Troubleshooting

Security event log backup with Security Monitoring

Description

If the Security Monitoring module doesn’t receive a security violation event, the attack data is lost.

Resolution

F5 WAF for NGINX supports logging to multiple destinations. You can send logs to NGINX Agent and keep a backup. If Security Monitoring doesn’t receive security events, check the backup log to verify attack details. Use the following settings to turn on backup logging:

  1. For an instance with Security Monitoring only:

    app_protect_policy_file "/etc/app_protect/conf/NginxDefaultPolicy.json";
    app_protect_security_log_enable on;
    app_protect_security_log "/etc/app_protect/conf/log_sm.json" syslog:server=127.0.0.1:514;
    app_protect_security_log "/etc/app_protect/conf/log_sm.json" <Path to store log file>;
    # Example: app_protect_security_log "/etc/app_protect/conf/log_sm.json" /var/log/app_protect/security.log;

  2. For an instance with Security Monitoring and NGINX Instance Manager:

    app_protect_policy_file "/etc/nms/NginxDefaultPolicy.tgz";
    app_protect_security_log_enable on;
    app_protect_security_log "/etc/nms/secops_dashboard.tgz" syslog:server=127.0.0.1:514;
    app_protect_security_log "/etc/nms/secops_dashboard.tgz" <Path to store log file>;
    # Example: app_protect_security_log "/etc/nms/secops_dashboard.tgz" /var/log/app_protect/security.log;
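
One way to check that a configuration actually has the backup destination described above, as an added example (not code from F5 or this page). It assumes all directives in the text belong to one context and that file destinations are absolute paths; `missing_backup` and the sample configurations are hypothetical names and constructed input.

```python
import re
import sys
from collections import defaultdict

# Matches: app_protect_security_log "<log profile>" <destination>;
DIRECTIVE = re.compile(
    r'^\s*app_protect_security_log\s+"?([^"\s;]+)"?\s+([^;\s]+)\s*;')

def missing_backup(conf_text):
    """Return log profiles sent to syslog that have no file destination."""
    kinds = defaultdict(set)
    for line in conf_text.splitlines():
        code = line.split("#", 1)[0]  # ignore comments, including commented-out examples
        m = DIRECTIVE.match(code)
        if not m:
            continue  # other directives, or an unfilled <Path ...> placeholder
        profile, dest = m.groups()
        if dest.startswith("syslog:"):
            kinds[profile].add("syslog")
        elif dest.startswith("/"):  # assumption: file destinations are absolute paths
            kinds[profile].add("file")
    return sorted(p for p, k in kinds.items()
                  if "syslog" in k and "file" not in k)

# Constructed sample: syslog destination only, backup line still commented out.
SYSLOG_ONLY = '''
app_protect_policy_file "/etc/app_protect/conf/NginxDefaultPolicy.json";
app_protect_security_log_enable on;
app_protect_security_log "/etc/app_protect/conf/log_sm.json" syslog:server=127.0.0.1:514;
# Example: app_protect_security_log "/etc/app_protect/conf/log_sm.json" /var/log/app_protect/security.log;
'''

# Constructed sample: the same configuration with the backup file destination added.
WITH_BACKUP = SYSLOG_ONLY + (
    'app_protect_security_log "/etc/app_protect/conf/log_sm.json" '
    '/var/log/app_protect/security.log;\n')

if __name__ == "__main__":
    # Pass a configuration file path, or run without arguments to use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SYSLOG_ONLY
    for profile in missing_backup(text):
        print(f"no backup file destination for log profile {profile}")
```

A log profile is reported when its only destination is syslog, which includes the case where the `<Path to store log file>` placeholder was never replaced.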

How to get support

If you need more help, see the following topics: