Security Log Format

Webapp Secure is configured to log security incidents to mws-security.log. All security alerts should be sent to security.log (previously named security-alert.log). This log contains several types of entries: new profiles, security incidents, and new counter responses. The following section explains the format of these security log messages.

Field definitions:

Logfile Example.

Mar 19 18:20:04 my-vm [INFO][mws-security-alert][traffic-info] MKS_Category="New Profile" MKS_ProfileId="197382" MKS_ProfileName="Sandy 5021" MKS_PubKey="c0tcXdDev0XMwwOu30uD"
Mar 19 18:20:04 my-vm [INFO][mws-security-alert][auto-response] MKS_Category="New Counter Response" MKS_ResponseCode="SL" MKS_ResponseName="Slow Connection" MKS_ProfileId="197180" MKS_ProfileName="Rhoda 4027" MKS_ResponseCreated="2014-03-19 18:20:00.583" MKS_ResponseDelayed="2014-03-19 18:20:00.583" MKS_ResponseExpires="2014-03-20 18:20:00.583" MKS_ResponseConfig="<config ix0ix4002='1' min='2500' max='6000' />"
Mar 19 18:20:05 my-vm [INFO][mws-security-alert][traffic-info] MKS_Category="Security Incident" MKS_Type="Apache Configuration Requested" MKS_Severity="2" MKS_ProfileName="Janelle 3524" MKS_SrcIP="10.20.1.23" MKS_pubkey="ami4U5RExf4d4NO59xxT" MKS_useragent="Mozilla/5.0 (X11 U Linux x86_64 pl-PL rv:1.9.2.13) Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/3.6.13" MKS_url="http://10.20.0.53:80/.htaccess" MKS_count="1" MKS_fakeresponse="true"
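
The following parser is an added example, not code from Webapp Secure or its documentation. It splits the sample messages above into records and MKS_ key/value fields for use in a log pipeline. The names `level`, `source` and `channel` for the bracketed header parts and the `incidents` helper are assumptions, and values are assumed to contain no embedded double quotes.

```python
import re

# Header: "Mar 19 18:20:04 my-vm [INFO][mws-security-alert][traffic-info]"
HEADER = re.compile(
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"\[(?P<level>[^\]]+)\]\[(?P<source>[^\]]+)\]\[(?P<channel>[^\]]+)\]"
)
# Fields: MKS_Name="value" (assumption: no double quote inside a value).
FIELD = re.compile(r'(MKS_\w+)="([^"]*)"')


def parse_records(text):
    """Return one dict per message, whether or not messages are newline-separated."""
    headers = list(HEADER.finditer(text))
    records = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        record = h.groupdict()
        # The sample mixes MKS_PubKey and MKS_pubkey, so keys are lowercased.
        record["fields"] = {k.lower(): v for k, v in FIELD.findall(text[h.end():end])}
        records.append(record)
    return records


def incidents(records, min_severity=0):
    """Select Security Incident records at or above a severity (hypothetical helper)."""
    return [
        r for r in records
        if r["fields"].get("mks_category") == "Security Incident"
        and int(r["fields"].get("mks_severity", 0)) >= min_severity
    ]


# The three messages from the logfile example above, one per line.
SAMPLE = """\
Mar 19 18:20:04 my-vm [INFO][mws-security-alert][traffic-info] MKS_Category="New Profile" MKS_ProfileId="197382" MKS_ProfileName="Sandy 5021" MKS_PubKey="c0tcXdDev0XMwwOu30uD"
Mar 19 18:20:04 my-vm [INFO][mws-security-alert][auto-response] MKS_Category="New Counter Response" MKS_ResponseCode="SL" MKS_ResponseName="Slow Connection" MKS_ProfileId="197180" MKS_ProfileName="Rhoda 4027" MKS_ResponseCreated="2014-03-19 18:20:00.583" MKS_ResponseDelayed="2014-03-19 18:20:00.583" MKS_ResponseExpires="2014-03-20 18:20:00.583" MKS_ResponseConfig="<config ix0ix4002='1' min='2500' max='6000' />"
Mar 19 18:20:05 my-vm [INFO][mws-security-alert][traffic-info] MKS_Category="Security Incident" MKS_Type="Apache Configuration Requested" MKS_Severity="2" MKS_ProfileName="Janelle 3524" MKS_SrcIP="10.20.1.23" MKS_pubkey="ami4U5RExf4d4NO59xxT" MKS_useragent="Mozilla/5.0 (X11 U Linux x86_64 pl-PL rv:1.9.2.13) Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/3.6.13" MKS_url="http://10.20.0.53:80/.htaccess" MKS_count="1" MKS_fakeresponse="true"
"""

if __name__ == "__main__":
    for r in incidents(parse_records(SAMPLE), min_severity=2):
        f = r["fields"]
        print(r["timestamp"], f["mks_type"], f["mks_srcip"], f["mks_url"])
```

MKS_useragent and MKS_url carry client-supplied text, so treat those values as untrusted when forwarding parsed records to a SIEM or dashboard.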
