It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Application Firewall

Logs

  • Last updated on

The Barracuda Web Application Firewall has a comprehensive logging feature to record significant events. Events related to HTTP traffic, actions of the Barracuda Web Application Firewall, and user actions are captured in logs. These log messages enable a system administrator to:

  • Obtain information about the Barracuda Web Application Firewall traffic and performance.
  • Analyze logs for suspicious activity.
  • Troubleshoot problems.

The following types of logs are available in the Barracuda Web Application Firewall:

  • Web Firewall Logs
  • Access logs
  • Audit logs
  • System Logs
  • Network Firewall Logs

For more information on logs, see Logging, Reporting and Monitoring.

To Retrieve Web Firewall Logs

URL: /v1/logs/webfirewall_logs

Method: GET

Description: Lists all web firewall logs.

Parameter Name

Data Type

Mandatory

Description

Input Parameters:

 

 

 

parameters

Alphanumeric

Optional

Any specific parameter name that needs to be retrieved.

Example 1: Retrieving all web firewall logs

Request:

curl http://10.11.25.9:8000/restapi/v1/logs/webfirewall_logs -u 'eyJldCI6IjE0NjQxMTg5MjgiLCJwYXNzd29yZCI6IjY0N2MxYTZlMGQwMGI5ZTdlN2ZlMDE2MmE1\nNDFiYzEzIiwidXNlciI6ImFkbWluIn0=\n:' -X GET

Response:

{"value":[{"ID":"154eb350fea-3a1b50","Time":"1464235003886","Client_port":53145,"Service_IP_Port":"99.99.9.2:80","Follow_Up_Action":0,"Proxy_IP":"99.99.1.117","Attack_Category":2,"Action":1,"Attack_Description":119,"Attack_Detail":"GET /inex<scripyt> HTTP/.10","Severity":1,"User_Agent":"Unknown","Query_String":"\"-\"","URL":"/inex<scripyt>","Authenticated_User":"","Client_type":5,"Rule_type":0,"Country":"US","Referer":"","Protocol":0,"Proxy_Port":53145,"Useragent_Version":"-","Client_ip":"99.99.1.117","Rule":"global","Host":"99.99.9.2"},"metadata":{"header":[{"Action":{"1":"LOG","3":"REDIRECT","0":"DENY","2":"CLOAK"}},{"Follow_Up_Action":{"1":"Client IP Block","0":"None","2":"Challenge with CAPTCHA"}},{"Severity":{"6":"Information","4":"Warning","1":"Alert","3":"Error","0":"Emergency","7":"Debug","2":"Critical","5":"Notice"}},{"Attack_Category":{"6":"XML Violations","11":"Limits Violation","3":"Forceful Browsing","7":"SQL Attacks","9":"Auth Attacks","12":"Outbound Attacks","2":"Protocol Violations","8":"FILE Attacks","1":"Session Tamper Attacks","4":"Injection Attacks","0":"Other Attacks","13":"JSON Violations","10":"DDoS Attacks","5":"XSS Injections"}},{"Rule_type":{"6":"Header ACL","4":"URL Profile","1":"URL ACL","3":"URL Policy","0":"Global","7":"JSON profile","2":"Global URL ACL","5":"Param Profile"}},{"Protocol":{"1":"HTTPS","769":"TLSv1.0","0":"HTTP","770":"TLSv1.1","771":"TLSv1.2","2":"FTP","768":"SSLv3"}}]},"token":"eyJldCI6IjE0NjU1NDQ1MjkiLCJwYXNzd29yZCI6ImUxNzFlZmZhMWE5NGRmYTY1YzA1YmU3ODJj\nZjAzZjUyIiwidXNlciI6ImFkbWluIn0=\n"}

Example 2: Retrieving web firewall logs based on a specific filter

Request:

curl http://10.11.25.9:8000/restapi/v1/logs/webfirewall_logs -u 'eyJldCI6IjE0NjU1NDQzNjEiLCJwYXNzd29yZCI6Ijc4NmVhZDZlMWQ1NGVkZDQzZWE3YTU0Y2Iz\nNWQzYjNlIiwidXNlciI6ImFkbWluIn0=\n:' -X GET -G -d act_taken=0

Response:

{"value":[{"ID":"154ebde5b7f-3a1b50","Time":"1464246099908","Client_port":35656,"Service_IP_Port":"99.99.9.10:80","Follow_Up_Action":0,"Proxy_IP":"99.99.1.117","Attack_Category":5,"Action":0,"Attack_Description":158,"Attack_Detail":"type=\"cross-site-scripting\" pattern=\"script-tag\" token=\"<SCRIPT>\" Parameter=\"name\" value=\"<SCRIPT>\"","Severity":1,"User_Agent":"Unknown","Query_String":"name=<SCRIPT>","URL":"/index.html","Authenticated_User":"","Client_type":5,"Rule_type":0,"Country":"US","Referer":"","Protocol":0,"Proxy_Port":35656,"Useragent_Version":"-","Client_ip":"99.99.1.117","Rule":"security-policy","Host":"99.99.9.10"},{"ID":"154f0adeb84-3a1b50","Time":"1464326810513","Client_port":51910,"Service_IP_Port":"99.99.9.2:80","Follow_Up_Action":0,"Proxy_IP":"99.99.1.117","Attack_Category":2,"Action":0,"Attack_Description":118,"Attack_Detail":"GE6T /index.html<script>>>> HTTP/1.0","Severity":1,"User_Agent":"Unknown","Query_String":"\"-\"","URL":"/","Authenticated_User":"","Client_type":5,"Rule_type":0,"Country":"US","Referer":"","Protocol":0,"Proxy_Port":51910,"Useragent_Version":"-","Client_ip":"99.99.1.117","Rule":"global","Host":"99.99.9.2"}],"metadata":{"header":[{"Action":{"1":"LOG","3":"REDIRECT","0":"DENY","2":"CLOAK"}},{"Follow_Up_Action":{"1":"Client IP Block","0":"None","2":"Challenge with CAPTCHA"}},{"Severity":{"6":"Information","4":"Warning","1":"Alert","3":"Error","0":"Emergency","7":"Debug","2":"Critical","5":"Notice"}},{"Attack_Category":{"6":"XML Violations","11":"Limits Violation","3":"Forceful Browsing","7":"SQL Attacks","9":"Auth Attacks","12":"Outbound Attacks","2":"Protocol Violations","8":"FILE Attacks","1":"Session Tamper Attacks","4":"Injection Attacks","0":"Other Attacks","13":"JSON Violations","10":"DDoS Attacks","5":"XSS Injections"}},{"Rule_type":{"6":"Header ACL","4":"URL Profile","1":"URL ACL","3":"URL Policy","0":"Global","7":"JSON profile","2":"Global URL ACL","5":"Param Profile"}},{"Protocol":{"1":"HTTPS","769":"TLSv1.0","0":"HTTP","770":"TLSv1.1","771":"TLSv1.2","2":"FTP","768":"SSLv3"}}]},"token":"eyJldCI6IjE0NjU1NDU1MTciLCJwYXNzd29yZCI6IjczMmY5NjkzMmE3NzQ0ZjA2NjliNDQ1MWE2\nMTc1OGZjIiwidXNlciI6ImFkbWluIn0=\n"}

Example 3: Retrieving web firewall logs based on limit and offset filters

curl -X GET -u 'eyJldCI6IjE1MDUyMDM1NDAiLCJwYXNzd29yZCI6ImM5ZjJkOGE4NGUxNGYzMTk3Y2QzMGRiYTdk\nODk3Zjg1IiwidXNlciI6ImFkbWluIn0 =:' 'http://<WAF-IP/PORT>/restapi/v1/logs/webfirewall_logs?limit=10&offset=25

Example 4: Retrieving web firewall logs based on the given interval

curl http://<WAF-IP/PORT>/restapi/v1/logs/webfirewall_logs?min_time=2015-12-20T23:22:18&max_time=2015-12-21T22:20:19 –X GET –u ”token:”

Note: The time for the filters "min_time" and "max_time" must be specified in the following format - YYYY-MM-DDTHH-MM-SS.

The following table lists the web firewall log parameters:

Parameter name in web interface

Parameter name to be used in the REST API command

Time

timestamp

Severity

sev_level

Action

act_taken

Follow Up Action

followup_act

Attack Description

attack_desc

Attack Category

attk_category

Client IP

client_ip

Service IP Port

serviceip:serviceport

Rule Type

rule_type

Protocol

wf_log_protocol

Proxy IP

wf_proxyip

Proxy Port

wf_proxyport

Rule

rule_id

Attack Detail

attk_detail

User Agent

wf_useragent

Authenticated User

wf_authuser

Referer

referer

Host

apslog_host

URL

url

Useragent Version

useragent_version

Country

country_code

ID

log_uid

Query String

query_str

Client Type

client_type

Limit limit
Offset offset
Minimum Time min_time
Maximum Time max_time

To Retrieve Access Logs

URL: /v1/logs/access_logs

Method: GET

Description: Lists all access logs.

Parameter Name

Data Type

Mandatory

Description

Input Parameters:

 

 

 

parameters

Alphanumeric

Optional

Any specific parameter name that needs to be retrieved.

Example 1: Retrieving all access logs

Request:

curl http://10.11.25.9:8000/restapi/v1/logs/access_logs -u 'eyJldCI6IjE0NjU1NDQzNjEiLCJwYXNzd29yZCI6Ijc4NmVhZDZlMWQ1NGVkZDQzZWE3YTU0Y2Iz\nNWQzYjNlIiwidXNlciI6ImFkbWluIn0=\n:' -X GET

Response:

{"value":[{"Web_Firewall_Matched":1,"Login":"\"-\"","Response_Type":0,"Bytes_Sent":0,"Clickjacking":0,"User_Agent":"Unknown","Query_String":"\"-\"","URL":"GE6T","Method":"","Version":"\"-\"","Certificate_User":"\"-\"","Custom_Header2":"\"-\"","Host":"10.11.25.117","ID":"154f0adeb84-3a1b50","Time":"1464326810526","Cached":0,"ServerIP_Port":"10.11.25.117:80","Custom_Header3":"\"-\"","Proxy_IP":"99.99.1.117","Server_Time":0,"Custom_Header1":"\"-\"","Time_Taken":26,"Client_Port":51910,"Authenticated_User":"\"-\"","Referrer":"\"-\"","Bytes_Received":38,"Profile_Matched":1,"Country":"US","Session_ID":"","Protected":2,"Client_IP":"99.99.1.117","Client_Type":5,"Encrypted_URL":"\"-\"","Proxy_Port":51910,"Protocol":0,"Cookie":"\"-\""},{"Web_Firewall_Matched":0,"Login":"\"-\"","Response_Type":1,"Bytes_Sent":399,"Clickjacking":0,"User_Agent":"Unknown","Query_String":"\"-\"","URL":"/SDGF/1'OR'1","Method":"GET","Version":"HTTP/1.0","Certificate_User":"\"-\"","Custom_Header2":"","Host":"99.99.9.3","ID":"154f0b03e72-3a1b50","Time":"1464326963208","Cached":0,"ServerIP_Port":"10.11.25.117:80","Custom_Header3":"","Proxy_IP":"99.99.1.117","Server_Time":2,"Custom_Header1":"","Time_Taken":406,"Client_Port":32950,"Authenticated_User":"\"-\"","Referrer":"\"-\"","Bytes_Received":27,"Profile_Matched":1,"Country":"US","Session_ID":"","Protected":1,"Client_IP":"99.99.1.117","Client_Type":5,"Encrypted_URL":"\"-\"","Proxy_Port":32950,"Protocol":771,"Cookie":"\"-\""}],"metadata":{"header":[{"Protected":{"1":"Passive","0":"Unprotected","2":"Protected"}},{"Web_Firewall_Matched":{"1":"Invalid","0":"Valid"}},{"Profile_Matched":{"1":"Default","0":"Profiled"}},{"Response_Type":{"1":"Server","0":"Internal"}},{"Protocol":{"3":"WS","770":"TLSv1.1","771":"TLSv1.2","2":"FTP","1":"HTTPS","4":"WSS","0":"HTTP","769":"TLSv1.0","768":"SSLv3"}}]},"token":"eyJldCI6IjE0NjU1NDY3MDgiLCJwYXNzd29yZCI6IjdlMWUwMjc4ZjE5NzZkMWViNDE2ZTJmZjI1\nNmUyMDViIiwidXNlciI6ImFkbWluIn0=\n"}

Example 2: Retrieving access logs based on a specific filter

Request:

curl http://10.11.25.9:8000/restapi/v1/logs/access_logs -u 'eyJldCI6IjE0NjU1NDQzNjEiLCJwYXNzd29yZCI6Ijc4NmVhZDZlMWQ1NGVkZDQzZWE3YTU0Y2Iz\nNWQzYjNlIiwidXNlciI6ImFkbWluIn0=\n:' -X GET -G -d host=99.99.1.121

Response:

{"value":[{"Web_Firewall_Matched":1,"Login":"\"-\"","Response_Type":0,"Bytes_Sent":0,"Clickjacking":0,"User_Agent":"Unknown","Query_String":"\"-\"","URL":"GE6T","Method":"","Version":"\"-\"","Certificate_User":"\"-\"","Custom_Header2":"\"-\"","Host":"99.99.1.121","ID":"154f0adeb84-3a1b50","Time":"1464326810526","Cached":0,"ServerIP_Port":"10.11.25.117:80","Custom_Header3":"\"-\"","Proxy_IP":"99.99.1.117","Server_Time":0,"Custom_Header1":"\"-\"","Time_Taken":26,"Client_Port":51910,"Authenticated_User":"\"-\"","Referrer":"\"-\"","Bytes_Received":38,"Profile_Matched":1,"Country":"US","Session_ID":"","Protected":2,"Client_IP":"99.99.1.117","Client_Type":5,"Encrypted_URL":"\"-\"","Proxy_Port":51910,"Protocol":0,"Cookie":"\"-\""},{"Web_Firewall_Matched":0,"Login":"\"-\"","Response_Type":1,"Bytes_Sent":399,"Clickjacking":0,"User_Agent":"Unknown","Query_String":"\"-\"","URL":"/SDGF/1'OR'1","Method":"GET","Version":"HTTP/1.0","Certificate_User":"\"-\"","Custom_Header2":"","Host":"99.99.9.3","ID":"154f0b03e72-3a1b50","Time":"1464326963208","Cached":0,"ServerIP_Port":"10.11.25.117:80","Custom_Header3":"","Proxy_IP":"99.99.1.117","Server_Time":2,"Custom_Header1":"","Time_Taken":406,"Client_Port":32950,"Authenticated_User":"\"-\"","Referrer":"\"-\"","Bytes_Received":27,"Profile_Matched":1,"Country":"US","Session_ID":"","Protected":1,"Client_IP":"99.99.1.117","Client_Type":5,"Encrypted_URL":"\"-\"","Proxy_Port":32950,"Protocol":771,"Cookie":"\"-\""}],"metadata":{"header":[{"Protected":{"1":"Passive","0":"Unprotected","2":"Protected"}},{"Web_Firewall_Matched":{"1":"Invalid","0":"Valid"}},{"Profile_Matched":{"1":"Default","0":"Profiled"}},{"Response_Type":{"1":"Server","0":"Internal"}},{"Protocol":{"3":"WS","770":"TLSv1.1","771":"TLSv1.2","2":"FTP","1":"HTTPS","4":"WSS","0":"HTTP","769":"TLSv1.0","768":"SSLv3"}}]},"token":"eyJldCI6IjE0NjU1NDY5MTYiLCJwYXNzd29yZCI6ImU2ZmJjZjM0YWFkODM4Y2E2NTRiNWYzZjAx\nOTg4ZDEzIiwidXNlciI6ImFkbWluIn0=\n"}

