Logs
About
What is Log?
Log Profiles are used to send requests to log servers in the vServices. There are 7 log formats supported by the TR7 ASP device. You can find the details of log formats in the following text.
How to Add?
To add a new Log Profile, navigate to the Traffic Manager > Profiles > Logs > Add tab from the TR7 ASP web interface.
Interface
Log Profile Listing Screen
By following the steps "Traffic Manager > Profiles > Log" you can access the list of all Log Profiles attached to the TR7 ASP device. On this screen, you can perform actions such as adding, editing, and deleting Log Profiles.
- 1 (Information to be Displayed in the Table)
Select which information to display in the table listing Log Profiles.
Information that can be selected and is selected by default includes;
- Name
- Log Standard
- Log Addresses
- 2 (Add)
Click the Add button to open a form for creating a new Log Profile.
- 3 (Delete)
Select one or more Log Profiles and click the Delete button to delete the respective Log Profiles on the TR7 ASP device.
- 4 (Edit)
Click the Edit button to open the editing screen for the respective Log Profile.
- 5 (Search)
Used to search for all expressions in the table.
- 6 (RegExp Search)
Used to regexp search for all expressions in the table.
- 7 (Column Based Search)
Used to column based search for all expressions in the table.
- 8 (Usage Filter)
Used to filter which vServices all expressions in the table are used in.
- 9 (Page Information)
Information about how many Log Profiles are available in the list and how many Log Profiles are listed is available in the opened list. When Log Profiles are selected from the left side for deletion, the information of the selected Log Profile is also displayed here.
- 10 (Page Size)
Select the maximum number of Log Profiles to be listed. You can switch between pages with arrow icons.
- Preview of the Selected Log Profile
After following the steps "Traffic Manager > Profiles > Log" when you click on any profile, a window will open on the right side of the screen with information related to that profile.
This window also provides information about "Used In". For instance, the "SIEM_2" vService log profile is used in the "www.tr7.com" vService.
By clicking the (x) button in the upper right corner of the opened window, you can close the preview.
Interface
Log Profile Adding Form
To add a new Log Profile to the TR7 ASP device, follow the steps "Traffic Manager > Profiles > Log > Add".
- Name
Enter a name for the Log Profile to be created.
- Log Addresses
Enter the IP:Port information of the log server to which logs will be sent.
By clicking the blue (+) button on the right, multiple log servers can be added to a single Log Profile.
Sampling is disabled by default.
When sampling is enabled, a number between "1-10" can be entered. For example, when 5 is entered, every 5 logs of 10 sent to the log server. It can be enabled by clicking the respective button.
- Log Standard
Select the standard with which logs will be sent to the log server. "local" is used as the default.
Logs sent as "local".
Logs sent as "rfc3164".
Logs sent as "rfc5424".
Logs sent as "priority".
Logs sent as "raw".
- Line Format
Select the line format in which logs supported by TR7 ASP will be sent.
o Standard Log Format
Applicable vServices
- HTTP
- L7 TCP
- Network
Example Log Line (HTTP):
>> 172.16.101.16 - - [30/Jun/2022:14:45:26 +0000] "GET /tr7.png?q=val HTTP/1.1" 200 57598
Format:
| Value in Log | Description |
|---|---|
| 172.16.101.16 | Client IP Address |
| [30/Jun/2022:14:45:26 +0000] | Time of Request Made (GMT) |
| "GET /tr7.png?q=val HTTP/1.1" | Request Information ("METHOD PATH+QUERY HTTP_VERSION") |
| 200 | HTTP Response Code |
| 57598 | Response Size in Bytes |
Example Log Line (TCP):
Warning
When Standard Log Format, Apache Combined Log Format, or Apache VHost Log Format are selected for TCP vServices, a standard single format is created by the system.
>> 172.16.101.111:49490 [05/Jul/2022:11:02:34.847] DFE DBE/lbBackends-kw4qm5g5 5003/0/59539 0 cD 1/1/0/0/0 0/0
Format:
| Value in Log | Description |
|---|---|
| 172.16.101.111 | Client IP Address |
| 49490 | Client Port Number |
| [05/Jul/2022:11:02:34.847] | Request Time |
| DFE | vService Configuration Name |
| DBE | Server Group Name to Which the Request Is Routed |
| lbBackends- kw4qm5g5 | Unique Name of the Backend Service |
| 5003 | Wait Time in Queue for Connection (ms) |
| 0 | Time to Connect to the Server (ms) |
| 59539 | Total Time (ms) |
| 0 | Total Sent from Backend Service to Client (bytes) |
| cD | Session Termination |
| 1 | Total Number of Connections |
| 1 | Total Number of Connections in the vService |
| 0 | Total Number of Connections in the Backend Service |
| 0 | Total Active Connections in the Backend Service |
| 0 | Connection Attempt Count |
| 0 | Server Queue |
| 0 | vService Queue |
o Apache Combined Log Format (Standart + Referrer + User-Agent)
Applicable vServices
- HTTP
- L7 TCP
- Network
Example Log Line (HTTP):
>> 172.16.101.16 - - [30/Jun/2022:15:28:56 +0000] "GET /index2.php HTTP/1.1" 200 1763 "http://172.16.101.160:8080/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
Format:
| Value in Log | Description |
|---|---|
| 172.16.101.16 | Client IP Address |
| [30/Jun/2022:15:28:56 +0000] | Request Time |
| (GMT) | |
| "GET /index2.php HTTP/1.1" | Request Information ("METHOD PATH+QUERY |
| HTTP_VERSİYON") | |
| 200 | Returned HTTP Response Code |
| 1763 | Response Size in Bytes |
| "http://172.16.101.160:8080/" | Referer Header Information for the Request |
| "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" | User-Agent Header Information for the Request |
Example Log Line (TCP):
Warning
When Standard Log Format, Apache Combined Log Format, or Apache VHost Log Format are selected for TCP vServices, a standard single format is created by the system.
