
The Log Alert node writes logs to the database from security events generated by the security engines. When a security engine detects an attack, an event is created and added to the attribute table http.request.security.events (an internal attribute). When the Log Alert node runs, all information about these security events is extracted and sent to the database.

Each event generates one log, so each HTTP request can generate multiple logs.

Note that events accepted by the Security Exception Management node will not be logged (such as false positives or other requests matching exceptions).

Logs can be viewed through the Security Logs panel.

Node parameters

  • Display name: name of the node displayed in the Workflow. Replaces the default name "Log Alert".
  • Security Engine: used to filter events generated by security engines. When "ICX Engine" is selected, only ICX security events are sent to the database. When "<All Engines>" is selected, every event is logged (default).

Custom Logs

In the "Security Engine" list, choosing "Custom" allows the user to generate a "custom" log, on which one can set a custom message.

In the Security Logs view, the custom message is visible on the "Tokens" tab of the detailed view. This is the only case in which the Log Alert node itself creates an event that is not generated by the security engines.

Provided attributes

  • log.uid: unique identifier generated by the node. This value can be displayed on an error page to help find the log (with the help of a security log filter) and to facilitate the resolution of a false positive reported by a user. Another way to do so is to use the http.request.uid attribute.

Use Case

Basic Log Alert: Denyall WAF Security Engines Workflow

  1. The first node "SWF - Security Engines" is used to activate and configure Security Engines.
  2. If an attack is detected, an event is created and added to the http.request.security.events table.
  3. The "Security Exception Management" node runs exception rules on detected events:
    - If an event is accepted by rules, it will be removed from the http.request.security.events table and added to the security.exception.events table.
  4. A condition on the security.exception.blocked attribute decides if the request must be blocked or not:
    - If it equals "true" (an attack is detected), the "Log Alert" node will send the events still present in the http.request.security.events table to the database. The request will then be blocked with an HTTP code 403.
    - If it equals "false" (no attack detected), the request will be sent to the backend server.
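
The workflow above as a simplified Python model, added here as an illustration and not taken from the product. The event fields, the rule callables, the "Other Engine" name, the return shape, and the rule that security.exception.blocked is "true" whenever an event survives exception management are all assumptions.

```python
# Simplified model of the use-case workflow (illustration only, not product code).
# Event fields, rule callables and the return shape are assumptions.

ALL_ENGINES = "<All Engines>"

def exception_management(security_events, rules):
    """Step 3: events accepted by a rule leave http.request.security.events
    and are added to security.exception.events."""
    remaining, accepted = [], []
    for event in security_events:
        target = accepted if any(rule(event) for rule in rules) else remaining
        target.append(event)
    return remaining, accepted

def log_alert(security_events, request_uid, engine=ALL_ENGINES):
    """Log Alert node: one log per event still in the table, optionally
    restricted to a single security engine."""
    return [
        {"http.request.uid": request_uid, "engine": e["engine"], "reason": e["reason"]}
        for e in security_events
        if engine == ALL_ENGINES or e["engine"] == engine
    ]

def run_workflow(request_uid, detected_events, rules, engine=ALL_ENGINES):
    remaining, accepted = exception_management(detected_events, rules)
    # Assumption: security.exception.blocked is "true" when at least one
    # event survives exception management.
    if not remaining:
        return {"status": "forwarded", "logs": [], "exceptions": accepted}
    logs = log_alert(remaining, request_uid, engine)
    return {"status": 403, "logs": logs, "exceptions": accepted}

# Constructed sample: one request, three events, one known false positive.
EVENTS = [
    {"engine": "ICX Engine", "reason": "sql injection pattern", "path": "/search"},
    {"engine": "ICX Engine", "reason": "xss pattern", "path": "/search"},
    {"engine": "Other Engine", "reason": "malformed header", "path": "/search"},
]
RULES = [lambda e: e["reason"] == "xss pattern" and e["path"] == "/search"]

if __name__ == "__main__":
    result = run_workflow("req-0001", EVENTS, RULES)
    for log in result["logs"]:
        print(result["status"], log)
```

In this model, narrowing the Security Engine parameter reduces the logs written for a blocked request without changing the blocking decision, so a request blocked only by another engine's event is blocked without a log.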