: 2b2ab2c1d68399a8
Source IP Intelligence: N/A
Host: public.example.es
Destination IP Address: 10.40.40.128:443
Client Type: Uncategorized
Accept Status: Not Accepted
Support ID: 12551088809188504241
Time: 2021-04-27 10:10:18
Violation Rating: 3 Request needs further examination
Attack Types: Information Leakage
Request Status: Illegal
Blocking Exception Reason: N/A
Security Policy: security_public
Virtual Server: vs_public
Method: OPTIONS
Response Status Code: 200
Severity: Critical
And as you can see, it's reflected correctly in the DB.
# mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "select * from PRX.REQUEST_LOG where support_id = 12551088809188504241\G"
*************************** 1. row ***************************
                       id: 14240
               support_id: 12551088809188504241
        support_id_suffix: 4241
                policy_id: 4
                 log_time: 1619518218
                   src_ip: 88.3.223.72
                 src_port: 49838
             route_domain: 0
                  dest_ip: 10.40.40.128
                dest_port: 443
           request_schema: 1
              method_code: 3
                      url: /url/
            response_code: 200
                 username:
               session_id: 2b2ab2c1d68399a8
                device_id:
geo_location_country_code: ES
              severity_id: 2
              slot_number: 0
         violation_rating: 3
        attack_types_mask: 1024
           has_violations: 1
         viol_set_enforce:
         viol_set_staging:
          flg_req_blocked: 0
        flg_req_truncated: 0
      flg_resp_compressed: 0
       flg_resp_truncated: 0
       is_unblock_request: 0
response_exclusion_reason: 4
             iprep_threat: 0
         protobuf_file_id: 4
   protobuf_file_seek_pos: 1469980
     protobuf_record_size: 835
          suggestion_keys: servertech:r2:686155af75a60a0f6e9d80c1f7edd3e9,filetype:r2:570cb2d086023f967bcd4b72436bb33e,method:r2:164dd62adb30ca051b5289672a572f9b,host:r2:bf8d561a3fd3a920d805d2d5555be9ce
              flg_display: 1
              host_header: public.example.es
      virtual_server_name: /Common/vs_public
         microservice_url:
   microservice_host_name:
     matched_microservice:
I would say that it's the same DB.
Regards,
Dario.
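As an added example (not from this thread and not F5's own tooling), a small Python helper that parses the `\G` vertical output quoted above and cross-checks the fields the GUI event shows against the PRX.REQUEST_LOG row, so a mismatch between the two views can be pinned to a specific field. It assumes the BIG-IP clock is UTC, which is what the quoted `log_time` epoch implies for the quoted GUI time; the sample row and event are constructed from the values in the thread.

```python
import re
from datetime import datetime, timezone
# Constructed sample: the PRX.REQUEST_LOG row quoted in the thread, in mysql \G vertical format (trimmed)
DB_ROW_TEXT = """\
*************************** 1. row ***************************
                id: 14240
        support_id: 12551088809188504241
 support_id_suffix: 4241
          log_time: 1619518218
            src_ip: 88.3.223.72
          src_port: 49838
           dest_ip: 10.40.40.128
         dest_port: 443
        session_id: 2b2ab2c1d68399a8
       host_header: public.example.es
"""
# The same event as shown under Security -> Event Logs (values quoted in the thread)
GUI_EVENT = {
    "Support ID": "12551088809188504241",
    "Source IP Address": "88.3.223.72:49838",
    "Destination IP Address": "10.40.40.128:443",
    "Session ID": "2b2ab2c1d68399a8",
    "Host": "public.example.es",
    "Time": "2021-04-27 10:10:18",
}
def parse_vertical_row(text):
    """Turn one record of mysql \\G output into a {column: value} dict."""
    row = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s?(.*)$", line)
        if m:  # the '*** 1. row ***' banner does not match and is skipped
            row[m.group(1)] = m.group(2).strip()
    return row
def check_event_against_row(event, row):
    """Return (field, gui_value, db_value) triples that disagree; [] means consistent."""
    # log_time is a Unix epoch; assumption: the BIG-IP clock is UTC, so render it as UTC
    when = datetime.fromtimestamp(int(row["log_time"]), tz=timezone.utc)
    derived = {
        "Support ID": row["support_id"],
        "Source IP Address": f"{row['src_ip']}:{row['src_port']}",
        "Destination IP Address": f"{row['dest_ip']}:{row['dest_port']}",
        "Session ID": row["session_id"],
        "Host": row["host_header"],
        "Time": when.strftime("%Y-%m-%d %H:%M:%S"),
    }
    bad = [(k, event[k], derived[k]) for k in event if event[k] != derived[k]]
    if row["support_id"][-4:] != row["support_id_suffix"]:  # suffix column is the last 4 digits
        bad.append(("support_id_suffix", row["support_id"][-4:], row["support_id_suffix"]))
    return bad
```

Feed it the output of the `mysql ... \G` query for the support ID copied from the GUI; an empty list confirms the GUI entry and the DB row describe the same request.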
- Manohar_Mekala, Apr 27, 2021
Okay, thank you for all the feedback. I might raise this with support in that case.
Regards,
Manny Mekala.