>> 172.16.101.111:49490 [05/Jul/2022:11:02:34.847] DFE DBE/lbBackends-kw4qm5g5 5003/0/59539 0 cD 1/1/0/0/0 0/0
Format:
| Value in Log | Description |
|---|---|
| 172.16.101.111 | Client IP Address |
| 49490 | Client Port Number |
| [05/Jul/2022:11:02:34.847] | Request Time |
| DFE | vService Configuration Name |
| DBE | Name of the Backend Server Group |
| lbBackends- kw4qm5g5 | Unique Name of the Backend Service |
| 5003 | Waiting Time in Queue for Connection (ms) |
| 0 | Connection Time to Server (ms) |
| 59539 | Total Time (ms) |
| 0 | Total Sent from Backend to Client (bytes) |
| cD | Session Termination |
| 1 | Total Number of Connections |
| 1 | Total Connections at the vService |
| 0 | Total Connections at the Backend |
| 0 | Total Active Connections at the Backend |
| 0 | Number of Connection Attempts |
| 0 | Server Queue Waiting Time |
| 0 | vService Queue Waiting Time |
o Apache VHost Log Format (VHost + Standart + Referrer + User-Agent)
Applicable vServices
- HTTP
- L7 TCP
- Network
Example Log Line (HTTP)::
>> www.domain.com:8080 172.16.101.16 - - [30/Jun/2022:15:32:09 +0000] "GET /index2.php HTTP/1.1" 200 1736 "http://www.domain.com:8080/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
Format:
| Value in Log | Description |
|---|---|
| www.domain.com:8080 | Virtual Host Information of the Request |
| 172.16.101.16 | Client IP Address |
| [30/Jun/2022:15:32:09 +0000] | Request Time (GMT) |
| "GET /index2.php HTTP/1.1" | Request Information ("METHOD PATH+QUERY HTTP_VERSION") |
| 200 | Returned HTTP Response Code |
| 1736 | Response Size in Bytes |
| "http://www.domain.com:8080/" | Referer Header Information for the Request |
| "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" | Referrer Header Information of the Request |
Example Log Line (TCP):
Warning
When Standard Log Format, Apache Combined Log Format, or Apache VHost Log Format are selected for TCP vServices, a standard single format is created by the system.
>> 172.16.101.111:49490 [05/Jul/2022:11:02:34.847] DFE DBE/lbBackends-kw4qm5g5 5003/0/59539 0 cD 1/1/0/0/0 0/0
Format:
| Value in Log | Description |
|---|---|
| 172.16.101.111 | Client IP Address |
| 49490 | Client Port Number |
| [05/Jul/2022:11:02:34.847] | Request Time |
| DFE | vService Configuration Name |
| DBE | Name of the Backend Server Group |
| lbBackends- kw4qm5g5 | Unique Name of the Backend Service |
| 5003 | Queue Waiting Time for Connection (ms) |
| 0 | Connection Time to Server (ms) |
| 59539 | Total Time (ms) |
| 0 | Total Sent from Backend to Client (bytes) |
| cD | Session Termination |
| 1 | Total Number of Connections |
| 1 | Total Connections at the vService |
| 0 | Total Connections at the Backend |
| 0 | Total Active Connections at the Backend |
| 0 | Number of Connection Attempts |
| 0 | Server Queue Waiting Time |
| 0 | vService Queue Waiting Time |
o CEF Format
Applicable vServices
- HTTP
- L7 TCP
- Network
Example Log Line (HTTP > WAF Disabled)::
>> CEF:0|TR7|TR7 ASP|v1.9|200|DBE|5|name=www.tr7.com src=192.168.1.136 srcPort=52304 dst=192.168.1.46 dstPort=8080 serverIP=192.168.1.165 serverPort=80 fCipher=- fProtocol=- sCipher=- sProtocol=- reqMethod=GET reqBase=/ reqQuery= reqProtocol=HTTP/1.1 reqHost=192.168.1.46:8080 reqUA=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.50 reqHeaders=host: 192.168.1.46:8080\r\ncache-control: max-age=0\r\nupgrade-insecure-requests: 1\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/113.0.0.0 Safari\/537.36 Edg\/113.0.1774.50\r\naccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,\/;q=0.8,application\/signed-exchange;v=b3;q=0.7\r\naccept-encoding: gzip, deflate\r\naccept-language: tr,en;q=0.9,en-GB;q=0.8,en-US;q=0.7\r\n\r\n resHeaders=date: Tue, 23 May 2023 07:57:06 GMT\r\nserver: Apache\/2.4.38 (Debian)\r\ncontent-length: 1074\r\ncontent-type: text\/html; charset=UTF-8\r\n\r\n reqUploadBytes=449 resDownloadBytes=1223 username=- isWafAttack=0 wafInfo={}
Format:
| Value in Log | Description |
|---|---|
| CEF:0 | CEF Format |
| TR7 | Manufacturer |
| TR7 ASP | Product Name |
| V1.9 | Product Version |
| 200 | Returned HTTP Response Code |
| DBE | Response Source |
| 5 | CEF Code |
| www.tr7.com | vService Name |
| 192.168.1.136 | Client IP Address |
| 52304 | Client Port Number |
| 192.168.1.46 | vService IP Address |
| 8080 | vService Port Number |
| 192.168.1.165 | Backend Service IP Address |
| 80 | Backend Service Port Number |
| fCipher=- | SSL vService Cipher Info |
| fProtocol=- | SSL vService Protocol Info |
