Security Log Format

Webapp Secure is configured to log security incidents to mws-security.log. All security alerts should be sent to security.log (previously named security-alert.log). This log contains several types of entries: new profiles, security incidents, and new counter responses. The following section explains the format of these security log messages.

Field definitions:

Note: Certain Incidents may add further fields to the log entry to help identify the particular context of the incident. For example, the Hostname Spoofing Attempt incident will add @MKS_hostpattern@ and @MKS_rule@ to the log entry. To learn what context a particular incident includes, navigate to the triggered Incident in the Web UI, and click the Details tab. Each item in the Details table is output in the format @MKS_<detail_item>=<value>@.

Logfile Examples:

Oct 13 16:33:13 jwas1 [INFO][mws-security-alert][traffic-info] MKS_Category="Security Incident" MKS_Type="Apache Configuration Requested" MKS_Severity="2" MKS_ProfileName="Brett 8356" MKS_SrcIP="10.10.0.117" MKS_pubkey="el4urlypSXuRHOM3IoLT" MKS_useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.101 Safari/537.36" MKS_url="http://jwas1.jsec.net:80/.htaccess" MKS_count="1" MKS_fakeresponse="true"

Oct 13 16:33:13 jwas1 [INFO][mws-security-alert][traffic-info] MKS_Category="New Profile" MKS_ProfileId="3811" MKS_ProfileName="Brett 8356" MKS_PubKey="el4urlypSXuRHOM3IoLT"

Oct 13 16:33:55 jwas1 [INFO][mws-security-alert][auto-response] MKS_Category="New Counter Response" MKS_ResponseCode="BL" MKS_ResponseName="Block User" MKS_ProfileId="3811" MKS_ProfileName="Brett 8356" MKS_ResponseCreated="2014-10-13 16:33:54.0" MKS_ResponseDelayed="2014-10-13 16:33:54.0" MKS_ResponseExpires="null" MKS_ResponseConfig="<config />" MKS_SilentRunning="true"
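
A parser for the entries shown above, as an added example that is not part of the Webapp Secure documentation: it splits the syslog-style prefix from the MKS_ name/value pairs and groups entries by profile name so an incident can be read alongside the response it triggered. The function names are illustrative, and the parser assumes values never contain an embedded double quote, which the page does not specify.

```python
import re

# Prefix as it appears in the page's examples:
# "<Mon DD HH:MM:SS> <host> [LEVEL][source][channel] <fields>"
PREFIX = re.compile(
    r'^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'\[(?P<level>[^\]]*)\]\[(?P<source>[^\]]*)\]\[(?P<channel>[^\]]*)\] (?P<body>.*)$'
)
# MKS_<name>="<value>" pairs.
# Assumption: a value never contains an embedded double quote.
FIELD = re.compile(r'MKS_(\w+)="([^"]*)"')

def parse_line(line):
    """Return a dict for one security log line, or None if the prefix does not match."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    body = entry.pop("body")
    # Lower-case field names: the examples use both MKS_pubkey and MKS_PubKey.
    entry["fields"] = {k.lower(): v for k, v in FIELD.findall(body)}
    return entry

def group_by_profile(lines):
    """Group parsed entries by profile name so incidents and responses line up."""
    profiles = {}
    for line in lines:
        entry = parse_line(line)
        if entry and "profilename" in entry["fields"]:
            profiles.setdefault(entry["fields"]["profilename"], []).append(entry)
    return profiles

# Sample lines taken from the page's examples, abridged (some fields dropped).
SAMPLE = [
    'Oct 13 16:33:13 jwas1 [INFO][mws-security-alert][traffic-info] MKS_Category="Security Incident" '
    'MKS_Type="Apache Configuration Requested" MKS_Severity="2" MKS_ProfileName="Brett 8356" '
    'MKS_pubkey="el4urlypSXuRHOM3IoLT" MKS_url="http://jwas1.jsec.net:80/.htaccess" MKS_count="1"',
    'Oct 13 16:33:13 jwas1 [INFO][mws-security-alert][traffic-info] MKS_Category="New Profile" '
    'MKS_ProfileId="3811" MKS_ProfileName="Brett 8356" MKS_PubKey="el4urlypSXuRHOM3IoLT"',
    'Oct 13 16:33:55 jwas1 [INFO][mws-security-alert][auto-response] MKS_Category="New Counter Response" '
    'MKS_ResponseCode="BL" MKS_ResponseName="Block User" MKS_ProfileId="3811" MKS_ProfileName="Brett 8356"',
]

if __name__ == "__main__":
    for name, entries in group_by_profile(SAMPLE).items():
        print(name)
        for e in entries:
            print(" ", e["timestamp"], e["channel"], e["fields"].get("category"))
```

Because user agent and URL values originate from the client, check how the product encodes a double quote inside a value before relying on this pattern for ingestion.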
