Web App Firewall logs

The Web App Firewall generates log messages for tracking configuration, policy invocation, and security check violation details.

When you enable the log action for security checks or signatures, the resulting log messages provide information about the requests and responses that the Web App Firewall has observed while protecting your websites and applications. The most important information is the action taken by the Web App Firewall when a signature or security check violation was observed. For some security checks, the log message can provide useful additional information, such as the user location or the detected pattern that triggered the violation. An excessive increase in the number of violation messages in the logs can indicate a surge in malicious requests. Such messages alert you that your application might be under attack, with attempts to exploit a specific vulnerability being detected and thwarted by Web App Firewall protections.

Note:

If you want to segregate Citrix Web App Firewall logs from the System Logs, you must use an external SYSLOG server.

Citrix ADC (Native) format logs

The Web App Firewall uses the Citrix ADC format logs (also called native format logs) by default. These logs have the same format as those generated by other Citrix ADC features. Each log contains the following fields:

  • Timestamp. Date and time when the connection occurred.
  • Severity. Severity level of the log.
  • Module. Citrix ADC module that generated the log entry.
  • Event Type. Type of event, such as signature violation or security check violation.
  • Event ID. ID assigned to the event.
  • Client IP. IP address of the user whose connection was logged.
  • Transaction ID. ID assigned to the transaction that caused the log.
  • Session ID. ID assigned to the user session that caused the log.
  • Message. The log message. Contains information identifying the signature or security check that triggered the log entry.

You can search for any of these fields, or any combination of information from different fields. Your selection is limited only by the capabilities of the tools you use to view the logs. You can observe the Web App Firewall log messages in the GUI by accessing the Citrix ADC syslog viewer, you can connect to the Citrix ADC appliance and access the logs from the command line interface, or you can drop into the shell and tail the logs directly from the /var/log/ folder.

Example of a native format log message

Jun 22 19:14:37 <local0.info> 10.217.31.98 06/22/2015:19:14:37 GMT ns 0-PPE-1 :
default APPFW APPFW_cross-site scripting 60 0 :  10.217.253.62 616-PPE1 y/3upt2K8ySWWId3Kavbxyni7Rw0000
pr_ffc http://aaron.stratum8.net/FFC/login.php?login_name=abc&passwd=
12345&drinking_pref=on&text_area=%3Cscript%3E%0D%0A&loginButton=ClickToLogin&as_sfid=
AAAAAAWEXcNQLlSokNmqaYF6dvfqlChNzSMsdyO9JXOJomm2v
BwAMOqZIChv21EcgBc3rexIUcfm0vckKlsgoOeC_BArx1Ic4NLxxkWMtrJe4H7SOfkiv9NL7AG4juPIanTvVo
%3D&as_fid=feeec8758b41740eedeeb6b35b85dfd3d5def30c Cross-site script check failed for
field text_area="Bad tag: script" <blocked>
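
The message above is one log line that wraps across several lines on this page. The following Python script is an added example, not part of the Citrix documentation or the product: it splits a native-format APPFW line into the fields listed earlier (timestamp, severity, module, event type, event ID, client IP, transaction ID, session ID, message) plus the profile, URL and the trailing action, then counts violations per minute and per event type so that the "excessive increase in violation messages" mentioned above can be flagged. The field layout is reconstructed from the single example on this page; the regular expression, the function names, the surge threshold and the extra sample lines (event name `APPFW_SQL`, event ID 80, addresses in 198.51.100.0/24) are assumptions or constructed data, not values taken from a real appliance.

```python
import re
from collections import Counter
from datetime import datetime

# Layout of a Citrix ADC native-format APPFW violation line, reconstructed
# from the example on this page (assumption): syslog header, appliance
# timestamp, hostname and packet engine, partition, module, event type,
# event ID, a numeric flag, then client IP, transaction ID, session ID,
# profile name, request URL, free-text message and the <action> taken.
LOG_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"<(?P<facility_severity>[^>]+)> "
    r"(?P<appliance_ip>\S+) "
    r"(?P<timestamp>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) (?P<tz>\S+) "
    r"(?P<host>\S+) (?P<ppe>\S+) : "
    r"(?P<partition>\S+) (?P<module>\S+) "
    r"(?P<event_type>\S.*?) (?P<event_id>\d+) (?P<flag>\d+) :\s+"
    r"(?P<client_ip>\S+) (?P<transaction_id>\S+) (?P<session_id>\S+) "
    r"(?P<profile>\S+) (?P<url>\S+) "
    r"(?P<message>.*?) <(?P<action>[^>]+)>$"
)


def parse_line(line):
    """Return a dict of named fields, or None when the line does not follow
    the violation layout above (for example a configuration message)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["event_id"] = int(rec["event_id"])
    rec["time"] = datetime.strptime(rec["timestamp"], "%m/%d/%Y:%H:%M:%S")
    return rec


def count_per_minute(lines):
    """Count parsed violation lines per (minute, event_type, action);
    unparseable lines are skipped rather than raising."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        minute = rec["time"].strftime("%Y-%m-%d %H:%M")
        counts[(minute, rec["event_type"], rec["action"])] += 1
    return counts


def surges(counts, threshold):
    """Return (minute, event_type, action, count) tuples whose count reaches
    the threshold: the surge in violation messages the page describes."""
    return sorted(k + (n,) for k, n in counts.items() if n >= threshold)


# The example line from this page, with the wrapped lines joined back together.
PAGE_EXAMPLE = (
    "Jun 22 19:14:37 <local0.info> 10.217.31.98 06/22/2015:19:14:37 GMT ns 0-PPE-1 : "
    "default APPFW APPFW_cross-site scripting 60 0 :  10.217.253.62 616-PPE1 "
    "y/3upt2K8ySWWId3Kavbxyni7Rw0000 pr_ffc "
    "http://aaron.stratum8.net/FFC/login.php?login_name=abc&passwd="
    "12345&drinking_pref=on&text_area=%3Cscript%3E%0D%0A&loginButton=ClickToLogin&as_sfid="
    "AAAAAAWEXcNQLlSokNmqaYF6dvfqlChNzSMsdyO9JXOJomm2v"
    "BwAMOqZIChv21EcgBc3rexIUcfm0vckKlsgoOeC_BArx1Ic4NLxxkWMtrJe4H7SOfkiv9NL7AG4juPIanTvVo"
    "%3D&as_fid=feeec8758b41740eedeeb6b35b85dfd3d5def30c "
    "Cross-site script check failed for field text_area=\"Bad tag: script\" <blocked>"
)


def _constructed(ts, client, txn, sess, event, eid, msg, action="blocked"):
    # Builds a line in the layout above from constructed values (not real log data).
    return (f"Jun 22 {ts} <local0.info> 10.217.31.98 06/22/2015:{ts} GMT ns 0-PPE-1 : "
            f"default APPFW {event} {eid} 0 :  {client} {txn} {sess} pr_ffc "
            f"http://app.example.test/login.php?user=x {msg} <{action}>")


# Constructed sample: three violations of one check inside a single minute,
# one more a minute later, and one non-violation line the parser must skip.
SQL_MSG = 'SQL injection check failed for field user="x"'
CONSTRUCTED_LINES = [
    _constructed("19:15:02", "198.51.100.10", "620-PPE1", "sess-c1", "APPFW_SQL", 80, SQL_MSG),
    _constructed("19:15:09", "198.51.100.11", "621-PPE1", "sess-c2", "APPFW_SQL", 80, SQL_MSG),
    _constructed("19:15:44", "198.51.100.12", "622-PPE1", "sess-c3", "APPFW_SQL", 80, SQL_MSG),
    _constructed("19:16:30", "198.51.100.13", "623-PPE1", "sess-c4", "APPFW_SQL", 80, SQL_MSG),
    "Jun 22 19:15:10 <local0.info> 10.217.31.98 06/22/2015:19:15:10 GMT ns 0-PPE-1 : "
    "default APPFW Message 70 0 :  config line that is not a violation (constructed)",
]


def run_sample(threshold=3):
    """Parse the page example plus the constructed lines and report surges."""
    return surges(count_per_minute([PAGE_EXAMPLE] + CONSTRUCTED_LINES), threshold)


if __name__ == "__main__":
    rec = parse_line(PAGE_EXAMPLE)
    print(rec["event_type"], rec["event_id"], rec["client_ip"], rec["action"])
    for minute, event, action, n in run_sample():
        print(f"surge: {n} x {event} ({action}) during {minute}")
```

The threshold of three per minute is only a demonstration value; in practice the baseline comes from the normal violation rate of the protected application, and the per-minute keys can be fed to whatever alerting the syslog server provides. Because the event type on this page contains a space ("APPFW_cross-site scripting"), the parser anchors that field on the numeric event ID and flag that follow it rather than on whitespace.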