| sCipher=- | Backend Service SSL Cipher Info |
| sProtocol=- | Backend Service SSL Protocol Info |
| GET | HTTP Request Method |
| / | HTTP Request Address |
| reqQuery= | HTTP Request Query Variables |
| HTTP/1.1 | HTTP Request Protocol |
| 192.168.1.46:8080 | HTTP Request Host Header Info |
| Mozilla/5.0 (Windows NT 10.0; Win64; x64)...Edg/113.0.1774.50 | HTTP Request User-Agent Header Info |
| host: host: 192.168.1.46:8080\r\ncache-control: max-age=0\r\nupgrade-insecure-requests: 1\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/113.0.0.0 Safari\/537.36 Edg\/113.0.1774.50\r\naccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,\/;q=0.8,application\/signed-exchange;v=b3;q=0.7\r\naccept-encoding: gzip, deflate\r\naccept-language: tr,en;q=0.9,en-GB;q=0.8,en-US;q=0.7\r\n\r\n | HTTP Request Header Info |
| date: date: Tue, 23 May 2023 07:57:06 GMT\r\nserver: Apache\/2.4.38 (Debian)\r\ncontent-length: 1074\r\ncontent-type: text\/html; charset=UTF-8\r\n\r\n | HTTP HTTP Response Header Info |
| 663 | Request Size (bytes) |
| 57598 | Response Size (bytes) |
| username=- | User Authentication Action |
| isWafAttack=0 | Waf Attack Status (WAF Disabled) |
| wafInfo={} | Waf Attack Information |
Example Log Line (HTTP > WAF Enabled):
>> CEF:0|TR7|TR7 ASP|v1.9|418|TR7|5|name=www.tr7.com src=192.168.1.136 srcPort=52431 dst=192.168.1.46 dstPort=8080 serverIP=- serverPort=- fCipher=- fProtocol=- sCipher=- sProtocol=- reqMethod=GET reqBase=/cmd.exe reqQuery= reqProtocol=HTTP/1.1 reqHost=192.168.1.46:8080 reqUA=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.50 reqHeaders=host: 192.168.1.46:8080\r\nupgrade-insecure-requests: 1\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/113.0.0.0 Safari\/537.36 Edg\/113.0.1774.50\r\naccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,\/;q=0.8,application\/signed-exchange;v=b3;q=0.7\r\naccept-encoding: gzip, deflate\r\naccept-language: tr,en;q=0.9,en-GB;q=0.8,en-US;q=0.7\r\n\r\n resHeaders=- reqUploadBytes=434 resDownloadBytes=686 username=- isWafAttack=1 wafInfo={"bodyLen":0,"path":"\/cmd.exe","wafTime":0.59,"body":"","totalScore":8,"ua":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/113.0.0.0 Safari\/537.36 Edg\/113.0.1774.50","host":"192.168.1.46:8080","query":"","headers":{"user-agent":{"0":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/113.0.0.0 Safari\/537.36 Edg\/113.0.1774.50"},"accept-encoding":{"0":"gzip, deflate"},"accept-language":{"0":"tr,en;q=0.9,en-GB;q=0.8,en-US;q=0.7"},"accept":{"0":"text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,\/;q=0.8,application\/signed-exchange;v=b3;q=0.7"},"host":{"0":"192.168.1.46:8080"},"upgrade-insecure-requests":{"0":"1"}},"date":1684829882692.6,"uid":"C0A80188:CCCF646C76BA:2A50616","method":"GET","cp":52431,"attacks":[{"id":130005,"scope":"path","score":8,"desc":"\/cmd.exe"}],"fpc":false,"ssl":0,"mon":false,"ci":"192.168.1.136"}
| Value in Log | Description |
|---|---|
| CEF:0 | CEF Format |
| TR7 | Manufacturer |
| TR7 ASP | Product Name |
| V1.9 | Product Version |
| 418 | Returned HTTP Response Code |
| DBE | Response Source |
| 5 | CEF Code |
| www.tr7.com | vService Name |
| 192.168.1.136 | Client IP Address |
| 52431 | Client Port Number |
| 192.168.1.46 | vService IP Address |
| 8080 | vService Port Number |
| serverIP=- | Backend Service IP Address |
| serverPort=- | Backend Service Port Number |
| fCipher=- | SSL vService Cipher Info |
| fProtocol=- | SSL vService Protocol Info |
| sCipher=- | Backend Service SSL Cipher Info |
| sProtocol=- | Backend Service SSL Protocol Info |
| GET | HTTP Request Method |
| /cmd.exe | HTTP Request Address |
| reqQuery= | HTTP Request Query Variables |
| HTTP/1.1 | HTTP Protocol |
| 192.168.1.46:8080 | HTTP Request Host Header Info |
| Mozilla/5.0 (Windows NT 10.0; Win64; x64)...Edg/113.0.1774.50 | HTTP Request User-Agent Header Info |
| host: 192.168.1.46:8080\r\nupgrade-insecure-requests: 1\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/113.0.0.0 Safari\/537.36 Edg\/113.0.1774.50\r\naccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,\/;q=0.8,application\/signed-exchange;v=b3;q=0.7\r\naccept-encoding: gzip, deflate\r\naccept-language: tr,en;q=0.9,en-GB;q=0.8,en-US;q=0.7\r\n\r\n | HTTP Request Header Info |
| - | HTTP Response Header Info |
| 434 | Request Size (bytes) |
| 686 | Response Size (bytes) |
| username=- | User Authentication Action |
| isWafAttack=1 | Waf Attack Status (WAF Enabled) |
| wafInfo | Waf Attack Information |
| 0 | Request Body Size |
