NGINX App Protect DoS Security Log
Security logs contain information about the status of the protected objects. They give a general picture of each protected object in terms of traffic intensity, health of the backend server, learning and mitigations.
There are several types of logs. Each contains different information and is published either periodically or upon an important event.
The following table lists all the possible fields in the logs and their meaning.
| Field | Type | Meaning | 
|---|---|---|
| date_time | string | the date and time of the event | 
| product | string | always set to app-protect-dos | 
| product_version | string | F5 NGINX App Protect DoS version | 
| unit_hostname | string | host name of the app-protect-dos instance | 
| instance_id | string | instance ID: container id from /proc/self/cgroup or hostname if container is not available | 
| vs_name | string | A unique identifier (representing the protected object’s name) of the location in the nginx.conf file that this request is associated with. It contains the line number of the containing server block in nginx.conf, the server name, a numeric discriminator that distinguishes between multiple entries within the same server, and the location name. For example: 34-mydomain.com:0-~/.*php(2). | 
| dos_attack_id | integer | unique attack IP per unit_hostname | 
| attack_event | string | Event name as it appears in remote logger. | 
| stress_level | float | a number from 0 to … that reflects stress level. | 
| learning_confidence | string | the possible values are not ready/bad actors only/ready | 
| baseline_dps | integer | learned datagrams per second (DPS) | 
| incoming_dps | integer | current datagrams per second (DPS) | 
| incoming_rps | integer | current RPS (requests per second) | 
| successful_tps | integer | successful TPS (successful requests per second - Any RC but 5xx) | 
| allowlist_rps | integer | allowlist requests per second | 
| unsuccessful_rps | integer | unsuccessful requests per second (passed to server and not responded: reset / timeout / 5xx) | 
| incoming_datagrams | integer | incremental number of incoming datagrams | 
| incoming_requests | integer | incremental number of incoming requests | 
| allowlist_requests | integer | incremental number of allowlist requests | 
| successful_responses | integer | incremental number of successful responses | 
| unsuccessful_requests | integer | incremental number of unsuccessful requests (passed to server and not responded: reset / timeout / 5xx) | 
| active_connections | integer | current number of active server connections | 
| threshold_dps | float | global rate DPS threshold | 
| threshold_conns | float | active connections threshold | 
| mitigated_bad_actors | integer | incremental number of mitigated bad actors. Increments upon any type of bad actors mitigations. | 
| redirect_bad_actor | integer | incremental number of http redirections sent to detected bad actors | 
| challenge_bad_actor | integer | incremental number of JS challenges sent to detected bad actors | 
| block_bad_actor | integer | incremental number of blocked bad actors | 
| mitigated_by_signatures | integer | incremental number of requests mitigated by signatures. Increments upon any type of signatures mitigations. | 
| redirect_signature | integer | incremental number of http redirections sent to clients when requests match a signature. | 
| challenge_signature | integer | incremental number of JS challenges sent to clients when requests match a signature. | 
| block_signature | integer | incremental number of blocked requests when requests match a signature. | 
| mitigated_by_global_rate | integer | incremental number of requests mitigated by global_rate. Increments upon any type of global rate mitigations. | 
| redirect_global | integer | incremental number of http redirections sent to clients upon global rate mitigation. | 
| challenge_global | integer | incremental number of JS challenges sent to clients upon global rate mitigation. | 
| block_global | integer | incremental number of blocked requests upon global rate mitigation. | 
| mitigated_slow | integer | incremental number of mitigated slow requests. Increments upon any type of slow requests mitigations. | 
| redirect_slow | integer | incremental number of http redirections sent to clients upon slow request mitigation. | 
| challenge_slow | integer | incremental number of JS challenges sent to clients upon slow request mitigation. | 
| block_slow | integer | incremental number of blocked slow requests. | 
| mitigated_connections | integer | incremental number of mitigated by connections mitigation | 
| mitigated_bad_actors_l4 | integer | incremental number of mitigated by L4 accelerated mitigation | 
| mitigated_bad_actors_rps | integer | mitigated_bad_actors rps. Includes any type of bad actors mitigations. | 
| redirect_bad_actor_rps | integer | http redirections per second sent to detected bad actors. | 
| challenge_bad_actor_rps | integer | JS challenges per second sent to detected bad actors. | 
| block_bad_actor_rps | integer | blocked bad actors per second. | 
| mitigated_by_signatures_rps | integer | mitigated_signatures rps. Includes any type of signatures mitigations. | 
| redirect_signature_rps | integer | http redirections sent per second to clients when requests match a signature. | 
| challenge_signature_rps | integer | JS challenges per second sent to clients when requests match a signature. | 
| block_signature_rps | integer | blocked requests per second when requests match a signature. | 
| mitigated_slow_rps | integer | mitigated slow requests per second. Includes any type of slow requests mitigations. | 
| redirect_slow_rps | integer | http redirections per second sent to clients upon slow request mitigation. | 
| challenge_slow_rps | integer | JS challenges per second sent to clients upon slow request mitigation. | 
| block_slow_rps | integer | blocked slow requests per second. | 
| mitigated_by_global_rate_rps | integer | mitigated_global_rate rps. Includes any type of global rate mitigations. | 
| redirect_global_rps | integer | http redirections per second sent to clients upon global rate mitigation. | 
| challenge_global_rps | integer | JS challenges per second sent to clients upon global rate mitigation. | 
| block_global_rps | integer | blocked requests per second upon global rate mitigation. | 
| mitigated_bad_actors_l4_rps | integer | blocked requests per second when mitigated by L4 accelerated mitigation | 
| mitigated_connections_rps | integer | mitigated_connections rps | 
| source_ip | string | IP address of the detected bad actor, for example 1.1.1.1 | 
| tls_fp | string | TLS fingerprint of the bad actor | 
| impact_rps | integer | RPS created by the bad actor at the time of the detection (to be calculated as a max hitcount in AMT / 10) | 
| new_bad_actors_detected | integer | the number of newly detected bad actors | 
| bad_actors | integer | the number of bad actors | 
| signature | string | signature string, for example http.request.method eq GET and http.uri_parameters eq 6 | 
| signature_id | integer | unique signature ID per unit_host | 
| signature_efficiency | float | estimated efficiency upon signature detection: percentage of bad traffic covered by the signature | 
| signature_accuracy | float | estimated accuracy upon signature detection: percentage of learned good traffic NOT covered by the signature | 
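
The following Python code is an added example, not part of the product documentation. It parses records in the key="value" form used by this log and pairs "Attack started" with "Attack ended" events to derive attack duration and per-attack totals from the incremental counters. It assumes the date format shown in this page's examples and that a counter going backwards means it was reset; the function names are hypothetical.

```python
import re
from datetime import datetime

PAIR = re.compile(r'(\w+)="([^"]*)"')
# Incremental (cumulative) counters from the field table; the difference
# between two records is the activity inside that window.
COUNTERS = ("incoming_requests", "mitigated_bad_actors", "mitigated_by_signatures",
            "mitigated_by_global_rate", "mitigated_bad_actors_l4")

def parse_record(text):
    """Parse one record of key="value" pairs into a dict with a typed date_time."""
    rec = dict(PAIR.findall(text))
    if rec.get("product") != "app-protect-dos" or "date_time" not in rec:
        raise ValueError("not an app-protect-dos security log record")
    rec["date_time"] = datetime.strptime(rec["date_time"], "%b %d %Y %H:%M:%S")
    return rec

def summarize_attacks(records):
    """Pair start/end events per (unit_hostname, vs_name, dos_attack_id)."""
    open_attacks, done = {}, []
    for rec in sorted(records, key=lambda r: r["date_time"]):
        key = (rec["unit_hostname"], rec["vs_name"], rec["dos_attack_id"])
        event = rec.get("attack_event", "").lower()
        if event == "attack started":
            open_attacks[key] = rec
        elif event == "attack ended" and key in open_attacks:
            start = open_attacks.pop(key)
            elapsed = rec["date_time"] - start["date_time"]
            summary = {"vs_name": rec["vs_name"], "dos_attack_id": rec["dos_attack_id"],
                       "duration_s": int(elapsed.total_seconds())}
            for c in COUNTERS:
                # Assumption: a negative delta means the counter was reset; report None.
                delta = int(rec.get(c, 0)) - int(start.get(c, 0))
                summary[c] = delta if delta >= 0 else None
            done.append(summary)
    return done, list(open_attacks.values())  # second item: attacks with no end seen

# Constructed sample: the first two records are abbreviated from this page's
# "Attack started" / "Attack ended" examples; the third is invented.
_HDR = 'product="app-protect-dos", unit_hostname="localhost.localdomain", vs_name="example.com/", '
SAMPLE = [
    _HDR + 'date_time="Oct 05 2021 08:01:00", dos_attack_id="1", attack_event="Attack started", '
           'incoming_requests="8576", mitigated_by_signatures="0", mitigated_bad_actors_l4="0"',
    _HDR + 'date_time="Oct 05 2021 08:06:21", dos_attack_id="1", attack_event="Attack ended", '
           'incoming_requests="226566", mitigated_bad_actors="94488", '
           'mitigated_by_signatures="117361", mitigated_by_global_rate="2861", '
           'mitigated_bad_actors_l4="62788"',
    _HDR + 'date_time="Oct 05 2021 09:00:00", dos_attack_id="2", attack_event="Attack started", '
           'incoming_requests="300000"',
]
```

Calling `summarize_attacks([parse_record(r) for r in SAMPLE])` returns the completed attacks and the list of attacks that have started but not yet ended, which is a useful input for alerting on long-running attacks.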
Reports about the start and end of an attack, as well as major parameters of ongoing attacks.
a. Example: Attack Started
date_time="Oct 05 2021 08:01:00",
product="app-protect-dos",
product_version="25+1.78.0-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="129c76",
vs_name="example.com/",
dos_attack_id="1",
attack_event="Attack started",
stress_level="1.00",
learning_confidence="Ready",
baseline_dps="17",
incoming_dps="181",
incoming_rps="181",
successful_tps="0",
allowlist_rps="0",
unsuccessful_rps="0",
incoming_datagrams="8576",
incoming_requests="8576",
allowlist_requests="162",
successful_responses="5265",
unsuccessful_requests="0",
active_connections="58",
threshold_dps="41.60",
threshold_conns="41.60",
mitigated_bad_actors="0",
mitigated_by_signatures="0",
mitigated_by_global_rate="0",
mitigated_bad_actors_l4="0",
mitigated_slow="0",
redirect_global="0",
redirect_bad_actor="0",
redirect_signature="0",
redirect_slow="0",
challenge_global="0",
challenge_bad_actor="0",
challenge_signature="0",
challenge_slow="0",
block_global="0",
block_bad_actor="0",
block_signature="0",
block_slow="0",
mitigated_connections="0",
mitigated_bad_actors_rps="0",
mitigated_by_signatures_rps="0",
mitigated_by_global_rate_rps="0",
mitigated_bad_actors_l4_rps="0",
mitigated_slow_rps="0",
redirect_global_rps="0",
redirect_bad_actor_rps="0",
redirect_signature_rps="0",
redirect_slow_rps="0",
challenge_global_rps="0",
challenge_bad_actor_rps="0",
challenge_signature_rps="0",
challenge_slow_rps="0",
block_global_rps="0",
block_bad_actor_rps="0",
block_signature_rps="0",
block_slow_rps="0",
mitigated_connections_rps="0",

b. Example: Attack Ended
date_time="Oct 05 2021 08:06:21",
product="app-protect-dos",
product_version="25+1.78.0-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="129c76",
vs_name="example.com/",
dos_attack_id="1",
attack_event="Attack ended",
stress_level="0.50",
learning_confidence="Ready",
baseline_dps="12",
incoming_dps="0",
incoming_rps="0",
successful_tps="0",
allowlist_rps="0",
unsuccessful_rps="0",
incoming_datagrams="226566",
incoming_requests="226566",
allowlist_requests="1632",
successful_responses="7760",
unsuccessful_requests="0",
active_connections="0",
threshold_dps="2121.60",
threshold_conns="2121.60",
mitigated_bad_actors="94488",
mitigated_by_signatures="117361",
mitigated_by_global_rate="2861",
mitigated_bad_actors_l4="62788",
mitigated_slow="0",
redirect_global="2861",
redirect_bad_actor="94488",
redirect_signature="117361",
redirect_slow="0",
challenge_global="0",
challenge_bad_actor="0",
challenge_signature="0",
challenge_slow="0",
block_global="0",
block_bad_actor="0",
block_signature="0",
block_slow="0",
mitigated_connections="0",
mitigated_bad_actors_rps="0",
mitigated_by_signatures_rps="0",
mitigated_by_global_rate_rps="0",
mitigated_bad_actors_l4_rps="0",
mitigated_slow_rps="0",
redirect_global_rps="0",
redirect_bad_actor_rps="0",
redirect_signature_rps="0",
redirect_slow_rps="0",
challenge_global_rps="0",
challenge_bad_actor_rps="0",
challenge_signature_rps="0",
challenge_slow_rps="0",
block_global_rps="0",
block_bad_actor_rps="0",
block_signature_rps="0",
block_slow_rps="0",
mitigated_connections_rps="0",

Reported periodically, providing aggregated statistics per protected object.
This corresponds to the metrics reported on the main Grafana screen.
a. Example: No Attack
date_time="Oct 05 2021 07:54:29",
product="app-protect-dos",
product_version="25+1.78.0-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="129c76",
vs_name="example.com/",
dos_attack_id="0",
attack_event="No Attack",
stress_level="0.50",
learning_confidence="Not ready",
baseline_dps="19",
incoming_dps="9",
incoming_rps="9",
successful_tps="10",
allowlist_rps="1",
unsuccessful_rps="0",
incoming_datagrams="678",
incoming_requests="678",
allowlist_requests="52",
successful_responses="678",
unsuccessful_requests="0",
active_connections="0",
threshold_dps="2121.60",
threshold_conns="2121.60",
mitigated_bad_actors="0",
mitigated_by_signatures="0",
mitigated_by_global_rate="0",
mitigated_bad_actors_l4="0",
mitigated_slow="0",
redirect_global="0",
redirect_bad_actor="0",
redirect_signature="0",
redirect_slow="0",
challenge_global="0",
challenge_bad_actor="0",
challenge_signature="0",
challenge_slow="0",
block_global="0",
block_bad_actor="0",
block_signature="0",
block_slow="0",
mitigated_connections="0",
mitigated_bad_actors_rps="0",
mitigated_by_signatures_rps="0",
mitigated_by_global_rate_rps="0",
mitigated_bad_actors_l4_rps="0",
mitigated_slow_rps="0",
redirect_global_rps="0",
redirect_bad_actor_rps="0",
redirect_signature_rps="0",
redirect_slow_rps="0",
challenge_global_rps="0",
challenge_bad_actor_rps="0",
challenge_signature_rps="0",
challenge_slow_rps="0",
block_global_rps="0",
block_bad_actor_rps="0",
block_signature_rps="0",
block_slow_rps="0",
mitigated_connections_rps="0",

b. Example: Under Attack
date_time="Oct 05 2021 08:02:35",
product="app-protect-dos",
product_version="25+1.78.0-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="129c76",
vs_name="example.com/",
dos_attack_id="1",
attack_event="Under Attack",
stress_level="0.50",
learning_confidence="Ready",
baseline_dps="12",
incoming_dps="893",
incoming_rps="893",
successful_tps="12",
allowlist_rps="1",
unsuccessful_rps="0",
incoming_datagrams="87823",
incoming_requests="87823",
allowlist_requests="1523",
successful_responses="5736",
unsuccessful_requests="0",
active_connections="1",
threshold_dps="92.40",
threshold_conns="92.40",
mitigated_bad_actors="0",
mitigated_by_signatures="75137",
mitigated_by_global_rate="2861",
mitigated_bad_actors_l4="62788",
mitigated_slow="0",
redirect_global="2861",
redirect_bad_actor="0",
redirect_signature="75137",
redirect_slow="0",
challenge_global="0",
challenge_bad_actor="0",
challenge_signature="0",
challenge_slow="0",
block_global="0",
block_bad_actor="0",
block_signature="0",
block_slow="0",
mitigated_connections="0",
mitigated_bad_actors_rps="0",
mitigated_by_signatures_rps="879",
mitigated_by_global_rate_rps="0",
mitigated_bad_actors_l4_rps="0",
mitigated_slow_rps="0",
redirect_global_rps="0",
redirect_bad_actor_rps="0",
redirect_signature_rps="879",
redirect_slow_rps="0",
challenge_global_rps="0",
challenge_bad_actor_rps="0",
challenge_signature_rps="0",
challenge_slow_rps="0",
block_global_rps="0",
block_bad_actor_rps="0",
block_signature_rps="0",
block_slow_rps="0",
mitigated_connections_rps="0",

Reports NGINX App Protect DoS decisions regarding bad actors.
a. Example: Bad Actor Detection
date_time="Apr 29 2021 14:03:01",
product="app-protect-dos",
product_version="23+1.54.1-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="d9a6d8",
vs_name="example.com/",
dos_attack_id="1",
attack_event="Bad actor detection",
source_ip="5.5.5.9",
impact_rps="30",

b. Example: Bad Actor Expired
date_time="Apr 29 2021 14:05:29",
product="app-protect-dos",
product_version="23+1.54.1-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="d9a6d8",
vs_name="example.com/",
dos_attack_id="0",
attack_event="Bad actor expired",
source_ip="5.5.5.10",
impact_rps="12",

Reports NGINX App Protect DoS decisions regarding signatures.
Example: Attack Signature Detected
date_time="Apr 29 2021 14:02:56",
product="app-protect-dos",
product_version="23+1.54.1-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="d9a6d8",
vs_name="example.com/",
dos_attack_id="1",
attack_event="Attack signature detected",
signature="(http.user_agent_header_exists eq true) and (http.accept contains other-than(application|audio|message|text|image|multipart)) and (http.unknown_header_exists eq true) and (http.headers_count neq 10) and (http.x_forwarded_for_header_exists eq false) and (http.uri_parameters eq 1) and (http.uri_len between 48-63) and (http.accept_header_exists eq true) and (http.hdrorder not-hashes-to 55) and (http.connection_header_exists eq true) and (http.accept_encoding_header_exists eq true) and (http.request.method eq reserved) and (http.cookie_header_exists eq true) and (http.uri_file hashes-to 7) and (http.host_header_exists eq true)",
signature_id="809655398",
signature_efficiency="72.00",
signature_accuracy="100.00",

Provides detailed information about bad actors.
Example: Bad Actors Detected
date_time="Apr 29 2021 14:02:00",
product="app-protect-dos",
product_version="23+1.54.1-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="d9a6d8",
vs_name="example.com/",
dos_attack_id="1",
attack_event="Bad actors detected",
new_bad_actors_detected="2",
bad_actors="2",

The file is in JSON format.
| Element | Description | Type/Values | Default | 
|---|---|---|---|
| traffic-mitigation-stats | This filter element refers to Traffic/Mitigation summary stats. | Enumerated values: all, none | all | 
| bad-actors | This filter element refers to Bad actor detection/expiration, every 10 seconds. | Enumerated values: all, none, top N | top 10 | 
| attack-signatures | This filter element refers to Attack Signatures, every 10 seconds. | Enumerated values: all, none, top N | top 10 | 
Example:
{
    "filter": {
        "traffic-mitigation-stats": "all",
        "bad-actors": "top 100",
        "attack-signatures": "top 100"
    }
}