Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

What file are logs stored for the violations in Security->Event Logs->Protocol->HTTP

Go to solution
Manohar_Mekala
Altostratus
Altostratus

‎24-Apr-2021 06:29

Want to check if there is a way to view the information presented in GUI for the violations in Security->Event Logs->Protocol->HTTP.

What files are these files stored in. What is the CLI way to filter the same information? I am using BIG-IP Ver 15.1

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Dario_Garrido
MVP
MVP

‎25-Apr-2021 00:16

Hello Manohar.

Event logs are stored directly in the DB.

You should query this DB to check these events out.

https://support.f5.com/csp/article/K06821426

Regards,

Dario.

Regards,
Dario.

View solution in original post

8 REPLIES 8

Go to solution
Dario_Garrido
MVP
MVP

‎25-Apr-2021 00:16

Hello Manohar.

Event logs are stored directly in the DB.

You should query this DB to check these events out.

https://support.f5.com/csp/article/K06821426

Regards,

Dario.

Regards,
Dario.

Go to solution
Manohar_Mekala
Altostratus
Altostratus

‎25-Apr-2021 04:12

Hi Dario,

Almost there, thank you for pointing me in the right direction.... was not much fun looking up in flat files... :-).

Now on to figuring out the name for of the log table for https violations. the article seems to hint at the request logs...

0 Kudos

Go to solution
Dario_Garrido
MVP
MVP
In response to Manohar_Mekala

‎26-Apr-2021 02:06 - last edited on ‎21-Nov-2022 16:19 by Fog

Hello Manohar.

 

These are the tables available:

# mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "SHOW TABLES FROM PRX"
+-----------------------------------+
| Tables_in_PRX                     |
+-----------------------------------+
| ACCEPTED_REQUESTS                 |
| BOT_DEFENSE_ANOMALIES             |
| BOT_DEFENSE_ANOMALY_CATEGORIES    |
| BOT_DEFENSE_EVENT_LOG             |
| BOT_DEFENSE_EVENT_LOG_CLEARED     |
| BOT_DEFENSE_EVENT_LOG_PROPERTIES  |
| BOT_INCIDENTS                     |
| BOT_INCIDENT_ANOMALIES            |
| BOT_INCIDENT_ANOMALY_CATEGORIES   |
| BOT_INCIDENT_SUPPORT_IDS          |
| BOT_INCIDENT_TOP_IPS              |
| BRUTE_FORCE_ATTACK_LOG            |
| BRUTE_FORCE_ATTACK_LOG_PROPERTIES |
| BRUTE_FORCE_LEAKED_CREDENTIALS    |
| BRUTE_FORCE_LOGIN_PAGE_STATUS     |
| BRUTE_FORCE_MITIGATED_DEVICE_IDS  |
| BRUTE_FORCE_MITIGATED_IPS         |
| BRUTE_FORCE_MITIGATED_USERNAMES   |
| CLEANDB_LOG                       |
| INCIDENTS                         |
| INCIDENT_SUPPORT_IDS              |
| INCIDENT_TYPES                    |
| PROXY_LOG_CONSUMERS               |
| REQUEST_LOG                       |
| REQUEST_LOG_CLEARED               |
| REQUEST_LOG_PROPERTIES            |
| REQUEST_LOG_SYNC_FILES            |
| REQUEST_LOG_TAGS                  |
+-----------------------------------+

And these are the incident types:

# mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "SELECT incident_type_id,incident_type_name,incident_type_display_name FROM PRX.INCIDENT_TYPES"
+------------------+----------------------------+--------------------------------------------+
| incident_type_id | incident_type_name         | incident_type_display_name                 |
+------------------+----------------------------+--------------------------------------------+
|                1 | INFORMATION_LEAKAGE        | Information Leakage                        |
|                2 | MALICIOUS_SESSION          | Malicious Session                          |
|                4 | VULNERABILITY_SCAN         | Vulnerability Scan                         |
|                5 | DISALLOWED_SOURCE          | Access from Malicious or Disallowed Source |
|                6 | SERVER_SIDE_CODE_INJECTION | Server Side Code Injection                 |
|                7 | COMMAND_EXECUTION          | Command Execution                          |
|                8 | DATA_TAMPERING             | Data Tampering                             |
|                9 | SESSION_HIJACKING          | Session Hijacking                          |
|               10 | AUTH_BYPASS                | Authentication/Authorization Bypass        |
|               11 | MALICIOUS_CONTENT          | Malicious Content                          |
|               12 | MALICIOUS_SCAN             | Malicious Scan                             |
|               13 | THREAT_CAMPAIGN            | Threat Campaign                            |
+------------------+----------------------------+--------------------------------------------+

The rest of the work to deep into those SQL Tables.

 

Please, don't forget to mark my answer as "the best" to help other people to find it.

 

Regards,

Dario.