| \/cmd.exe | HTTP Request Address |
| 0.59 | Time it takes for the request to be blocked by the WAF |
| "body":"" | HTTP Request Host Header Info |
| 8 | WAF Score |
| Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/113.0.0.0 Safari\/537.36 Edg\/113.0.1774.50 | HTTP Request U-A Header Info |
| 192.168.1.46:8080 | HTTP Request Host Header Info |
| "query":"" | HTTP Request Query Variables |
| {"user-agent":{"0":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/113.0.0.0 Safari\/537.36 Edg\/113.0.1774.50"},"accept-encoding":{"0":"gzip, deflate"},"accept-language":{"0":"tr,en;q=0.9,en-GB;q=0.8,en-US;q=0.7"},"accept":{"0":"text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,\/;q=0.8,application\/signed-exchange;v=b3;q=0.7"},"host":{"0":"192.168.1.46:8080"},"upgrade-insecure-requests":{"0":"1"}} | HTTP Header Info |
| 1684829882692.6 | Request Time |
| C0A80188:CCCF646C76BA:2A50616 | UUID |
| GET | HTTP Request Method |
| 52431 | Client Port Number |
| {"id":130005,"scope":"path","score":8,"desc":"\/cmd.exe"} | Details |
| false | Waf Attack Info |
| 0 | SSL Info |
| false | Monitor Mode Status |
| 192.168.1.136 | Client IP Address |
Example Log Line (TCP):
>> CEF:0|TR7|TR7 ASP|v1.9|TCP|TCP|5|name=TCP TEST src=172.16.101.111 srcPort=64289 dst=172.16.101.97 dstPort=7500 fCipher=- fProtocol=- reqUploadBytes=7395 resDownloadBytes=6502
Format:
| Value in Log | Description |
|---|---|
| CEF:0 | CEF Format |
| TR7 | Producer |
| TR7 ASP | Product Name |
| V1.9 | Product Version |
| TCP | Protocol |
| TCP | Response Source |
| 5 | CEF Code |
| TCP TEST | Returned HTTP Response Code |
| 172.16.101.111 | Client IP Address |
| 54756 | Client Port Number |
| 172.16.101.97 | vService IP Adrress |
| 7500 | vService Port Number |
| fCipher=- | SSL vService Cipher Info |
| fProtocol=- | SSL vService Protocol Info |
| 7395 | Request Size (bytes) |
| 6502 | Response Size (bytes) |
o TR7 JSON Format
Applicable vServices
- HTTP
- L7 TCP
- Network
Example Log Line (HTTP > WAF Disabled):
>> {"pool":"TEST","ident":"tr7","time":{"tq":"24","tw":"0","tc":"0","tr":"1","tt":"25"},"conn":{"act":"2","f":"2","b":"0","s":"0"},"queue":{"b":"0","s":"0"},"tstate":"----","retries":"0","network":{"ci":"172.16.101.16","cp":"54708","fi":"172.16.101.160","fp":"8080","si":"172.16.101.212","sp":"80"},"ssl":{"fAlgKeysize":"-","fCipher":"-","fProtocol":"-","fNpn":"-","fAlpn":"-","fKeyAlg":"-","fSigAlg":"-","fVersion":"-","fNotAfter":"-","fNotBefore":"-","fClientDn":"-","fIssuerDn":"-","sAlgKeysize":"-","sCipher":"-","sProtocol":"-","sNpn":"-","sAlpn":"-","sKeyAlg":"-","sSigAlg":"-","sVersion":"-","sNotAfter":"-","sNotBefore":"-","sClientDn":"-","sIssuerDn":"-"},"request":{"method":"GET","uri":"\/tr7.png","protocol":"HTTP/1.1","headers":"host: 172.16.101.160:8080\r\npragma: no-cache\r\ncache-control: no-cache\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/103.0.0.0 Safari\/537.36\r\ndnt: 1\r\naccept: image\/avif,image\/webp,image\/apng,image\/svg+xml,image\/,\/*;q=0.8\r\nreferer: http:\/\/172.16.101.160:8080\/index2.php\r\naccept-encoding: gzip, deflate\r\naccept-language: tr-TR,tr;q=0.9,ru-RU;q=0.8,ru;q=0.7,en-US;q=0.6,en;q=0.5\r\ncookie: app-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRyN0tZSyIsImlwIjoiMTcyLjE2LjEwMS4xNiIsIiRfJCI6MjIxMjI5LCJleHAiOjE2NTcyMDA1MDh9.HsgZCqc8Xf8EXXv9u6Aw204uLh25ft7hO8X6of_Fp_s; Deneme1=TR71; Deneme2=TR72\r\n\r\n"},"response":{ "status_code":"200", "headers":"date: Thu, 30 Jun 2022 15:41:35 GMT\r\nserver: Apache\/2.4.38 (Debian)\r\nlast-modified: Mon, 04 Apr 2022 12:19:26 GMT\r\netag: \"e023-5dbd323b12d67\"\r\naccept-ranges: bytes\r\ncontent-length: 57379\r\ncontent-type: image\/png\r\n\r\n"}, "ids":{"p":"lbPools-l4yit8ld__lb", "b":"DBE","f":"DFE","s":"lbBackends-l4yircod"}, "bytes":{"uploaded":"663","read":"57598"},"resFrom":"-","isWafAttack":"-", "wafInfo":- }
Format:
| Value in Log | Description |
|---|---|
| "pool":"TEST", | vService Name |
| "ident":"tr7", | Producer |
| "tq":"24", | Request Acceptance Time (ms) |
| "tw":"0", | Time in Queue for Connection (ms) |
| "tc":"0", | Server Queue Waiting Time (ms) |
| "tr":"1", | Server Response Time (ms) |
| "tt":"25" | Total Time (ms) |
| "act":"2", | Total Concurrent Connections at the Time of Request |
| "f":"2", | Total Concurrent Connections in vService at the Time of Request |
| "b":"0", | Total Concurrent Connections in Distribution Group at the Time of Request |
| "s":"0" | Total Concurrent Connections in Backend Service at the Time of Request |
