    Incident Log Format

    If incident logging is enabled, all incidents at or above the configured incident severity level are sent to syslog in mws-security-alert.log. Every entry carries the following common names:

    • MKS_Category - always has the value "Security Incident" when logging security incidents
    • MKS_Type - a textual name for the type of incident
    • MKS_Severity - an integer between 0 and 4 giving the severity of the incident (0 being lowest, 4 being highest)
    • MKS_ProfileName - the name of the hacker profile that caused the incident (also visible in the security monitor)
    • MKS_SrcIP - the IP address of the hacker who caused the incident
    • MKS_pubkey - a textual key unique to that hacker profile (also visible in the security monitor)
    • MKS_useragent - the full user agent string of the browser or other program used by the hacker
    • MKS_url - the URL of the request that caused the incident
    • MKS_count - the number of times this hacker has caused this same incident

    The common names are followed by any incident-specific contextual values tracked with the incident; these vary by incident type. For example, a Query Parameter Manipulation incident includes the parameter that was changed along with its actual and expected values. Here is a sample log entry:

    Apr 6 20:58:36 vm1 [INFO][mws-security-alert][Thread-49927] MKS_Category="Security Incident" MKS_Type="Query Parameter Manipulation" MKS_Severity="2" MKS_ProfileName="Luis 9605" MKS_SrcIP="10.10.10.130" MKS_pubkey="fkrvpvFNhwoWRgaQiUxS" MKS_useragent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19" MKS_url="http://www2.testsite.com:80/basket/?action=listing id=3" MKS_count="1" MKS_actual="2568" MKS_expected="25304" MKS_param="n_idx"
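    As an added example (not part of the Juniper documentation), the following Python parser splits the syslog prefix from the MKS_ key/value pairs, separates the nine common names from the incident-specific context, and groups incidents by MKS_pubkey, since that key identifies a profile even when MKS_SrcIP changes. The first sample line is the page's own; the second is constructed for the illustration.

```python
import re
from collections import defaultdict

# Syslog prefix, then key="value" pairs; values may hold spaces, parentheses and
# semicolons (see MKS_useragent) but no double quotes, so [^"]* is sufficient.
PREFIX_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
                       r'\[(?P<level>\w+)\]\[(?P<app>[^\]]+)\]\[(?P<thread>[^\]]+)\] ')
KV_RE = re.compile(r'(MKS_\w+)="([^"]*)"')
COMMON = ("MKS_Category", "MKS_Type", "MKS_Severity", "MKS_ProfileName", "MKS_SrcIP",
          "MKS_pubkey", "MKS_useragent", "MKS_url", "MKS_count")

def parse_incident(line):
    """Return {'syslog', 'common', 'context'} for one log line, or None if it is not an incident."""
    m = PREFIX_RE.match(line)
    fields = dict(KV_RE.findall(line))
    if not m or fields.get("MKS_Category") != "Security Incident" or "MKS_Severity" not in fields:
        return None
    common = {k: fields[k] for k in COMMON if k in fields}
    common["MKS_Severity"] = int(common["MKS_Severity"])      # 0 lowest .. 4 highest
    common["MKS_count"] = int(common.get("MKS_count", 1))
    # Anything outside the common names is incident-specific context (MKS_param etc.).
    context = {k: v for k, v in fields.items() if k not in COMMON}
    return {"syslog": m.groupdict(), "common": common, "context": context}

def group_by_profile(lines, min_severity=0):
    """Aggregate incidents at/above min_severity per MKS_pubkey, which survives IP changes."""
    out = defaultdict(lambda: {"max_severity": 0, "ips": set(), "types": set(), "events": 0})
    for line in lines:
        inc = parse_incident(line)
        if inc is None or inc["common"]["MKS_Severity"] < min_severity:
            continue
        c, entry = inc["common"], out[inc["common"]["MKS_pubkey"]]
        entry["max_severity"] = max(entry["max_severity"], c["MKS_Severity"])
        entry["ips"].add(c["MKS_SrcIP"])
        entry["types"].add(c["MKS_Type"])
        entry["events"] += 1
    return dict(out)

# First entry is the page's sample; the second is constructed: same MKS_pubkey, new IP, severity 4.
SAMPLE_LINES = [
    'Apr 6 20:58:36 vm1 [INFO][mws-security-alert][Thread-49927] MKS_Category="Security Incident" '
    'MKS_Type="Query Parameter Manipulation" MKS_Severity="2" MKS_ProfileName="Luis 9605" '
    'MKS_SrcIP="10.10.10.130" MKS_pubkey="fkrvpvFNhwoWRgaQiUxS" MKS_useragent="Mozilla/5.0 '
    '(Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 '
    'Safari/535.19" MKS_url="http://www2.testsite.com:80/basket/?action=listing id=3" '
    'MKS_count="1" MKS_actual="2568" MKS_expected="25304" MKS_param="n_idx"',
    'Apr 6 21:02:10 vm1 [INFO][mws-security-alert][Thread-49931] MKS_Category="Security Incident" '
    'MKS_Type="Query Parameter Manipulation" MKS_Severity="4" MKS_ProfileName="Luis 9605" '
    'MKS_SrcIP="10.10.10.131" MKS_pubkey="fkrvpvFNhwoWRgaQiUxS" MKS_useragent="curl/7.29.0" '
    'MKS_url="http://www2.testsite.com:80/basket/" MKS_count="2" MKS_actual="1" MKS_expected="25304" MKS_param="n_idx"',
]
```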

    Published: 2013-11-20