NGINX App Protect WAF Operation Log
Overview
The operation logs consist of system operational and health events. The events are sent to the NGINX error log and are distinguished by the APP_PROTECT prefix followed by a JSON body. The log level depends on the event: success is usually Notice while failure is Error. The timestamp is inherent in the error log.
Events
Event Type | Level | Meaning |
---|---|---|
App Protect Connected | Notice | A worker successfully connected to NGINX App Protect WAF Enforcer. The mode attribute should be operational unless there is an ongoing problem. |
{
  "event": "waf_connected",
  "bd_thread_id": 3,
  "worker_pid": 4928,
  "mode": "operational",
  "mode_changed": true
}
Event Type | Level | Meaning |
---|---|---|
App Protect Connection Failure | Error | A worker attempted to connect to F5 NGINX App Protect WAF but the operation failed. The mode should be failure. |
{
  "event": "waf_connection_failure",
  "bd_thread_id": 3,
  "worker_pid": 4928,
  "mode": "failure",
  "mode_changed": true
}
Event Type | Level | Meaning |
---|---|---|
App Protect Disconnected | Error | Engine disconnected from Worker (socket closed). The mode should be failure. |
{
  "event": "waf_disconnected",
  "bd_thread_id": 3,
  "worker_pid": 4928,
  "mode": "failure",
  "mode_changed": true
}
Event Type | Level | Meaning |
---|---|---|
App Protect Resource Exception | Warning | A resource, as measured by the Worker, exceeded its limits (above the high threshold). The mode should be failure. The Worker may already have been in this mode because other resources had exceeded their limits. |
{
  "event": "waf_resource_exception",
  "bd_thread_id": 3,
  "worker_pid": 4928,
  "mode": "failure",
  "mode_changed": true,
  "resource": "cpu",
  "value": 98,
  "threshold": 95
}
Event Type | Level | Meaning |
---|---|---|
App Protect Resource Reverted to Normal | Warning | A resource, as measured by the Worker, went back to its normal range (below the low threshold). The mode should be operational, unless other resources are still out of limits. |
{
  "event": "waf_resource_revert",
  "bd_thread_id": 3,
  "worker_pid": 4928,
  "mode": "operational",
  "mode_changed": true,
  "resource": "cpu",
  "value": 88,
  "threshold": 90
}
Event Type | Level | Meaning |
---|---|---|
Configuration Error | Error | There were errors in the AppProtect directives in the nginx.conf file. This event is issued only if the directive was spelled correctly; otherwise NGINX core issues an error. This event occurs before configuration_load_start and means there will be no configuration load. This event is generated only on configuration reload. It cannot be generated on first configuration as there is no error log configured yet. |
{
  "event": "configuration_error",
  "error_message": "unknown argument",
  "line_number": 58
}
Event Type | Level | Meaning |
---|---|---|
Configuration Load Start | Notice | The App Protect configuration load process started. The configuration consists of all the policies, security log configurations and global settings. These are all part of the config set file generated by the module and passed to the Policy Compiler. The path to this file is included in the event message. This event is generated only on configuration reload. It cannot be generated on first configuration as there is no error log configured yet. |
{
  "event": "configuration_load_start",
  "configSetFile": "/opt/app_protect/share/config_set.json"
}
Event Type | Level | Meaning |
---|---|---|
Configuration Load Failure | Error | There was an error in one of the configuration files: file not found, failed to compile, or the configuration failed to load to the engine. |
{
  "error_message": "Failed to import Policy 'policy1' from '/etc/app_protect/conf/policy_1.json': Could not parse/validate the Policy Bot Signature. Invalid value 'ignoree' for field 'action'.",
  "completed_successfully": false,
  "componentVersions": {
    "wafNginxVersion": "4.2.0",
    "wafEngineVersion": "10.179.0"
  },
  "softwareVersion": "4.0.0",
  "event": "configuration_load_failure",
  "error_line_number": 29
}
Event Type | Level | Meaning |
---|---|---|
Configuration Load Success | Notice | The WAF configuration process ended successfully: all policies, log configuration and global settings were loaded to NGINX App Protect WAF and all traffic will be handled by this configuration. The “error_message” contains warnings. This event is also generated on the initial configuration (when NGINX starts). It also includes the signature update version, which reflects the date the package was released, and the exact revision time in datetime format including the time of day, which makes it compatible with the revision date and time in the WAF policy signature-requirements element. |
{
  "completed_successfully": true,
  "event": "configuration_load_success",
  "attack_signatures_package": {
    "version": "2022.11.16",
    "revision_datetime": "2022-11-16T11:22:27Z"
  },
  "threat_campaigns_package": {
    "version": "2022.11.15",
    "revision_datetime": "2022-11-15T10:01:20Z"
  },
  "softwareVersion": "4.0.0",
  "componentVersions": {
    "wafEngineVersion": "10.179.0",
    "wafNginxVersion": "4.2.0"
  }
}
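The following monitoring sketch is an added example, not code from F5 or NGINX: it pulls the APP_PROTECT JSON bodies out of error-log text, tracks the last reported mode for each worker, and reports workers that entered failure mode as well as configuration errors. The error-log line layout in the sample, the function names `parse_events` and `summarize`, and the sample lines themselves are assumptions constructed for illustration; only the event fields come from this page.

```python
import json

# Constructed sample: the error-log prefix layout (timestamp, level, pid#tid) is
# an assumption; the JSON bodies follow the event shapes documented above.
SAMPLE_LOG = """\
2024/08/22 10:00:01 [notice] 4928#4928: APP_PROTECT { "event": "waf_connected", "bd_thread_id": 3, "worker_pid": 4928, "mode": "operational", "mode_changed": true }
2024/08/22 10:00:02 [notice] 4929#4929: APP_PROTECT { "event": "waf_connected", "bd_thread_id": 4, "worker_pid": 4929, "mode": "operational", "mode_changed": true }
2024/08/22 10:05:00 [warn] 4928#4928: APP_PROTECT { "event": "waf_resource_exception", "bd_thread_id": 3, "worker_pid": 4928, "mode": "failure", "mode_changed": true, "resource": "cpu", "value": 98, "threshold": 95 }
2024/08/22 10:05:30 [error] 4929#4929: *17 open() "/usr/share/nginx/html/x" failed (2: No such file or directory)
2024/08/22 10:06:00 [error] 4901#4901: APP_PROTECT { "event": "configuration_load_failure", "error_message": "constructed message", "completed_successfully": false, "error_line_number": 29 }
2024/08/22 10:07:00 [error] 4929#4929: APP_PROTECT { "event": "waf_disconnected", "bd_thr
"""

PREFIX = "APP_PROTECT"
_DECODER = json.JSONDecoder()


def parse_events(text):
    """Yield (line_number, event) for every line carrying a well-formed APP_PROTECT JSON body."""
    for number, line in enumerate(text.splitlines(), 1):
        start = line.find("{", line.find(PREFIX)) if PREFIX in line else -1
        if start < 0:
            continue  # ordinary nginx error-log line without an APP_PROTECT body
        try:
            event, _ = _DECODER.raw_decode(line, start)  # tolerates text after the JSON
        except json.JSONDecodeError:
            continue  # truncated or corrupted body
        if isinstance(event, dict) and "event" in event:
            yield number, event


def summarize(text):
    """Return (worker pids whose last reported mode is failure, list of findings)."""
    last_mode, findings = {}, []
    for number, event in parse_events(text):
        name = event["event"]
        if "worker_pid" in event and "mode" in event:
            pid = event["worker_pid"]
            if event["mode"] == "failure" and last_mode.get(pid) != "failure":
                cause = event.get("resource", name)
                findings.append((number, f"worker {pid} entered failure mode ({cause})"))
            last_mode[pid] = event["mode"]
        elif name in ("configuration_error", "configuration_load_failure"):
            findings.append((number, f"{name}: {event.get('error_message', '')}"))
    failed = sorted(pid for pid, mode in last_mode.items() if mode == "failure")
    return failed, findings


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A worker stays in the failed list until a later event reports it as operational again, so the same function can be rerun over a growing log to see whether a failure has cleared.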
Last modified August 22, 2024