| "b":"0", | Total Requests Queued in Distribution Group |
| "s":"0" | Total Requests Queued in Backend Service |
| "tstate":"----", | Termination Code for the Request |
| "retries":"0", | Number of Attempts Made to Connect to Backend Service |
| "ci":"172.16.101.16", | Client IP Address |
| "cp":"54708", | Client Port Number |
| "fi":"172.16.101.160", | vService IP Address |
| "fp":"8080", | vService Port Number |
| "si":"172.16.101.212", | Backend Server IP Address for Response |
| "sp":"80" | Backend Server Port Number for Response |
| "fAlgKeysize":"-", | SSL vService Symmetric Key Size |
| "fCipher":"-", | SSL vService Cipher Info |
| "fProtocol":"-", | SSL vService Protocol Info |
| "fNpn":"-", | SSL vService Npn Info |
| "fAlpn":"-", | SSL vService Alpn Info |
| "fKeyAlg":"-", | SSL vService Key Algorithm |
| "fSigAlg":"-", | SSL vService Signature Algorithm |
| "fVersion":"-", | SSL vService SSL Version |
| "fNotAfter":"-", | SSL vService Certificate Validity Period (NotAfter) |
| "fNotBefore":"-", | SSL vService Certificate Validity Period (NotBefore) |
| "fClientDn":"-", | SSL vService Certificate Client DN Info |
| "fIssuerDn":"-", | SSL vService Certificate İssuer DN Info |
| "sAlgKeysize":"-", | Backend Service SSL Symmetric Key Size |
| "sCipher":"-", | Backend Service SSL Cipher Info |
| "sProtocol":"-", | Backend Service SSL Protokol Info |
| "sNpn":"-", | Backend Service SSL Npn Info |
| "sAlpn":"-", | Backend Service SSL Alpn Info |
| "sKeyAlg":"-", | Backend Service SSL Key Algorithm |
| "sSigAlg":"-", | Backend Service SSL Signature Algorithm |
| "sVersion":"-", | Backend Service SSL Version |
| "sNotAfter":"-", | Backend Service SSL Certificate validity period (NotAfter) |
| "sNotBefore":"-", | Backend Service SSL Certificate validity period (NotBefore) |
| "sClientDn":"-", | Backend Service SSL Certificate Client DN Info |
| "sIssuerDn":"-" | Backend Service SSL Certificate Issuer DN Info |
| "method":"GET", | Request Method |
| "uri":"\/tr7.png", | Path |
| "protocol":"HTTP/1.1", | HTTP Protocol Info |
| "headers":"host: 172.16.101.160:8080\r\npragma: no-cache\r\ncache-control: no-cache\r\nUser-Agent: ... | HTTP Header Information |
| status_code":"200", | vService HTTP Response Code |
| "headers":"date: Thu, 30 Jun 2022 15:41:35 GMT\r\nserver: Apache\/2.4.38 (Debian)\r\nlast-modified: Mon, 04 Apr 2022 12:19:26 GMT\r\netag: \"e023-5dbd323b12d67\"\r\naccept-ranges: bytes\r\ncontent-length: 57379\r\ncontent-type: image\/png\r\n\r\n" | Response HTTP Header Information |
| "p":"lbPools-l4yit8ld__lb", | vService Unique Number |
| "b":"DBE", | Server Group Name to Which the Request is Directed |
| "f":"DFE", | vService Configuration Name |
| "s":"lbBackends-l4yircod" | Backend Service Unique Number |
| "uploaded":"663", | Request Size (bytes) |
| "read":"57598" | Response Size (bytes) |
| "resFrom":"-", | Response Source |
| "isWafAttack":"-" | WAF Attack Status (WAF Disabled) |
| "wafInfo":{} | WAF Info |
Example Log Line (HTTP > WAF Enabled):
>> {"pool":"TEST","ident":"tr7","time":{"tq":"24","tw":"0","tc":"0","tr":"1","tt":"25"},"conn":{"act":"2","f":"2","b":"0","s":"0"},"queue":{"b":"0","s":"0"},"tstate":"----","retries":"0","network":{"ci":"172.16.101.16","cp":"54708","fi":"172.16.101.160","fp":"8080","si":"172.16.101.212","sp":"80"},"ssl":{"fAlgKeysize":"-","fCipher":"-","fProtocol":"-","fNpn":"-","fAlpn":"-","fKeyAlg":"-","fSigAlg":"-","fVersion":"-","fNotAfter":"-","fNotBefore":"-","fClientDn":"-","fIssuerDn":"-","sAlgKeysize":"-","sCipher":"-","sProtocol":"-","sNpn":"-","sAlpn":"-","sKeyAlg":"-","sSigAlg":"-","sVersion":"-","sNotAfter":"-","sNotBefore":"-","sClientDn":"-","sIssuerDn":"-"},"request":{"method":"GET","uri":"\/tr7.png","protocol":"HTTP/1.1","headers":"host: 172.16.101.160:8080\r\npragma: no-cache\r\ncache-control: no-cache\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/103.0.0.0 Safari\/537.36\r\ndnt: 1\r\naccept: image\/avif,image\/webp,image\/apng,image\/svg+xml,image\/,\/*;q=0.8\r\nreferer: http:\/\/172.16.101.160:8080\/index2.php\r\naccept-encoding: gzip, deflate\r\naccept-language: tr-TR,tr;q=0.9,ru-RU;q=0.8,ru;q=0.7,en-US;q=0.6,en;q=0.5\r\ncookie: app-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRyN0tZSyIsImlwIjoiMTcyLjE2LjEwMS4xNiIsIiRfJCI6MjIxMjI5LCJleHAiOjE2NTcyMDA1MDh9.HsgZCqc8Xf8EXXv9u6Aw204uLh25ft7hO8X6of_Fp_s; Deneme1=TR71; Deneme2=TR72\r\n\r\n"},"response":{ "status_code":"200", "headers":"date: Thu, 30 Jun 2022 15:41:35 GMT\r\nserver: Apache\/2.4.38 (Debian)\r\nlast-modified: Mon, 04 Apr 2022 12:19:26 GMT\r\netag: \"e023-5dbd323b12d67\"\r\naccept-ranges: bytes\r\ncontent-length: 57379\r\ncontent-type: image\/png\r\n\r\n"}, "ids":{"p":"lbPools-l4yit8ld__lb", "b":"DBE","f":"DFE","s":"lbBackends-l4yircod"}, "bytes":{"uploaded":"663","read":"57598"},"resFrom":"-","isWafAttack":"1", "wafInfo":{"ssl":0,"host":"172.16.101.192:8080","date":1656949983730.5,"cp":64472,"wafTime":0.256,"totalScore":4,"method":"GET","mon":false,"ci":"172.16.101.111","uid":"AC10656F:FBD862C30CDF:3BE0181","attacks":[{"score":4,"scope":"header","id":130005,"desc":"...16.101.192:8080\/cmd.exe..."