The Deny log window provides access to all denied request to the proxy. Filtering functions allows for specification of fine grained filtering of log information.
The filter function allows you to specify conditions for showing a subset of the log entries. Until reset the filter conditions also apply to the log report.
When the log filter section is not expanded a and current filter criteria is shown on a general level. When filter criteria are defined a will be available at the left of the filter button. When the reset button is pressed the filter criteria will be reset.
When the Filter button is clicked the filter section expands and filter criteria can be specified. Following filter criteria are available:
| ID
Input field |
Number identifying a log entry.
|
| Path
Input field |
Pattern or string specifying filter based on the URL path.
|
| Parameters
Input field |
Filter based on the number of parameters.
|
| IP
Input field |
Source IP address of the originating client
|
| Host
Input field |
Host information from the request blocked.
|
| Date from
Input field |
Filter based on request timestamp. Date from specifies the date of the oldest log records that should be included.
|
| Date to
Input field |
Filter based on request timestamp. Date to specifies the date of the newest log records that should be included. Use Date from and Date to to specify a time interval.
|
| Attack classification
Multiple checkboxes |
Filter based on attack classification.
|
| Policy violation
Multiple checkboxes |
Filter based on policy violation.
|
| Reset
Button |
Resets the filter criteria to default values. |
| Apply
Button |
Applies defined filter to deny log database. |
| Close
Button |
Closes the filter section. |
Displays requests for resources for the selected proxy that were blocked by Web Security Manager.
HTTP headers, URL, parameters and values (if any) that were blocked in the request are highlighted in red color.
Also failed requests are shown in the deny log allowing for identifying broken internal and external links and broken robots not abiding the 404 not found message.
Total number of log entries matching the current filter criteria (if specified) is displayed as . If the total number of records is larger then the selection, use navigation arrows to navigate the log record back and forth.
Details are expandable: Click details icon in the rightmost column to expand.
| Checkbox |
Mark log entry for adding to the access policy. To allow further requests based on the information in the selected log entry/entries, select them and click on the button. Note: parameters that are defined as If adding is not possible the checkbox is inactive. |
| Time |
Date and time the request was logged. |
| Country |
Country the requests originated from. |
| Host |
Hostname from the original request or none if none was present. |
| Risk |
Risk classification of the log entry. Options are:
|
| Source IP |
Source IP the request originated from. Click on IP-address to get whois information. |
| Class |
Attack classification of the log entry. Options are:
|
| Action |
Block action taken on the request. Options are:
|
| URL Path |
The URL path requested. |
| Method
Detail - click details to view. |
Offending method (if any) |
| Violation
Detail - click details to view. |
Shows the general violation description as defined by Web Security Manager. See the list of violations below |
| Resp. status
Detail - click details to view. |
If applicable shows the response status from the backend server like |
| Resp. time
Detail - click details to view. |
The time from Web Security Manager received the request and forwarded it to the backend server until the response is sent to the client from Web Security Manager. |
| Referer
Detail - click details to view. |
The refering source, internal or external, from which the request originated. |
| Header
Detail - click details to view. |
Offending header fields and values (if any). |
| Query
Detail - click details to view. |
Offending parameter names and values (if any). |
| Raw
Detail - click details to view. |
Shows the original request as send by the client. To view it, click on the button. |
To view all entries in the list expanded click the button in the lower button bar.
