The following article describes the process of searching for Managed WAF (web application firewall) logs in the Alert Logic console. Managed WAF appliances generate log messages when denying (blocking) web requests. The most common Message Type of Deny Logs is "WSM Deny Log."
You can locate, filter, aggregate, and download Managed WAF logs using functionality in the Alert Logic Search interface. For more information about Search, see the Additional Resources section below.
Solution
- Navigate to the Alert Logic console search functionality at (navigation menu) > Investigate > Search > Search > Simple Mode.
- In the search bar, type "message type" and select the Message Type drop-down option.
- Within the Message Type EXISTS term that appears, type in and select the value "WSM Deny Log." Select the three dots in the term and choose Contains from the list of functions.
The search query should now look like this (sans any additional search fields you've chosen to include):
- Select Search. When your search results surface, select a log message from the results to open its details. Select Open WSM to open a link to its appliance.
Note: There are many fields available that you can add to a search to narrow down your results, such as:
- Appliance
- Website Name
- Website ID
- Source IP
- Risk
- Attack Class
- Violation
- Method
- Page Requested
Ready-To-Use Search Queries
Copy and paste this search query into your Expert Mode text box to search for Managed WAF logs in the Alert Logic console:
SELECT
time_recv AS "Time",
host_name AS "Appliance",
parsed.token_names.website_name AS "Website Name",
parsed.token_names.website_id AS "Website ID",
parsed.token_names.event.source_info.source_ip AS "Source IP",
parsed.token_names.application.application_risk AS "Risk",
parsed.token_names.attack.attack_detail AS "Attack Class",
parsed.token_names.violations AS "Violation",
parsed.token_names.request.type AS "Method",
parsed.token_names.data.data_description AS "Page Requested"
FROM logmsgs
WHERE parsed.rule_name IN [ 'WSM Deny Log', 'WSM Deny Log v2' ]
ORDER BY "Time" DESC
LIMIT 1000
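As an added example (not Alert Logic's code), the script below applies the same filter, field projection, ordering and limit as the Expert Mode query to results already downloaded from Search, then counts denies per source IP and attack class. It assumes the download is JSON that preserves the nested parsed.token_names layout the query references; the sample records are constructed.

```python
# Added example (not Alert Logic code): runs the Expert Mode query's filter, projection,
# ordering and limit locally over exported results (assumed JSON with nested "parsed").
from collections import Counter
from functools import reduce

DENY_RULES = {"WSM Deny Log", "WSM Deny Log v2"}  # the WHERE clause above
# Column alias -> dotted field path, mirroring the SELECT list above.
COLUMNS = {
    "Time": "time_recv",
    "Appliance": "host_name",
    "Website Name": "parsed.token_names.website_name",
    "Website ID": "parsed.token_names.website_id",
    "Source IP": "parsed.token_names.event.source_info.source_ip",
    "Risk": "parsed.token_names.application.application_risk",
    "Attack Class": "parsed.token_names.attack.attack_detail",
    "Violation": "parsed.token_names.violations",
    "Method": "parsed.token_names.request.type",
    "Page Requested": "parsed.token_names.data.data_description",
}

def get_path(record, path):
    """Walk a dotted path through nested dicts; a missing key yields None."""
    return reduce(lambda d, k: d.get(k) if isinstance(d, dict) else None,
                  path.split("."), record)

def search_deny_logs(records, limit=1000):
    """WHERE rule_name IN DENY_RULES, SELECT aliases, ORDER BY Time DESC, LIMIT."""
    denies = [r for r in records if get_path(r, "parsed.rule_name") in DENY_RULES]
    rows = [{alias: get_path(r, p) for alias, p in COLUMNS.items()} for r in denies]
    rows.sort(key=lambda row: row["Time"] or 0, reverse=True)
    return rows[:limit]

def top_sources(rows, n=5):
    """Count denies per (Source IP, Attack Class): the aggregation step, done locally."""
    return Counter((row["Source IP"], row["Attack Class"]) for row in rows).most_common(n)

def deny(ts, ip, attack, page, rule="WSM Deny Log"):
    """Construct one deny record in the assumed exported layout (sample data only)."""
    return {"time_recv": ts, "host_name": "waf-01", "parsed": {"rule_name": rule,
            "token_names": {"website_name": "shop", "website_id": "7",
                            "event": {"source_info": {"source_ip": ip}},
                            "application": {"application_risk": "High"},
                            "attack": {"attack_detail": attack}, "violations": "Signature match",
                            "request": {"type": "GET"}, "data": {"data_description": page}}}}

SAMPLE_LOGS = [  # constructed: three denies (v1 and v2 rule names) plus one non-deny line
    deny(1700000100, "203.0.113.10", "SQL Injection", "/login"),
    deny(1700000200, "203.0.113.10", "SQL Injection", "/search", rule="WSM Deny Log v2"),
    deny(1700000150, "198.51.100.7", "Path Traversal", "/files"),
    {"time_recv": 1700000300, "host_name": "waf-01", "parsed": {"rule_name": "Other"}},
]
```

Running `top_sources(search_deny_logs(SAMPLE_LOGS))` reports the repeat offender 203.0.113.10 with two SQL Injection denies first, the non-deny record having been dropped by the rule-name filter.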
You can also select from the following links to have the searches pre-populated in the Alert Logic console:
Additional Resources
For additional information on Alert Logic search functionality, see the following support resources: