Forum Discussion
Greg_33558
Nimbostratus
NimbostratusWhere to find raw HTTP Request for ASM violations?
Where can I find the raw HTTP Request that is logged with ASM violations?
The version that is printed to the browser in Security->Event Logs->Application->Requests appears to be inserting a Re...
gowenfawrNimbostratus
NimbostratusI have found the raw HTTP request in a file on the F5:
/var/adm/request_log/0000000001
This file appears to be a binary format which contains the raw requests and various other recognizable information about the request. For example, among a lot of binary character mush I can see 'no_ext', the URI, and the IP address of the virtual involved as well as the raw HTTP request. Clearly this file contains info about multiple requests, one after the other, with associated data.
It was possible to pull out the raw request and find what I suspected was true - the request contained a 0xe2 byte, which is a valid UTF-8 multibyte prefix, but without valid multibyte data following it (in fact, the next characters are the '
I would love to see tools or documentation for dissecting this file, but for my purposes it was sufficient to go in and search for the string I needed to extract and write out the lines of the HTTP request.