NGINX App Protect DoS Logs Overview

There are 4 types of logs corresponding to App Protect DoS:

  • Security Log: The general picture of the site and how App Protect DoS processed it, including anomalies and signatures found.
  • Operation Log: Events such as configuration errors or warnings.
  • Debug Logs: Technical messages at different levels of severity used to debug and resolve incidents and error behaviors.
  • Request Logging: F5 NGINX App Protect DoS adds information to each request logged to NGINX’s access logging mechanism.
Note:
NGINX does not have audit logs in the sense of "who did what". This can be done either from the orchestration system controlling NGINX (such as NGINX Controller) or by tracking the configuration files and the systemd invocations using Linux tools.
Type Log Configuration Configuration Contexts File Destination Syslog Destination
Debug Log file name is the redirection in the invocation of the admd command line in the start script Global (not part of nginx.conf) Yes. Log file is in /var/log/adm/admd.log directory. There is currently no file rotation capability available for this log. No
Operation error_log directive, part of core NGINX nginx.conf - global Yes, NGINX error log Yes, NGINX error log
Request NGINX has two directives for the access log:
- access_log - to turn [on|off]
- log_format - to specify the required information regarding each request

NGINX App Protect DoS has several variables that can be added to the log_format directive, such as $app_protect_dos_outcome.

For more information refer to NGINX App Protect DoS Access Log
nginx.conf - global Yes, NGINX access log Yes, NGINX access log
Security NGINX App Protect DoS has two directives in nginx.conf:
- app_protect_dos_security_log_enable to turn logging [on|off]
- app_protect_dos_security_log to set it’s logging configuration and destination

For more information refer:
- Configuration: App Protect DoS - Directives and Policy
- Usage: NGINX App Protect DoS - Security Log
nginx.conf: http, server, location Yes, either stderr, or an absolute path to a local file are supported Yes

Security Log

The security logs contain information about the status of the protected objects. It gives a general picture about each protected object in terms of traffic intensity, health of the backend server, learning and mitigations. For more information refer to NGINX App Protect DoS Security Log documentation.

Operation Log

The operation logs consists of system operational and health events. The events are sent to the NGINX error log and are distinguished by the APP_PROTECT_DOS prefix followed by JSON body. The log level depends on the event: success is usually indicated by notice, while failure is indicated by error. The timestamp is inherent in the error log. For more information refer to App Protect DoS Operation Log documentation.

Request Log

Access log is NGINX’s request log mechanism. It is controlled by two directives.

log_format

This directive determines the format of the log messages using predefined variables. App Protect DoS will enrich this set of variables with several security log attributes that are available to be included in the log_format. If log_format is not specified then the built-in format combined is used but, because that format does not include the extended App Protect DoS variables, this directive must be used when the user wants to add App Protect DoS information to the log.

access_log

This directive determines the destination of the access_log and the name of the format. The default is the file /var/log/nginx/access.log using the combined format. In order to use the custom format that includes the NGINX App Protect DoS variables, use this directive with the name of the desired format.

App Protect DoS Variables

These are the variables added to Access Log. They are a subset of the Security log attributes. The Security log names are prefixed with $app_protect_dos.
For more information refer to NGINX App Protect DoS Access Log

Debug Log - NGINX App Protect DoS

The NGINX App Protect DoS Debug log is used to troubleshoot the functionality of the product.

The path of the log is at a fixed location: /var/log/adm/admd.log.

There are several log levels - error, warning, info and debug. The default is info.

In order to change the log level at run time, the following command can be called:

admd -l DEBUG_LEVEL
Note:
nginx.conf does not refer to the NGINX App Protect DoS debug log configuration neither directly nor indirectly.

NGINX Error log

The NGINX Error log is used to troubleshoot the configuration portion of NGINX App Protect DoS.

The file is called error.log and its path and debug level is determined in nginx.conf by the directive error_log.

For example:

error_log /var/log/nginx/error.log debug;

Last modified August 22, 2024