Log Fields (RTLD WAF)

Log data is reported as a JSON document. Log format determines whether log data identification information will be included and how the data is formatted. Each type of log format is described below.

JSON: This format includes:
- Top-level name/value pairs that uniquely identify the set of log entries reported in the JSON document.
- An object for each log entry associated with the current JSON document.
View a sample log file.
JSON Array: This format generates a JSON document that contains an array of objects. Each object is a log entry associated with the current JSON document.

View a sample log file.
JSON Lines: This format generates an invalid JSON document that contains an object on each line. Each object is a log entry associated with the current JSON document. This object is an exact match for an object contained by the Logs array.

View a sample log file.

If log data uses either the JSON Array or JSON Lines log format, then it will not contain information that uniquely identifies a set of log data. If log data using one of these formats is delivered to a destination other than AWS S3, Azure Blob Storage, or Google Cloud Storage, then there is no way to check for gaps in sequence numbers when attempting to identify missing log data.

A log entry describes a HTTP/HTTPS request that was submitted to our CDN.

Top-Level Name/Value Pairs

Top-level name/value pairs are unavailable for the JSON Array and JSON Lines log formats. If you require this information, please choose the standard JSON log format.

Top-level name/value pairs are described below.

account_number (String): Customer AN. Identifies an environment by its legacy system-defined ID.
agent_id (String): Agent ID. Indicates the unique ID that identifies the Real-Time Log Delivery software agent that generated the log data.
datestamp (String): Date Stamp. Indicates the date on which the log data was generated.

Syntax: YYYYMMDD

Example: 20230412
logs (Array of objects): Log Data. Describes the log entries associated with the current JSON document. Each object contains a set of fields that describe the request/response for a single log entry.
profile_id (Integer): Profile ID. Identifies a RTLD profile by its system-defined ID.
seq_num (Integer): Sequence Number. Indicates the sequential number that identifies the order in which the log data was generated by the software agent identified by the agent_id field.
service (String): Service. This field always reports waf.

logs Array

The logs array contains an object for each log entry associated with the current JSON document. Each log entry describes a threat through the following fields:

account_number (String): Customer AN. (Category: General) Identifies an environment by its legacy system-defined ID.
action_type (String): Action Type. (Category: Event) Indicates the action that was triggered as a result of the violation. Valid values are:
- BLOCK_REQUEST: Indicates that the request that violated a rule was blocked.
- NOP: Indicates that an alert was generated in response to the rule violation.
- REDIRECT_302: Indicates that the request that violated a rule was redirected to a URL defined by your security policy.
- CUSTOM_RESPONSE: Indicates that a custom response was returned to the client that submitted a request that violated a rule.
client_city (String): City Name. (Category: Client Geography) Indicates the city from which the request originated.
client_country_code (String): Country Code. (Category: Client Geography) Indicates the two-character ISO 3166-1 code for the country from which the request originated.
client_country (String): Country Name. (Category: Client Geography) Indicates the country from which the request originated.
client_ip (String): IP Address. (Category: Client Network) Indicates the IP address for the device that submitted the request to our CDN.
client_tls_ja3_md5 (String): JA3 MD5 Hash. (Category: Request) Indicates the JA3 fingerprint assigned to the request. A JA3 fingerprint identifies a client using key characteristics from a TLS request. This allows us to classify traffic across various IP addresses and ports.
host (String): Host. (Category: Request Header) Indicates the Host header value sent in the client’s request to the CDN.
referer (String): Referer. (Category: Request Header) Indicates the Referer header value sent in the client’s request to the CDN. This header reports the URL of the site from which the request originated.
rule_message (String): Rule Message. (Category: Event) Provides a description of the rule that the request violated.
rule_tags (Array of strings): Rule Tags. (Category: Event) Indicates the tags associated with the rule that the request violated. These tags may be used to determine whether a rule, access control, or global setting was violated.
server_port (Integer): Server Port. (Category: Network) Indicates the port number on an edge server to which the client directed a request. Valid values are:
- 80: HTTP request
- 443: HTTPS request
sub_events_count (Integer): Sub Events Count. (Category: Sub Event) Indicates the total number of sub events.
sub_events (Array of objects): Sub Events. (Category: Sub Event) Contains a list of fields that describe each sub event associated with the current event. A sub event is reported for each rule violation incurred by a request.
timestamp (Decimal): Epoch Time. (Category: Response) Indicates the Unix time, in seconds, at which an edge server delivered the requested content to the client.

Syntax: <SECONDS>.<MICROSECONDS>
url (String): URL. (Category: Request) Indicates the URL that was requested.
user_agent (String): User Agent. (Category: Request Header) Indicates the user agent that submitted the HTTP request to our CDN.
uuid (String): Event ID. (Category: Request) Indicates the unique ID assigned to the event.
waf_instance_name (String): Instance Name. (Category: Security Configuration) Indicates the name of the Security Application that the request violated.
waf_profile_name (String): Profile Name. (Category: Security Configuration) Indicates the name of the profile that triggered the violation.
waf_profile_type (String): Profile Type. (Category: Security Configuration) Indicates whether the request was screened as a result of an instance’s production or audit profile. Valid values are: PRODUCTION | AUDIT

sub_events Array

The sub_events array contains a list of fields that describe each sub event associated with the current event. A sub event is reported for each rule violation incurred by a request.

matched_on (String): Matched On. Indicates the variable that identifies where the violation was found.
matched_value (String): Matched Value. Indicates the value of the variable defined in the matched_on field.
rule_id (Integer): Rule ID. Indicates the ID for the rule that the request violated.
rule_message (String): Rule Message. Provides a description of the rule that the request violated.
total_anomaly_score (Integer): Total Anomaly Score. Indicates the total anomaly score for the current rule violation. This score is calculated by summing the anomaly score of the current rule violation with all rule violations reported above this sub event.