Example 3: Retrieving access logs based on limit and offset filters

curl -X GET --header 'Accept: application/json' -u 'eyJldCI6IjE1MDUyMDM1NDAiLCJwYXNzd29yZCI6ImM5ZjJkOGE4NGUxNGYzMTk3Y2QzMGRiYTdk\nODk3Zjg1IiwidXNlciI6ImFkbWluIn0 =:' 'http://<WAF-IP/PORT>/restapi/v1/logs/access_logs?limit=10&offset=25

Example 4: Retrieving access logs based on the given interval

curl http://<WAF-IP/PORT>/restapi/v1/logs/access_logs?min_time=2015-12-20T23:22:18&max_time=2015-12-21T22:20:19 –X GET –u ”token:”

Note: The time for the filters "min_time" and "max_time" must be specified in the following format - YYYY-MM-DDTHH-MM-SS.

The following table lists the access log parameters:

Parameter name in web interface

Parameter name to be used in the REST API command

Time

timestamp

ID

log_uid

Client IP

client_ip

Client Port

client_port

Country

country_code

Client Type

client_type

Certificate User

cert_user

Proxy IP

web_proxyip

Proxy Port

web_proxyport

User Agent

web_useragent

Authenticated User

web_authuser

Custom Header1

web_cusheader1

Custom Header2

web_cusheader2

Custom Header3

web_cusheader3

ServerIP Port

serverip:serverport

Method

method

Clickjacking

click_jacking

Encrypted URL

encrypted_url

Cached

cache_hit

Bytes Sent

byte_sent

Bytes Received

byte_recvd

Protected

protected_flag

Web Firewall Matched

wf_match_flag

Profile Matched

profile_flag

Response Type

response_flag

Protocol

web_log_protocol

Version

weblog_version

Host

weblog_host

URL

uri_stem

Query String

query_str

Referrer

referrer

Time Taken

time_taken

Server Time

server_time

Session ID

session_id

Limit limit
Offset offset
Minimum Time min_time
Maximum Time max_time

To Retrieve Audit Logs

URL: /v1/logs/audit_logs

Method: GET

Description: Lists all audit logs.

Parameter Name

Data Type

Mandatory

Description

Input Parameters:

 

 

 

parameters

Alphanumeric

Optional

Any specific parameter name that needs to be retrieved.

Example 1: Retrieving all audit logs

Request:

curl http://10.11.25.9:8000/restapi/v1/logs/audit_logs -u 'eyJldCI6IjE0NjU1NDQzNjEiLCJwYXNzd29yZCI6Ijc4NmVhZDZlMWQ1NGVkZDQzZWE3YTU0Y2Iz\nNWQzYjNlIiwidXNlciI6ImFkbWluIn0=\n:' -X GET

Response:

{"value":[{"ID":"56b9a08ed8ebf6113b65e895","Time":"1455005838537","Role":"admin","Object_Name":"Data path","Transaction_Type":"Initialization","Additional_Data":"[Service Initialization]","Transaction_ID":0,"Login_IP":"127.0.0.1","Object_Type":"Services","Old_Value":"","New_Value":"","Variable":"","Admin":"admin","Change_Type":"Start"},{"ID":"56b9cafcfc5891108b6a25a6","Time":"1455016699565","Role":"admin","Object_Name":"service_2","Transaction_Type":"Config","Additional_Data":"","Transaction_ID":10,"Login_IP":"10.11.18.25","Object_Type":"service","Old_Value":"","New_Value":"X-Forwarded-For","Variable":"aps_req_rewrite_header","Admin":"admin","Change_Type":"Set"},{"ID":"56b9cafcfc5891108b6a25a7","Time":"1455016699565","Role":"admin","Object_Name":"service_2","Transaction_Type":"Config","Additional_Data":"","Transaction_ID":10,"Login_IP":"10.11.28.232","Object_Type":"service","Old_Value":"","New_Value":"1455016692","Variable":"service_creation_time","Admin":"admin","Change_Type":"Set"},{"ID":"56b9cafcfc5891108b6a25a8","Time":"1455016699565","Role":"admin","Object_Name":"service_2","Transaction_Type":"Config","Additional_Data":"","Transaction_ID":10,"Login_IP":"10.11.19.89","Object_Type":"service","Old_Value":"","New_Value":"255.255.255.255","Variable":"if_mask","Admin":"admin","Change_Type":"Set"},{"ID":"56b9cafcfc5891108b6a25a9","Time":"1455016699566","Role":"admin","Object_Name":"service_2:default-url-policy","Transaction_Type":"Config","Additional_Data":"","Transaction_ID":10,"Login_IP":"10.11.18.25","Object_Type":"aps_url_acl","Old_Value":"","New_Value":"","Variable":"","Admin":"admin","Change_Type":"Add"}],"metadata":{"header":[{"Transaction_Type":{"11":"Support Tunnel closed","21":"Account Locked","7":"Shutdown","17":"Clear Statistics and Logs","2":"Config","22":"sendgarp_executed","1":"Logout","18":"Initialization","0":"Login","23":"failover_executed","16":"Admin Access Violation","13":"Firmware Revert","25":"config_sync","6":"Reboot","3":"Command","9":"Energize Updates","12":"Firmware Apply","20":"Delete Cloud Node","14":"Session-Timeout","15":"Unsuccessful Login","8":"Firmware Update","4":"Rollback","24":"failback_executed","19":"Add Cloud Node","10":"Support Tunnel open","5":"Restore"}},{"Change_Type":{"6":"Copy","11":"Done","3":"Delete","7":"Success","9":"Start","2":"Modify","8":"Failure","1":"Add","4":"Set","0":"None","10":"Stop","5":"Clear"}}]},"token":"eyJldCI6IjE0NjU1NDY5ODYiLCJwYXNzd29yZCI6ImIyNTE2ZDIyM2VkOTI5NWJiZWZhYjIzZDc4\nZjI1MzA4IiwidXNlciI6ImFkbWluIn0=\n"}

Example 2: Retrieving audit logs based on a specific filter

Request:

curl http://10.11.25.9:8000/restapi/v1/logs/audit_logs -u 'eyJldCI6IjE0NjQxMTg5MjgiLCJwYXNzd29yZCI6IjY0N2MxYTZlMGQwMGI5ZTdlN2ZlMDE2MmE1\nNDFiYzEzIiwidXNlciI6ImFkbWluIn0=\n:' -X GET -G -d login_ip!=10.11.18.25

Response:

{"value":[{"ID":"56b9a08ed8ebf6113b65e895","Time":"1455005838537","Role":"admin","Object_Name":"Data path","Transaction_Type":"Initialization","Additional_Data":"[Service Initialization]","Transaction_ID":0,"Login_IP":"127.0.0.1","Object_Type":"Services","Old_Value":"","New_Value":"","Variable":"","Admin":"admin","Change_Type":"Start"},{"ID":"56b9a09ed8ebf6113b65e8a1","Time":"1455005854253","Role":"admin","Object_Name":"Data path","Transaction_Type":"Initialization","Additional_Data":"[Data path successfully initialized]","Transaction_ID":0,"Login_IP":"127.0.0.1","Object_Type":"Services","Old_Value":"","New_Value":"","Variable":"","Admin":"admin","Change_Type":"Success"},{"ID":"56b9c0acfc5891108b6a2575","Time":"1455014060250","Role":"admin","Object_Name":"Data path","Transaction_Type":"Initialization","Additional_Data":"[Service Initialization]","Transaction_ID":0,"Login_IP":"127.0.0.1","Object_Type":"Services","Old_Value":"","New_Value":"","Variable":"","Admin":"admin","Change_Type":"Start"},"metadata":{"header":[{"Transaction_Type":{"11":"Support Tunnel closed","21":"Account Locked","7":"Shutdown","17":"Clear Statistics and Logs","2":"Config","22":"sendgarp_executed","1":"Logout","18":"Initialization","0":"Login","23":"failover_executed","16":"Admin Access Violation","13":"Firmware Revert","25":"config_sync","6":"Reboot","3":"Command","9":"Energize Updates","12":"Firmware Apply","20":"Delete Cloud Node","14":"Session-Timeout","15":"Unsuccessful Login","8":"Firmware Update","4":"Rollback","24":"failback_executed","19":"Add Cloud Node","10":"Support Tunnel open","5":"Restore"}},{"Change_Type":{"6":"Copy","11":"Done","3":"Delete","7":"Success","9":"Start","2":"Modify","8":"Failure","1":"Add","4":"Set","0":"None","10":"Stop","5":"Clear"}}]},"token":"eyJldCI6IjE0NjU1NDcxODYiLCJwYXNzd29yZCI6IjdlZGEwMjhiMzk3OGNhOGU3ZWE4MTAzOGUx\nZmRjOWEzIiwidXNlciI6ImFkbWluIn0=\n"}

