Forum Discussion
Manohar_Mekala
Altostratus
Apr 24, 2021
What file are logs stored for the violations in Security->Event Logs->Protocol->HTTP
Want to check if there is a way to view the information presented in the GUI for the violations in Security->Event Logs->Protocol->HTTP. What files are these stored in? What is the CLI way to filt...
- Apr 25, 2021
Hello Manohar.
Event logs are stored directly in the DB.
You should query this DB to check these events out.
https://support.f5.com/csp/article/K06821426
Regards,
Dario.
Dario_Garrido
Noctilucent
Apr 26, 2021
Hello Manohar.
PRX.REQUEST_LOG has a column called "support_id".
# mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "select * from PRX.REQUEST_LOG where support_id = 9374597410145173508\G"
*************************** 1. row ***************************
id: 1
support_id: 9374597410145173508
support_id_suffix: 3508
Regards,
Dario.
Dario_Garrido
Noctilucent
Apr 27, 2021
Hello Manohar.
In my case, this is an event collected from the GUI:
Geolocation: Spain
Source IP Address: 88.3.223.72:49838
Device ID: N/A
Microservice: N/A
Username: N/A
Session ID: 2b2ab2c1d68399a8
Source IP Intelligence: N/A
Host: public.example.es
Destination IP Address: 10.40.40.128:443
Client Type: Uncategorized
Accept Status: Not Accepted
Support ID: 12551088809188504241
Time: 2021-04-27 10:10:18
Violation Rating: 3 Request needs further examination
Attack Types: Information Leakage
Request Status: Illegal
Blocking Exception Reason: N/A
Security Policy: security_public
Virtual Server: vs_public
Method: OPTIONS
Response Status Code: 200
Severity: Critical
And as you can see, it's reflected correctly in the DB.
# mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "select * from PRX.REQUEST_LOG where support_id = 12551088809188504241\G"
*************************** 1. row ***************************
id: 14240
support_id: 12551088809188504241
support_id_suffix: 4241
policy_id: 4
log_time: 1619518218
src_ip: 88.3.223.72
src_port: 49838
route_domain: 0
dest_ip: 10.40.40.128
dest_port: 443
request_schema: 1
method_code: 3
url: /url/
response_code: 200
username:
session_id: 2b2ab2c1d68399a8
device_id:
geo_location_country_code: ES
severity_id: 2
slot_number: 0
violation_rating: 3
attack_types_mask: 1024
has_violations: 1
viol_set_enforce:
viol_set_staging:
flg_req_blocked: 0
flg_req_truncated: 0
flg_resp_compressed: 0
flg_resp_truncated: 0
is_unblock_request: 0
response_exclusion_reason: 4
iprep_threat: 0
protobuf_file_id: 4
protobuf_file_seek_pos: 1469980
protobuf_record_size: 835
suggestion_keys: servertech:r2:686155af75a60a0f6e9d80c1f7edd3e9,filetype:r2:570cb2d086023f967bcd4b72436bb33e,method:r2:164dd62adb30ca051b5289672a572f9b,host:r2:bf8d561a3fd3a920d805d2d5555be9ce
flg_display: 1
host_header: public.example.es
virtual_server_name: /Common/vs_public
microservice_url:
microservice_host_name:
matched_microservice:
I would say that it's the same DB.
Regards,
Dario.
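As an added illustration (not part of Dario's posts or of any F5 documentation), here are the kinds of ad-hoc filters the original question asked about, written against the PRX.REQUEST_LOG columns that appear in the \G output above. The column names (support_id, support_id_suffix, log_time, src_ip, host_header, url, response_code, violation_rating, has_violations, flg_req_blocked, policy_id, virtual_server_name) are taken from that output; everything else (the 24-hour window, the LIMIT values, the assumption that support_id_suffix holds the last four digits the GUI search box accepts, and that log_time is a Unix epoch, which the value 1619518218 for 2021-04-27 10:10:18 suggests) is an assumption of this example. The attack_types_mask bit layout is not given on the page, so it is deliberately not decoded here.

```sql
-- Added example, not from the original thread.
-- Column names come from the SELECT * \G output in the post; the time window,
-- LIMIT values and the meaning of support_id_suffix are assumptions.

-- 1. Exact match on the Support ID shown in the GUI event.
SELECT id, FROM_UNIXTIME(log_time) AS log_time, src_ip, host_header, url,
       response_code, violation_rating, flg_req_blocked
FROM PRX.REQUEST_LOG
WHERE support_id = 12551088809188504241;

-- 2. Match on the last four digits only (assumed to be what the
--    support_id_suffix column is for), newest first.
SELECT id, support_id, FROM_UNIXTIME(log_time) AS log_time, src_ip, url
FROM PRX.REQUEST_LOG
WHERE support_id_suffix = 4241
ORDER BY log_time DESC;

-- 3. Requests with violations in the last 24 hours
--    (log_time assumed to be a Unix epoch in seconds).
SELECT FROM_UNIXTIME(log_time) AS log_time, src_ip, host_header, url,
       response_code, violation_rating, flg_req_blocked, virtual_server_name
FROM PRX.REQUEST_LOG
WHERE has_violations = 1
  AND log_time >= UNIX_TIMESTAMP() - 86400
ORDER BY log_time DESC
LIMIT 100;

-- 4. Noisiest source IPs among violating requests that were NOT blocked
--    (flg_req_blocked = 0), i.e. "Illegal" requests that still reached the
--    server, like the OPTIONS request above with response_code 200.
SELECT src_ip, COUNT(*) AS hits, MAX(violation_rating) AS max_rating
FROM PRX.REQUEST_LOG
WHERE has_violations = 1
  AND flg_req_blocked = 0
  AND log_time >= UNIX_TIMESTAMP() - 86400
GROUP BY src_ip
ORDER BY hits DESC
LIMIT 20;

-- 5. Break the same window down per security policy and virtual server.
SELECT policy_id, virtual_server_name,
       SUM(flg_req_blocked) AS blocked, COUNT(*) - SUM(flg_req_blocked) AS passed
FROM PRX.REQUEST_LOG
WHERE has_violations = 1
  AND log_time >= UNIX_TIMESTAMP() - 86400
GROUP BY policy_id, virtual_server_name
ORDER BY passed DESC;
```

Each statement can be passed to the same mysql invocation Dario uses above (mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "..."), appending \G when a single wide row is easier to read than a table. Keep these to SELECTs: the table is written by the ASM logging process, and modifying it by hand is not something the page or F5's article suggests.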