
    Security Log Format

    WebApp Secure is configured to log security incidents to mws-security.log. Security alerts are sent to security.log (previously named security-alert.log). Three kinds of event appear in this log: new profiles, security incidents, and new counter responses. The following section explains the format of each of these security log messages.

    • New profile

      <date_utc> <hostname> [<log_level>][mws-security-alert][<service>] MKS_Category="New Profile" MKS_ProfileId="<profile_id>" MKS_ProfileName="<profile_name>" MKS_PubKey="<pubkey>"

    • Security incidents

      <date_utc> <hostname> [<log_level>][mws-security-alert][<service>] MKS_Category="Security Incident" MKS_Type="<incident>" MKS_Severity="<severity>" MKS_ProfileName="<profile_name>" MKS_SrcIP="<source_ip>" MKS_PubKey="<pubkey>" MKS_useragent="<user_agent>" MKS_url="<url>" MKS_count="<count>" MKS_fakeresponse="<fake_response>"

    • New counter responses

      <date_utc> <hostname> [<log_level>][mws-security-alert][<service>] MKS_Category="New Counter Response" MKS_ResponseCode="<response_code>" MKS_ResponseName="<response_name>" MKS_ProfileId="<profile_id>" MKS_ProfileName="<profile_name>" MKS_ResponseCreated="<created_date>" MKS_ResponseDelayed="<delay_date>" MKS_ResponseExpires="<expiration_date>" MKS_ResponseConfig="<response_config>"

    Field definitions:

    • <date_utc>–The date of the log entry, in UTC.
    • <hostname>–The hostname of the appliance.
    • <log_level>–The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR.
    • <service>–The WebApp Secure service that triggered the security log entry. Possible services include:
      • [auto-response]–The auto response service generates the New Counter Response log entries.
      • [traffic-info]–The traffic information service generates the Security Incident and New Profile log entries in security.log.
    • <profile_id>–The numerical ID assigned to the Profile that caused the security alert, or the profile ID that received a Response.
    • <profile_name>–The friendly name assigned to the Profile that caused the security alert, or the Profile that received a Response. For example, "Bob 1234".
    • <pubkey>– The Public ID that can be used in conjunction with the Support_Processor to unblock Profiles. For example, "tTtHvXuby4gxNVmPIeIE".
    • <incident>–The name of the incident that triggered this security alert.
    • <severity>–The numerical severity of the incident that triggered this security alert. This can be a number from 0 to 4, inclusive.
    • <source_ip>–The source IP address of the request that generated this alert.
    • <user_agent>–The User-Agent string of the client request that generated this alert.
    • <url>–The URL requested by the client in the request that generated this alert. For example, "http://10.20.0.53:80/.htaccess".
    • <count>–The number of times the profile triggered this incident. This is used for certain incidents to decide whether or not to elevate the profile or increase the responses on the profile.
    • <fake_response>–Whether or not (true or false) the response sent back to the client was a fake one created by WebApp Secure.
    • <response_code>–The numerical code for the response issued. For example, "13007".
    • <response_name>–The friendly name for the response issued on the profile indicated in the alert.
    • <created_date>–The date and time the response was created.
    • <delay_date>–The date and time the response is set to be delayed until.
    • <expiration_date>–The date and time the response is set to expire.
    • <response_config>–The configuration used in this response. Displayed as an XML-like node.

    Logfile Example

    Mar 19 18:20:04 my-vm [INFO][mws-security-alert][traffic-info] MKS_Category="New Profile" MKS_ProfileId="197382" MKS_ProfileName="Sandy 5021" MKS_PubKey="c0tcXdDev0XMwwOu30uD"
    Mar 19 18:20:04 my-vm [INFO][mws-security-alert][auto-response] MKS_Category="New Counter Response" MKS_ResponseCode="SL" MKS_ResponseName="Slow Connection" MKS_ProfileId="197180" MKS_ProfileName="Rhoda 4027" MKS_ResponseCreated="2014-03-19 18:20:00.583" MKS_ResponseDelayed="2014-03-19 18:20:00.583" MKS_ResponseExpires="2014-03-20 18:20:00.583" MKS_ResponseConfig="<config ix0ix4002='1' min='2500' max='6000' />"
    Mar 19 18:20:05 my-vm [INFO][mws-security-alert][traffic-info] MKS_Category="Security Incident" MKS_Type="Apache Configuration Requested" MKS_Severity="2" MKS_ProfileName="Janelle 3524" MKS_SrcIP="10.20.1.23" MKS_pubkey="ami4U5RExf4d4NO59xxT" MKS_useragent="Mozilla/5.0 (X11 U Linux x86_64 pl-PL rv:1.9.2.13) Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/3.6.13" MKS_url="http://10.20.0.53:80/.htaccess" MKS_count="1" MKS_fakeresponse="true"
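    The following parser is an added example, not code shipped with WebApp Secure or taken from this page. It reads the three message formats described above, validates the MKS_Category and the 0 to 4 severity range, and filters Security Incident entries by severity so they can be forwarded to a SIEM. The sample input is the three-line log example from this page embedded as a string. Note that the example spells the public key field both MKS_PubKey (New Profile) and MKS_pubkey (Security Incident), so the parser normalises field names to lower case instead of matching exact spellings; the regular expressions, the SecurityLogEntry class and the helper function names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Prefix common to all three message types described on the page:
#   <date_utc> <hostname> [<log_level>][mws-security-alert][<service>] MKS_...
# The example uses a syslog-style timestamp without a year ("Mar 19 18:20:04").
PREFIX_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"\[(?P<level>TRACE|DEBUG|INFO|WARN|ERROR)\]"
    r"\[mws-security-alert\]"
    r"\[(?P<service>[^\]]+)\] "
    r"(?P<fields>MKS_.*)$"
)

# Each field is MKS_<Name>="<value>". Values may contain spaces, URLs and the
# XML-like response config, but the page shows no embedded double quotes.
FIELD_RE = re.compile(r'(?P<key>MKS_[A-Za-z]+)="(?P<value>[^"]*)"')

CATEGORIES = {"New Profile", "Security Incident", "New Counter Response"}


@dataclass
class SecurityLogEntry:
    date: str
    host: str
    level: str
    service: str
    category: str
    fields: Dict[str, str]  # keys lower-cased with the MKS_ prefix dropped

    @property
    def severity(self) -> Optional[int]:
        """Numeric severity (0-4) for Security Incident entries, else None."""
        raw = self.fields.get("severity")
        return None if raw is None else int(raw)

    @property
    def fake_response(self) -> bool:
        """True when WebApp Secure answered the request with a fake response."""
        return self.fields.get("fakeresponse", "false").lower() == "true"


def parse_line(line: str) -> SecurityLogEntry:
    """Parse one security log line; raises ValueError on anything unexpected."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an mws-security-alert line: {line!r}")
    # The page's example writes both MKS_PubKey and MKS_pubkey, so normalise
    # key case rather than relying on the exact spelling of each field name.
    fields = {fm.group("key")[4:].lower(): fm.group("value")
              for fm in FIELD_RE.finditer(m.group("fields"))}
    category = fields.get("category")
    if category not in CATEGORIES:
        raise ValueError(f"unknown MKS_Category {category!r}")
    entry = SecurityLogEntry(m.group("date"), m.group("host"), m.group("level"),
                             m.group("service"), category, fields)
    if category == "Security Incident":
        sev = entry.severity  # int() raises ValueError on a non-numeric value
        if sev is None or not 0 <= sev <= 4:
            raise ValueError(f"MKS_Severity out of range: {fields.get('severity')!r}")
    return entry


def parse_log(text: str) -> Tuple[List[SecurityLogEntry], List[str]]:
    """Parse a whole log. Lines that fail to parse are returned separately
    rather than dropped silently, so gaps in detection coverage are visible."""
    entries, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entries.append(parse_line(line))
        except ValueError:
            rejected.append(line)
    return entries, rejected


def incidents_at_least(entries: List[SecurityLogEntry], min_severity: int) -> List[SecurityLogEntry]:
    """Security Incident entries at or above a severity threshold (0-4)."""
    return [e for e in entries
            if e.category == "Security Incident" and e.severity >= min_severity]


# Sample input: the three-line logfile example from this page.
SAMPLE_LOG = """\
Mar 19 18:20:04 my-vm [INFO][mws-security-alert][traffic-info] MKS_Category="New Profile" MKS_ProfileId="197382" MKS_ProfileName="Sandy 5021" MKS_PubKey="c0tcXdDev0XMwwOu30uD"
Mar 19 18:20:04 my-vm [INFO][mws-security-alert][auto-response] MKS_Category="New Counter Response" MKS_ResponseCode="SL" MKS_ResponseName="Slow Connection" MKS_ProfileId="197180" MKS_ProfileName="Rhoda 4027" MKS_ResponseCreated="2014-03-19 18:20:00.583" MKS_ResponseDelayed="2014-03-19 18:20:00.583" MKS_ResponseExpires="2014-03-20 18:20:00.583" MKS_ResponseConfig="<config ix0ix4002='1' min='2500' max='6000' />"
Mar 19 18:20:05 my-vm [INFO][mws-security-alert][traffic-info] MKS_Category="Security Incident" MKS_Type="Apache Configuration Requested" MKS_Severity="2" MKS_ProfileName="Janelle 3524" MKS_SrcIP="10.20.1.23" MKS_pubkey="ami4U5RExf4d4NO59xxT" MKS_useragent="Mozilla/5.0 (X11 U Linux x86_64 pl-PL rv:1.9.2.13) Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/3.6.13" MKS_url="http://10.20.0.53:80/.htaccess" MKS_count="1" MKS_fakeresponse="true"
"""

if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    for e in parsed:
        print(e.date, e.service, e.category, e.fields.get("profilename"))
    for e in incidents_at_least(parsed, 2):
        print("forward:", e.fields["type"], "from", e.fields["srcip"], "fake_response =", e.fake_response)
    print("rejected lines:", len(bad))
```

    Because MKS_Severity is the field an operator will most often key alerting on, the parser rejects a line whose severity is missing or outside 0 to 4 instead of guessing, and parse_log hands such lines back so a collector can count them rather than lose them.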

    Published: 2014-06-27