Example 3: Retrieving audit logs based on limit and offset filters

curl -X GET --header 'Accept: application/json' -u 'eyJldCI6IjE1MDUyMDM1NDAiLCJwYXNzd29yZCI6ImM5ZjJkOGE4NGUxNGYzMTk3Y2QzMGRiYTdk\nODk3Zjg1IiwidXNlciI6ImFkbWluIn0 =:' 'http://<WAF-IP/PORT>/restapi/v1/logs/audit_logs?limit=10&offset=25

Example 4: Retrieving audit logs based on the given interval

curl http://<WAF-IP/PORT>/restapi/v1/logs/audit_logs?min_time=2015-12-20T23:22:18&max_time=2015-12-21T22:20:19 –X GET –u ”token:”

Note: The time for the filters "min_time" and "max_time" must be specified in the following format - YYYY-MM-DDTHH-MM-SS.

The following table lists the audit log parameters:

Parameter name in web interface

Parameter name to be used in the REST API command

Time

timestamp

ID

bson_oid

Login IP

login_ip

Admin

admin_name

Role

admin_role

Transaction Type

txn_name

Change Type

chg_name

Transaction ID

txn_id

Object_Type

obj_type

Object_Name

obj_name

Variable

variable

Old Value

old_value

New Value

new_value

Additional Data

add_data

Limit limit
Offset offset
Minimum Time min_time
Maximum Time max_time

To Retrieve System Logs

URL: /v1/logs/system_logs

Method: GET

Description: Lists all system logs.

Parameter Name

Data Type

Mandatory

Description

Input Parameters:

 

 

 

parameters

Alphanumeric

Optional

Any specific parameter name that needs to be retrieved.

Example 1: Retrieving all system logs

Request:

curl http://10.11.25.9:8000/restapi/v1/logs/system_logs -u 'eyJldCI6IjE0NjU1NDQzNjEiLCJwYXNzd29yZCI6Ijc4NmVhZDZlMWQ1NGVkZDQzZWE3YTU0Y2Iz\nNWQzYjNlIiwidXNlciI6ImFkbWluIn0=\n:' -X GET

Response:

{"value":[{"ID":"56f76bfc4d1495115204049a","Time":"1459055612510","Event_ID":7005,"Message":"[ALERT:7005] Server 10.11.25.117:80 is enabled by out of band monitor. Reason:out of band monitor","Module":"LB","Severity":1},{"ID":"56f76bfc4d1495115204049b","Time":"1459055612589","Event_ID":56003,"Message":"Server:10.11.25.117:80 Host:- is up Reason:out of band monitor\n","Module":"HEALTH","Severity":6},{"ID":"56f76c0e4d1495115204049c","Time":"1459055630993","Event_ID":44047,"Message":"Memory Usage exceeds 85%.Current RAM Usage:57%, Swap Usage: 88%","Module":"PROCMON","Severity":1},{"ID":"56f76c4d4d1495115204049d","Time":"1459055693774","Event_ID":44047,"Message":"Memory Usage exceeds 85%.Current RAM Usage:57%, Swap Usage: 88%","Module":"PROCMON","Severity":1},{"ID":"56f76c8c4d1495115204049e","Time":"1459055756504","Event_ID":44047,"Message":"Memory Usage exceeds 85%.Current RAM Usage:57%, Swap Usage: 88%","Module":"PROCMON","Severity":1},{"ID":"56f76ccb4d1495115204049f","Time":"1459055819256","Event_ID":44047,"Message":"Memory Usage exceeds 85%.Current RAM Usage:57%, Swap Usage: 88%","Module":"PROCMON","Severity":1},{"ID":"56f76d0a4d149511520404a0","Time":"1459055882054","Event_ID":44047,"Message":"Memory Usage exceeds 85%.Current RAM Usage:58%, Swap Usage: 88%","Module":"PROCMON","Severity":1},{"ID":"56f76f8a4d149511520404af","Time":"1459056522819","Event_ID":7006,"Message":"[ALERT:7006] Server 10.11.25.117:80 is disabled by out of band monitor. Reason: TCP connection timedout error .","Module":"LB","Severity":1},{"ID":"56f76f8a4d149511520404b0","Time":"1459056522928","Event_ID":56004,"Message":"Server:10.11.25.117:80 Host:- is down Reason: TCP connection timedout error .\n","Module":"HEALTH","Severity":1},{"ID":"56f76f944d149511520404b1","Time":"1459056532821","Event_ID":7005,"Message":"[ALERT:7005] Server 10.11.25.117:80 is enabled by out of band monitor. Reason:out of band monitor","Module":"LB","Severity":1},{"ID":"56f76f944d149511520404b2","Time":"1459056532902","Event_ID":56003,"Message":"Server:10.11.25.117:80 Host:- is up Reason:out of band monitor\n","Module":"HEALTH","Severity":6}],"metadata":{"header":[{"Severity":{"6":"6-Information","4":"4-Warning","1":"1-Alert","3":"3-Error","0":"0-Emergency","7":"7-Debug","2":"2-Critical","5":"5-Notice"}}]},"token":"eyJldCI6IjE0NjU1NDc0MDUiLCJwYXNzd29yZCI6ImVkOWE1ZjIyNDM3MmI0NTM4NTg4MDAyZmY2\nYWQwMDhiIiwidXNlciI6ImFkbWluIn0=\n"}