Example: The anomaly score incurred by each sub event in this example is listed below.
- Sub Event 1: Anomaly Score 2
- Sub Event 2: Anomaly Score 3
- Sub Event 3: Anomaly Score 2
The total anomaly score for each sub event is listed below.
- Sub Event 1: Total Anomaly Score = 2
- Sub Event 2: Total Anomaly Score = 5
- Sub Event 3: Total Anomaly Score = 7

Sample Log Data

Sample log data that contains two log entries is provided below for all three log formats.

JSON
{
	"agent_id": "1234500008619D55A",
	"seq_num": 0,
	"service": "waf",
	"account_number": "0001",
	"profile_id": 0,
	"datestamp": "20201008",
	"logs": [{
			"timestamp": 1602200337.177535713,
			"user_agent": "curl/7.64.1",
			"url": "https://cdn.example.com/",
			"client_ip": "190.220.230.2",
			"referer": "",
			"host": "cdn.example.com",
			"uuid": "38046679731278771327748811544613832704",
			"client_country_code": "US",
			"waf_profile_name": "Site 1",
			"waf_profile_type": "PRODUCTION",
			"waf_instance_name": "Site 1 Instance",
			"sub_events_count": 1,
			"sub_events": [{
					"total_anomaly_score": 0,
					"matched_on": "REQUEST_METHOD",
					"matched_value": "POST",
					"rule_id": 80009,
					"rule_message": "Method is not allowed by policy"
				}
			],
			"rule_tags": [],
			"rule_message": "Method is not allowed by policy",
			"action_type": "BLOCK_REQUEST",
			"server_port": 443,
			"client_country": "United States",
			"client_city": "Los Angeles"
		}, {
			"timestamp": 1602200338.598465258,
			"user_agent": "curl/7.64.1",
			"url": "https://cdn.example.com/",
			"client_ip": "230.180.240.23",
			"referer": "",
			"host": "cdn.example.com",
			"uuid": "38046679731278771327748811544613832998",
			"client_country_code": "US",
			"waf_profile_name": "Site 1",
			"waf_profile_type": "PRODUCTION",
			"waf_instance_name": "Site 1 Instance",
			"sub_events_count": 1,
			"sub_events": [{
					"total_anomaly_score": 0,
					"matched_on": "REQUEST_METHOD",
					"matched_value": "POST",
					"rule_id": 80009,
					"rule_message": "Method is not allowed by policy"
				}
			],
			"rule_tags": [],
			"rule_message": "Method is not allowed by policy",
			"action_type": "BLOCK_REQUEST",
			"server_port": 443,
			"client_country": "United States",
			"client_city": "Los Angeles"
		}
	]
}

JSON_Array
[{
		"timestamp": 1602200337.177535713,
		"user_agent": "curl/7.64.1",
		"url": "https://cdn.example.com/",
		"client_ip": "190.220.230.2",
		"referer": "",
		"host": "cdn.example.com",
		"uuid": "38046679731278771327748811544613832704",
		"client_country_code": "US",
		"waf_profile_name": "Site 1",
		"waf_profile_type": "PRODUCTION",
		"waf_instance_name": "Site 1 Instance",
		"sub_events_count": 1,
		"sub_events": [{
				"total_anomaly_score": 0,
				"matched_on": "REQUEST_METHOD",
				"matched_value": "POST",
				"rule_id": 80009,
				"rule_message": "Method is not allowed by policy"
			}
		],
		"rule_tags": [],
		"rule_message": "Method is not allowed by policy",
		"action_type": "BLOCK_REQUEST",
		"server_port": 443,
		"client_country": "United States",
		"client_city": "Los Angeles"
	}, {
		"timestamp": 1602200338.598465258,
		"user_agent": "curl/7.64.1",
		"url": "https://cdn.example.com/",
		"client_ip": "230.180.240.23",
		"referer": "",
		"host": "cdn.example.com",
		"uuid": "38046679731278771327748811544613832998",
		"client_country_code": "US",
		"waf_profile_name": "Site 1",
		"waf_profile_type": "PRODUCTION",
		"waf_instance_name": "Site 1 Instance",
		"sub_events_count": 1,
		"sub_events": [{
				"total_anomaly_score": 0,
				"matched_on": "REQUEST_METHOD",
				"matched_value": "POST",
				"rule_id": 80009,
				"rule_message": "Method is not allowed by policy"
			}
		],
		"rule_tags": [],
		"rule_message": "Method is not allowed by policy",
		"action_type": "BLOCK_REQUEST",
		"server_port": 443,
		"client_country": "United States",
		"client_city": "Los Angeles"
	}
]

1{"user_agent": "Mozilla/5.0 (Windows NT ... Represents a log entry.}
2{"user_agent": "Mozilla/5.0 (Windows NT ...}

Top-Level Name/Value Pairs #

logs Array #

sub_events Array #

Sample Log Data #

Top-Level Name/Value Pairs

logs Array

sub_events Array

Sample Log Data