Regards,
Dario.

Go to solution
Manohar_Mekala
Altostratus
Altostratus

‎26-Apr-2021 07:16

 

GUI has this...0691T00000CncDdQAJ.pngchecked the DB to list all tables with column support_id

 

#mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'`                                                                                             

----

----

MariaDB [(none)]> SELECT TABLE_NAME FROM information_schema.columns WHERE column_name = 'support_id';

+---------------------------+

| TABLE_NAME               |

+---------------------------+

| PL_SUGGESTION_SUPPORT_IDS |

| ACCEPTED_REQUESTS        |

| BOT_DEFENSE_EVENT_LOG    |

| BOT_INCIDENT_SUPPORT_IDS |

| INCIDENT_SUPPORT_IDS     |

| REQUEST_LOG              |

+---------------------------+

Looked in each of the tables but couldn't locate the support ID...

0691T00000CncGmQAJ.pngNot sure where i am going wrong...

0 Kudos

Go to solution
Dario_Garrido
MVP
MVP
In response to Manohar_Mekala

‎26-Apr-2021 07:29 - last edited on ‎04-Jun-2023 20:56 by Fog

Hello Manohar.

PRX.REQUEST_LOG has a column called "support_id".

# mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "select * from PRX.REQUEST_LOG where support_id = 9374597410145173508\G"
*************************** 1. row ***************************
                       id: 1
               support_id: 9374597410145173508
        support_id_suffix: 3508

Regards,

Dario.

Regards,
Dario.
0 Kudos

Go to solution
Manohar_Mekala
Altostratus
Altostratus
In response to Dario_Garrido

‎26-Apr-2021 14:47

Yes and the support Id from gui is not returned in the cli search. Likewise the support id's in the REQUEST_LOG are not in GUI logs. Probably not the same dB?

0 Kudos

Go to solution
Dario_Garrido
MVP
MVP
In response to Dario_Garrido

‎27-Apr-2021 03:41 - last edited on ‎21-Nov-2022 16:18 by Fog

Hello Manohar.

 

In my case, this and event collected from GUI:

Geolocation: Spain
Source IP Address: 88.3.223.72:49838
Device ID: N/A
Microservice: N/A
Username: N/A
Session ID: 2b2ab2c1d68399a8
Source IP Intelligence: N/A
Host: public.example.es
Destination IP Address: 10.40.40.128:443
Client Type: Uncategorized
Accept Status: Not Accepted
Support ID: 12551088809188504241
Time: 2021-04-27 10:10:18
Violation Rating: 3 Request needs further examination
Attack Types: Information Leakage
Request Status: Illegal
Blocking Exception Reason: N/A
Security Policy: security_public
Virtual Server: vs_public
Method: OPTIONS
Response Status Code: 200
Severity: Critical

And as you can see, it's reflected correctly in the DB.

# mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "select * from PRX.REQUEST_LOG where support_id = 12551088809188504241\G"
*************************** 1. row ***************************
                       id: 14240
               support_id: 12551088809188504241
        support_id_suffix: 4241
                policy_id: 4
                 log_time: 1619518218
                   src_ip: 88.3.223.72
                 src_port: 49838
             route_domain: 0
                  dest_ip: 10.40.40.128
                dest_port: 443
           request_schema: 1
              method_code: 3
                      url: /url/
            response_code: 200
                 username:
               session_id: 2b2ab2c1d68399a8
                device_id:
geo_location_country_code: ES
              severity_id: 2
              slot_number: 0
         violation_rating: 3
        attack_types_mask: 1024
           has_violations: 1
         viol_set_enforce:
         viol_set_staging:
          flg_req_blocked: 0
        flg_req_truncated: 0
      flg_resp_compressed: 0
       flg_resp_truncated: 0
       is_unblock_request: 0
response_exclusion_reason: 4
             iprep_threat: 0
         protobuf_file_id: 4
   protobuf_file_seek_pos: 1469980
     protobuf_record_size: 835
          suggestion_keys: servertech:r2:686155af75a60a0f6e9d80c1f7edd3e9,filetype:r2:570cb2d086023f967bcd4b72436bb33e,method:r2:164dd62adb30ca051b5289672a572f9b,host:r2:bf8d561a3fd3a920d805d2d5555be9ce
              flg_display: 1
              host_header: public.example.es
      virtual_server_name: /Common/vs_public
         microservice_url:
   microservice_host_name:
     matched_microservice:

I will do say that it's the same DB.

 

Regards,

Dario.

Regards,
Dario.
0 Kudos

Go to solution
Manohar_Mekala
Altostratus
Altostratus
In response to Dario_Garrido

‎27-Apr-2021 15:33

Okay thank you for all the feedback, I might raise this with support in that case. Regards Manny Mekala. PS: Sent via Outlook for Android<>
0 Kudos
Copyright © 2023 Khoros, LLC