Example 2: Retrieving system logs based on a specific filter

Request:

curl http://10.11.25.9:8000/restapi/v1/logs/system_logs -u 'eyJldCI6IjE0NjU1NDQzNjEiLCJwYXNzd29yZCI6Ijc4NmVhZDZlMWQ1NGVkZDQzZWE3YTU0Y2Iz\nNWQzYjNlIiwidXNlciI6ImFkbWluIn0=\n:' -X GET -G -d module_name=LB

Response:

{"value":[{"ID":"56f76bfc4d1495115204049a","Time":"1459055612510","Event_ID":7005,"Message":"[ALERT:7005] Server 10.11.25.117:80 is enabled by out of band monitor. Reason:out of band monitor","Module":"LB","Severity":1},{"ID":"56f76db54d149511520404a3","Time":"1459056053007","Event_ID":7006,"Message":"[ALERT:7006] Server 10.11.25.117:80 is disabled by out of band monitor. Reason: TCP connection timedout error .","Module":"LB","Severity":1},{"ID":"56f76dc54d149511520404a5","Time":"1459056069534","Event_ID":7005,"Message":"[ALERT:7005] Server 10.11.25.117:80 is enabled by out of band monitor. Reason:out of band monitor","Module":"LB","Severity":1},{"ID":"56f76f8a4d149511520404af","Time":"1459056522819","Event_ID":7006,"Message":"[ALERT:7006] Server 10.11.25.117:80 is disabled by out of band monitor. Reason: TCP connection timedout error .","Module":"LB","Severity":1},{"ID":"56f76f944d149511520404b1","Time":"1459056532821","Event_ID":7005,"Message":"[ALERT:7005] Server 10.11.25.117:80 is enabled by out of band monitor. Reason:out of band monitor","Module":"LB","Severity":1},{"ID":"56f777a34d149511520404f8","Time":"1459058595430","Event_ID":7006,"Message":"[ALERT:7006] Server 10.11.25.117:80 is disabled by out of band monitor. Reason: TCP connection timedout error .","Module":"LB","Severity":1},{"ID":"56f777ad4d149511520404fa","Time":"1459058605432","Event_ID":7005,"Message":"[ALERT:7005] Server 10.11.25.117:80 is enabled by out of band monitor. Reason:out of band monitor","Module":"LB","Severity":1}],"metadata":{"header":[{"Severity":{"6":"6-Information","4":"4-Warning","1":"1-Alert","3":"3-Error","0":"0-Emergency","7":"7-Debug","2":"2-Critical","5":"5-Notice"}}]},"token":"eyJldCI6IjE0NjU1NDc0NTEiLCJwYXNzd29yZCI6ImE1MmFhNmRiNGRmNDhmYzg2YmJhMzdiNGYz\nZTYyYzliIiwidXNlciI6ImFkbWluIn0=\n"}

Example 3: Retrieving system logs based on limit and offset filters

curl -X GET --header 'Accept: application/json' -u 'eyJldCI6IjE1MDUyMDM1NDAiLCJwYXNzd29yZCI6ImM5ZjJkOGE4NGUxNGYzMTk3Y2QzMGRiYTdk\nODk3Zjg1IiwidXNlciI6ImFkbWluIn0 =:' 'http://<WAF-IP/PORT>/restapi/v1/logs/system_logs?limit=10&offset=25

Example 4: Retrieving system logs based on the given interval

curl http://<WAF-IP/PORT>/restapi/v1/logs/system_logs?min_time=2015-12-20T23:22:18&max_time=2015-12-21T22:20:19 –X GET –u ”token:”

Note: The time for the filters "min_time" and "max_time" must be specified in the following format - YYYY-MM-DDTHH-MM-SS.

The following table lists the system log parameters:

Parameter name in web interface

Parameter name to be used in the REST API command

Time

timestamp

Module

module_name

ID

bson_oid

Event ID

event_id

Severity

sev_level

Message

log_msg

Limit limit
Offset offset
Minimum Time min_time
Maximum Time max_time

To Retrieve Network Firewall Logs

URL: /v1/logs/

Method: GET

Description: Lists all network firewall logs.

Parameter Name

Data Type

Mandatory

Description

Input Parameters:

 

 

 

parameters

Alphanumeric

Optional

Any specific parameter name that needs to be retrieved.