}],"bodyLen":0,"ua":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/102.0.5005.115 Safari\/537.36 OPR\/88.0.4412.53}}
Format:
| Value in Log | Description |
|---|---|
| "pool":"TEST", | vService Name |
| "ident":"tr7", | Producer Name |
| "tq":"24", | Request Acceptance Time (ms) (ms) |
| "tw":"0", | Request Queuing Time for Connection (ms)(ms) |
| "tc":"0", | Server Connection Time (ms) (ms) |
| "tr":"1", | Server Response Time (ms) (ms) |
| "tt":"25" | Total Time (ms) (ms) |
| "act":"2", | Total Concurrent Connections at the Time of the Request Sayısı |
| "f":"2", | Concurrent Connections in vService at the Time of the Request Sayısı |
| "b":"0", | Total Concurrent Connections in the Distribution Group at the Time of the Request Sayısı |
| "s":"0" | Concurrent Connections in Backend Services at the Time of the Request Sayısı |
| "b":"0", | Total Number of Requests Entering the Queue in the Distribution Group |
| "s":"0" | Total Number of Requests Entering the Queue in Backend Services |
| "tstate":"----", | Termination Code of the Request Kodu |
| "retries":"0", | Number of Attempts to Connect to Backend Services Sayısı |
| "ci":"172.16.101.16", | Client IP Address |
| "cp":"54708", | Client Port Number |
| "fi":"172.16.101.160", | vService IP Address |
| "fp":"8080", | vService Port Number |
| "si":"172.16.101.212", | Backend IP Address |
| "sp":"80" | Responding Backend Server IP Address |
| "fAlgKeysize":"-", | SSL vService Symmetric Key Size |
| "fCipher":"-", | SSL vService Cipher Information |
| "fProtocol":"-", | SSL vService Protocol Information |
| "fNpn":"-", | SSL vService Npn Information |
| "fAlpn":"-", | SSL vService Alpn Information |
| "fKeyAlg":"-", | SSL vService Key Algorithm |
| "fSigAlg":"-", | SSL vService Signature Algorithm |
| "fVersion":"-", | SSL vService SSL Version |
| "fNotAfter":"-", | SSL vService Certificate Validity Period(NotAfter) |
| "fNotBefore":"-", | SSL vService Certificate Validity Period (NotBefore) |
| "fClientDn":"-", | SSL vService Certificate Client DN Information |
| "fIssuerDn":"-", | SSL vService Certificate Issuer DN Information |
| "sAlgKeysize":"-", | Backend Services SSL Symmetric Key Size |
| "sCipher":"-", | Backend Services SSL Cipher Information |
| "sProtocol":"-", | Backend Services SSL Protocol Information |
| "sNpn":"-", | Backend Services SSL Npn Information |
| "sAlpn":"-", | Backend Services SSL Alpn Information |
| "sKeyAlg":"-", | Backend Services SSL Key Algorithm |
| "sSigAlg":"-", | Backend Services SSL Signature Algorithm |
| "sVersion":"-", | Backend Services SSL Version |
| "sNotAfter":"-", | Backend Services SSL Certificate Validity Period (NotAfter) |
| "sNotBefore":"-", | Backend Services SSL Certificate Validity Period (NotBefore) |
| "sClientDn":"-", | Backend Services SSL Certificate Client DN Information |
| "sIssuerDn":"-" | Backend Services SSL Certificate Issuer DN Information |
| "method":"GET", | Request Method |
| "uri":"\/tr7.png", | Request URI |
| "protocol":"HTTP/1.1", | HTTP Protocol Information |
| "headers":"host: 172.16.101.160:8080\r\npragma: no-cache\r\ncache-control: no-cache\r\nUser-Agent: ... | HTTP Headers in the Request |
| status_code":"200", | Backend Services HTTP Response Code |
| "headers":"date: Thu, 30 Jun 2022 15:41:35 GMT\r\nserver: Apache\/2.4.38 (Debian)\r\nlast-modified: Mon, 04 Apr 2022 12:19:26 GMT\r\netag: \"e023-5dbd323b12d67\"\r\naccept-ranges: bytes\r\ncontent-length: 57379\r\ncontent-type: image\/png\r\n\r\n" | Response HTTP Headers |
| "p":"lbPools-l4yit8ld__lb", | Unique Number of vService |
| "b":"DBE", | Name of the Server Group the Request is Directed to |
| "f":"DFE", | Configuration Name of vService |
| "s":"lbBackends-l4yircod" | Unique Number of Backend Services |
| "uploaded":"663", | Request Size (bytes) |
| "read":"57598" | Response Size (bytes) |
| "resFrom":"-", | Response Source |
| "isWafAttack":"1" | WAF Attack Status (WAF Eneble) |
| "wafInfo":{} | WAF Information |
| "ssl":0, | SSL Not Active |
| "date":1656949983730.5, | Request Time |
| "ci":"172.16.101.111", | Client IP Address |
| "uid":"AC10656F:FBD862C30CDF:3BE0181", | Unique Number of the Request |
| "method":"GET", | Request Method |
| "wafTime":0.256, | WAF Processing Time of the Request |
| "mon":false, | Monitoring Mode Status |
| "totalScore":4, | Total WAF Score of the Blocked Argument in the Request |
| "ua":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/102.0.5005.115 Safari\/537.36 OPR\/88.0.4412.53", | User-Agent Header Information of the Request |
| "bodyLen":0, | Request Body Size |
| "host":"172.16.101.192:8080", | vService Requested |
| "cp":64472, | Client Port Number |
| "desc":"...16.101.192:8080\/cmd.exe...", | Description Related to the Blocked Argument |
| "scope":"header", | Where the Blocked Argument is Found |
| "id":130005, | ID of the Blocked Argument |
| "v":true, | Value “false” indicates the attack argument is found in the name, “true” indicates it's found in the value, “2” indicates it's found in the file content or file name in file upload scenarios. |
| "score":4, | Total Score of the Blocked Argument in the Request |
| "arg":"referer" | Argument Name |
Example Log Line (TCP):
>> {"pool":"TCP TEST","ident":"tr7","time":{"tw":"13","tc":"0","tt":"10511"},"conn":{"act":"2","f":"2","b":"1","s":"1"},"queue":{"b":"0","s":"0"},"tstate":"cD","retries":"0","network":{"ci":"172.16.101.111","cp":"64347","fi":"172.16.101.97","fp":"7500","si":"172.16.111.211","sp":"80"},"ssl":{"fAlgKeysize":"-","fCipher":"-","fProtocol":"-","fNpn":"-","fAlpn":"-","fKeyAlg":"-","fSigAlg":"-","fVersion":"-","fNotAfter":"-","fNotBefore":"-","fClientDn":"-","fIssuerDn":"-","sAlgKeysize":"-","sCipher":"-","sProtocol":"-","sNpn":"-","sAlpn":"-","sKeyAlg":"-","sSigAlg":"-","sVersion":"-","sNotAfter":"-","sNotBefore":"-","sClientDn":"-","sIssuerDn":"-"},"ids":{"p":"lbPools-l3ormj0l__lb", "b":"DBE","f":"DFE","s":"lbBackends-kw4qm5g5"}, "bytes":{"uploaded":"4968","read":"5023"}}
Format:
| Value in Log | Description |
|---|---|
| "pool":"TCP TEST", | vService Name |
| "ident":"tr7", | Producer Name |
| "tw":"13", | Time Spent in Queue for Connection (ms) |
| "tc":"0", | Time to Connect to Server (ms) |
| "tt":"10511" | Total Time (ms) |
| "act":"2", | Total Concurrent Connections at the Time of Request |
| "f":"2", | Concurrent Connections in the vService at the Time of Request |
| "b":"1", | Total Concurrent Connections in the Distribution Group at the Time of Request |
| "s":"1" | Concurrent Connections in the Backend Service at the Time of Request |
| "b":"0", | Total Number of Requests Queued in the Distribution Group |
| "s":"0" | Total Number of Requests Queued in the Backend Service |
| "tstate":"cD", | Termination Code of the Request |
| "retries":"0", | Number of Attempts to Connect to the Backend Service |
| "ci":"172.16.101.111", | Client IP Address |
| "cp":"64347", | Client Port Number |
| "fi":"172.16.101.97", | vService IP Address |
| "fp":"7500", | vService Port Number |
| "si":"172.16.111.211", | Responding Backend Server IP Address |
| "sp":"80" | Backend Server Port Number |
| "fAlgKeysize":"-", | SSL vService Symmetric Key Size |
| "fCipher":"-", | SSL vService Cipher Information |
| "fProtocol":"-", | SSL vService Protocol Information |
| "fNpn":"-", | SSL vService Npn Information |
| "fAlpn":"-", | SSL vService Alpn Information |
| "fKeyAlg":"-", | SSL vService Key Algorithm |
| "fSigAlg":"-", | SSL vService Signature Algorithm |
| "fVersion":"-", | SSL vService Version |
| "fNotAfter":"-", | SSL vService Certificate Validity Period (NotAfter) |
| "fNotBefore":"-", | SSL vService Certificate Validity Period (NotBefore) |
| "fClientDn":"-", | SSL vService Certificate Client DN Information |
| "fIssuerDn":"-", | SSL vService Certificate Issuer DN Information |
| "sAlgKeysize":"-", | Backend Service SSL Symmetric Key Size |
| "sCipher":"-", | Backend Service SSL Cipher Information |
| "sProtocol":"-", | Backend Service SSL Protocol Information |
| "sNpn":"-", | Backend Service SSL Npn Information |
| "sAlpn":"-", | Backend Service SSL Alpn Information |
| "sKeyAlg":"-", | Backend Service SSL Key Algorithm |
| "sSigAlg":"-", | Backend Service SSL Signature Algorithm |
| "sVersion":"-", | Backend Service SSL Version |
| "sNotAfter":"-", | Backend Service SSL Certificate Validity Period (NotAfter) |
| "sNotBefore":"-", | Backend Service SSL Certificate Validity Period (NotBefore) |
| "sClientDn":"-", | Backend Service SSL Certificate Client DN Information |
| "sIssuerDn":"-" | Backend Service SSL Certificate Issuer DN Information |
| "p":"lbPools-l3ormj0l__lb", | Unique Number of the vService |
| "b":"DBE", | Name of the Server Group to Which the Request is Directed |
| "f":"DFE", | vService Configuration Name |
| "s":"lbBackends-kw4qm5g5" | Unique Number of the Backend Service |
| "uploaded":"4968", | Request Size (bytes) |
| "read":"5023" | Response Size (bytes) |
o TR7 WAF Log
Applicable vServices
- HTTP
- L7 TCP
- Network
Example Log Line (HTTP > WAF Enabled):
>> {"host":"172.16.101.192:8080","wafTime":0.338,"path":"\/favicon.ico","mon":false,"date":1656944781536.4,"totalScore":10,"ssl":0,"bodyLen":0,"method":"GET","uid":"AC10656F:F9C162C2F88D:2ED025F","attacks":[{"scope":"header","desc":"...16.101.192:8080\/cmd.exe\/insert...","v":true,"arg":"referer","id":130005,"score":4},{"scope":"header","desc":"...92:8080\/cmd.exe\/insert...","v":true,"arg":"referer","id":110003,"score":6}],"cp":63937,"ua":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/102.0.5005.115 Safari\/537.36 OPR\/88.0.4412.53","ci":"172.16.101.111"}
Format:
| Value in Log | Description |
|---|---|
| "host":"172.16.101.192:8080", | vService Address Servisi |
| "wafTime":0.338, | WAF Processing Time |
| "path":"\/favicon.ico", | Requested Path Bilgisi |
| "mon":false, | Mode Status |
| "date":1656944781536.4, | Request Time |
| "totalScore":10, | Total WAF Score of Blocked Argument in Request |
| "ssl":0, | SSL Not Active |
| "bodyLen":0, | Request Body Size |
| "method":"GET", | Request Method |
| "uid":"AC10656F:F9C162C2F88D:2ED025F", | Unique Identifier of Request |
| "scope":"header", | Where the Blocked Argument is Found |
| "desc":"...16.101.192:8080\/cmd.exe\/insert...", | Description of Blocked |
| "v":true, | If "false", attack argument is found in the name; if "true", it is found in the value of the argument; if "2", in case of file upload attack, it is found inside the file or in the file name. |
| "arg":"referer", | Argument Name |
| "id":130005, | Blocked Argument ID |
| "score":4 | Score of the Blocked Argument in Request |
| "cp":63937, | Client Port Number |
| "ua":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/102.0.5005.115 Safari\/537.36 OPR\/88.0.4412.53", | User-Agent Header Information of Request |
| "ci":"172.16.101.111" | Client IP Address |
o Manuel JSON format
Applicable vServices
- HTTP
- L7 TCP
- Network
The Manuel JSON format allows for the selection of specific information to be sent to the log server as JSON format. This can be done by clicking the (Value) button next on the right side of the Key. Select value that you want to use as Value and specify a name as Key regarding to Value. You can select more than one via (+) button. With these options you can only see the specified logs on your log server.
o Manuel CEF format
Applicable vServices
- HTTP
- L7 TCP
- Network
The Manuel CEF format allows for the selection of specific information to be sent to the log server as CEF format. This can be done by clicking the (Value) button next on the right side of the Key. Select value that you want to use as Value and specify a name as Key regarding to Value. You can select more than one via (+) button. With these options you can only see the specified logs on your log server.
o Manuel Log Line Format
Applicable vServices
- HTTP
- L7 TCP
- Network
The Manuel log line format allows for the selection of specific information to be sent to the log server. This can be done by clicking the (fx) button on the right side. More than one is possible.
- Add
When the Add button is clicked, a Log Profile is added.
Interface
How is a Log Profile added to the vService?
Step > 1
First, navigate through "Settings Mode > vServices" on the TR7 web interface.
Step > 2
Right-click on the vService to which you want to add the Log Profile and select Edit, or click on the service and follow the "Actions > Edit" steps from the pane that opens on the right to reach the same window.
Step > 3
In the vService editing screen, select "Details > LOG" to activate logging.
Step > 4
To use a previously added profile or add a new one, click on the arrow next to the profile. Selections can be made from existing profiles.
A new Log Profile can also be added by clicking the Add button on the vService screen.
Step > 5
Save the changes by clicking the Save button and wait for the reconfiguration of the vService.