![[Note]](images/note.png) |
Note |
|---|---|
|
In order not to lock the management interface by returning huge amounts of data a maximum of 500 log entries at a time will be displayed in the interactive log interface. Use the function to download larger lists (or the complete log) for off line analysis and archival purposes. |
| Path unknown | No policy rules allow the path segment of the URL, either because it does not match a positive policy rule or because it matches a negative policy rule - a signature. |
| Path denied | The path is explicitly denied by an URL blocking policy rule. |
| Query unknown | No positive policy rules match the name of the request parameter. |
| Query illegal | No policy rules allow the value of the request parameter, either because it does not match a positive policy rule or because it matches a negative policy rule - a signature. |
| Session validation failed | The request session ID is not valid, either because the session token has been tampered with or hijacked. |
| Form validation failed | The form submitted cannot be verified as having been issued by the web application in a response to a request from the current user session. This is an indication of a CSRF attack. |
| Session expired | The request session has exceeded the idle expiration threshold configured in Web Security Manager for the web application. |
| Malformed XML | Submitted XML request is malformed and hence cannot be parsed and validated. |
| Multiple or %u encoded request | The request contains elements that are encoded more than twice or it contains elements that are encoded using %u-encoding. |
| Authorization failed | User is not authorized to access requested resource. |
| Header unknown | Request header not RFC 2616 compliant. |
| Header illegal | Header value failed strict validation. |
| Header validation failed | Header value failed pragmatic validation. |
| Output illegal | Server response contains illegal string. |
| Generic protocol violation | Protocol violations like missing content length or content type headers for POST requests. |
| HTTP Protocol version | HTTP protocol version not allowed. |
| Method illegal | HTTP method not allowed. |
| Missing hostname | Request does not specify host name. |
| Invalid hostname | Not website proxy is configured for the requested host name. |
| Request line maximum length | Entire request line (URI?query) exceeds allowed maximum length. |
| Request path maximum length | Request path exceeds allowed maximum length. |
| Query string maximum length | Request query exceeds allowed maximum length. |
| Content type not enabled | Request content type is supported but not enabled. |
| Header name length | Header name exceeds allowed maximum length. |
| Header value length | Header value exceeds allowed maximum length. |
| Maximum number of headers | Header number exceeds allowed maximum. |
| Upload attempt | Upload attempted but upload not allowed. |
| Payload length exceeded | POST payload exceeds allowed maximum size. |
| Maximum number of upload files | Number of files to upload in a request exceeds allowed maximum. |
| Total upload size | Total size of upload files in request exceeds allowed maximum. |
| Maximum file size | Size of a single upload file exceeds allowed maximum. |
| Cookie version not allowed | Request cookie version not allowed. |
| Maximum number of cookies | Number of cookies in request exceeds allowed maximum. |
| Cookie name length | Name of a cookie exceeds allowed maximum length. |
| Cookie value length | Value of a cookie exceeds allowed maximum length. |
| Maximum number of GET parameters | GET parameter number exceeds allowed maximum. |
| GET parameter name length | GET parameter name exceeds allowed maximum length. |
| GET parameter value length | GET parameter value exceeds allowed maximum length. |
| GET parameter combined length | Combined length of GET parameter name and value exceeds allowed maximum length. |
| Maximum number of POST parameters | POST parameter number exceeds allowed maximum. |
| POST parameter name length | POST parameter name exceeds allowed maximum length. |
| POST parameter value length | POST parameter value exceeds allowed maximum length. |
| POST parameter combined length | Combined length of POST parameter name and value exceeds allowed maximum length. |
| General request violation | Other generic violations. |
The lower button bar contains the following buttons.
| Flush log
Button |
Use with caution! When clicking this button and accepting the confirm pop-up window. All log data for that proxy will be deleted! |
| Log report
Button |
Generate a printable report based on defined filter criteria (if any). |
| Add selected to ACL
Button |
Adds selected log records to access policy. |
When access logging is enabled all requests to the website is logged.
The access log is generated on a per day basis. The current log can be monitored and viewed and closed logs are made available for download.
The fields displayed depends on the selected access log format.
When log files are available for download the filename is an active link. To download an access log file click on the filename.
When remote backup is enabled, the latest access log file made available for download will be compressed (using gzip) and copied to the remote backup destination along with the backup of the system configuration.
Several log file formats are available. A condensed Web Security Manager specific and some standardized formats, like NCSA Combined (Apache Combined), suitable for importing into log analysis and report generation tools.
See Access Log formats for log format definitions.