Example 1: Retrieving all network firewall logs

Request:

curl http://10.11.25.9:8000/restapi/v1/logs/nwfirewall_logs -u 'eyJldCI6IjE0NjU1NDQzNjEiLCJwYXNzd29yZCI6Ijc4NmVhZDZlMWQ1NGVkZDQzZWE3YTU0Y2Iz\nNWQzYjNlIiwidXNlciI6ImFkbWluIn0=\n:' -X GET

Response:

{"value":[{"ID":"5718af7a4d149511670ffd7a","Source_Port":29926,"Time":"1461235578777","Destination_Port":80,"Destination_IP":"99.99.9.101","Source_IP":"1.169.193.215","ACL_Policy":0,"Country":"TW","Protocol":"TCP","ACL_Name":"GeoIP-Pool:abc"},{"ID":"5718b2664d149511670ffd7b","Source_Port":60625,"Time":"1461236326053","Destination_Port":80,"Destination_IP":"99.99.9.101","Source_IP":"103.240.91.7","ACL_Policy":0,"Country":"IN","Protocol":"TCP","ACL_Name":"TOR-Nodes"},{"ID":"5718b3e44d149511670ffd7e","Source_Port":30694,"Time":"1461236708320","Destination_Port":80,"Destination_IP":"99.99.9.101","Source_IP":"1.169.193.215","ACL_Policy":0,"Country":"TW","Protocol":"TCP","ACL_Name":"GeoIP-Pool:abc"},{"ID":"5718b7674d149511670ffd81","Source_Port":27362,"Time":"1461237607188","Destination_Port":80,"Destination_IP":"99.99.9.101","Source_IP":"1.1.160.247","ACL_Policy":0,"Country":"TH","Protocol":"TCP","ACL_Name":"Anonymous-Proxy-or-Satellite-Provider"}],"metadata":{"header":[{"ACL_Policy":{"1":"Allow","0":"Deny"}}]},"token":"eyJldCI6IjE0NjU1NDc1MDAiLCJwYXNzd29yZCI6IjMyOTUzM2E5ZGUwZWIzMWE1YzRjNWUzNGYz\nZTRhNGU3IiwidXNlciI6ImFkbWluIn0=\n"}

Example 2: Retrieving network firewall logs based on a specific filter

Request:

curl http://10.11.25.9:8000/restapi/v1/logs/nwfirewall_logs -u 'eyJldCI6IjE0NjQxMTg5MjgiLCJwYXNzd29yZCI6IjY0N2MxYTZlMGQwMGI5ZTdlN2ZlMDE2MmE1\nNDFiYzEzIiwidXNlciI6ImFkbWluIn0=\n:' -X GET-G -d acl_id=GeoIP-Pool:hello

Response:

{"value":[{"ID":"5718af7a4d149511670ffd7a","Source_Port":18826,"Time":"1461235578777","Destination_Port":80,"Destination_IP":"99.99.9.101","Source_IP":"1.169.193.215","ACL_Policy":0,"Country":"TW","Protocol":"TCP","ACL_Name":"GeoIP-Pool:hello"},{"ID":"5718b2664d149511670ffd7b","Source_Port":60625,"Time":"1461236326053","Destination_Port":80,"Destination_IP":"99.99.9.101","Source_IP":"103.240.91.7","ACL_Policy":0,"Country":"IN","Protocol":"TCP","ACL_Name":"GeoIP-Pool:hello"},{"ID":"5718b3e44d149511670ffd7e","Source_Port":30694,"Time":"1461236708320","Destination_Port":80,"Destination_IP":"99.99.9.101","Source_IP":"1.169.193.215","ACL_Policy":0,"Country":"TW","Protocol":"TCP","ACL_Name":"GeoIP-Pool:hello"},,"metadata":{"header":[{"ACL_Policy":{"1":"Allow","0":"Deny"}}]},"token":"eyJldCI6IjE0NjU1NDc1MDAiLCJwYXNzd29yZCI6IjMyOTUzM2E5ZGUwZWIzMWE1YzRjNWUzNGYz\nZTRhNGU3IiwidXNlciI6ImFkbWluIn0=\n"}

Example 3: Retrieving network firewall logs based on limit and offset filters

curl -X GET --header 'Accept: application/json' -u 'eyJldCI6IjE1MDUyMDM1NDAiLCJwYXNzd29yZCI6ImM5ZjJkOGE4NGUxNGYzMTk3Y2QzMGRiYTdk\nODk3Zjg1IiwidXNlciI6ImFkbWluIn0 =:' 'http://<WAF-IP/PORT>/restapi/v1/logs/nwfirewall_logs?limit=10&offset=25

Example 4: Retrieving network firewall logs based on the given interval

curl http://<WAF-IP/PORT>/restapi/v1/logs/nwfirewall_logs?min_time=2015-12-20T23:22:18&max_time=2015-12-21T22:20:19 –X GET –u ”token:”

Note: The time for the filters "min_time" and "max_time" must be specified in the following format - YYYY-MM-DDTHH-MM-SS.

The following table lists the network firewall log parameters:

Parameter name in web interface

Parameter name to be used in the REST API command

Time

timestamp

ACL Name

acl_id

Source IP

src_ip

Source Port

src_port

Country

country_code

Destination IP

dest_ip

Destination Port

dest_port

ID

bson_oid

Protocol

acl_protocol

ACL Policy

acl_action

Limit limit
Offset offset
Minimum Time min_time
Maximum Time max_time
Last updated on