Log Fields (RTLD WAF)

Log data is reported as a JSON document. Log format determines whether log data identification information will be included and how the data is formatted. Each type of log format is described below.

JSON

This format includes:
- Top-level name/value pairs that uniquely identify the set of log entries reported in the JSON document.
- An object for each log entry associated with the current JSON document.
View a sample log file.
JSON Array

This format generates a JSON document that contains an array of objects. Each object is a log entry associated with the current JSON document.

View a sample log file.
JSON Lines

This format generates an invalid JSON document that contains an object on each line. Each object is a log entry associated with the current JSON document. This object is an exact match for an object contained by the Logs array.

View a sample log file.

If log data uses either the JSON Array or JSON Lines log format, then it will not contain information that uniquely identifies a set of log data. If log data is delivered to a destination other than AWS S3, Azure Blob Storage, or Google Cloud Storage, then there is no way to check for gaps in sequence numbers when attempting to identify missing log data.

A log entry describes a HTTP/HTTPS request that was submitted to our CDN.

Top-Level Name/Value Pairs

Top-level name/value pairs are unavailable for the JSON Array and JSON Lines log formats. If you require this information, please choose the standard JSON log format.

Top-level name/value pairs are described below.

Field	Friendly Name	Description
account_number String	Customer Account Number	Indicates your CDN account number (e.g., 0001). This account number may be viewed from the upper-right hand corner of the TCC.
agent_id String	Agent ID	Indicates the unique ID that identifies the Real-Time Log Delivery software agent that generated the log data.
datestamp String	Date Stamp	Indicates the date on which the log data was generated. Syntax: YYYYMMDD Example: 20240412
logs Array of Objects	Log Data	Describes the log entries associated with the current JSON document. Each object contains a set of fields that describe the request/response for a single log entry.
profile_id Number (Integer)	Profile ID	Identifies a RTLD profile by its system-defined ID.
seq_num Number (Integer)	Sequence Number	Indicates the sequential number that identifies the order in which the log data was generated by the software agent identified by the agent_id field.
service String	Service	This field always reports waf.

logs Array

The logs array contains an object for each log entry associated with the current JSON document. Each log entry describes a threat via the following fields:

Field	Friendly Name	Description
account_number String	Customer AN	Category: GeneralProvides miscellaneous information about the request. Indicates your CDN account number (e.g., 0001). This account number may be viewed from the upper-right hand corner of the TCC.
action_type String	Action Type	Category: EventProvides high-level information about the violation. Indicates the action that was triggered as a result of the violation. Valid values are: BLOCK_REQUEST: Indicates that the request that violated a rule was blocked. NOP: Indicates that an alert was generated in response to the rule violation. REDIRECT_302: Indicates that the request that violated a rule was redirected to the URL associated with the instance defined by the Instance Name field. CUSTOM_RESPONSE: Indicates that a custom response was returned to the client that submitted a request that violated a rule.
client_city String	City Name	Category: Client GeographyProvides geographical information about the client that submitted the request. Indicates the city from which the request originated.
client_country_code String	Country Code	Category: Client GeographyProvides geographical information about the client that submitted the request. Indicates the two-character ISO 3166-1 code for the country from which the request originated. View a listing of country codes.
client_country String	Country Name	Category: Client GeographyProvides geographical information about the client that submitted the request. Indicates the country from which the request originated.
client_ip String	IP Address	Category: Client NetworkDescribes the network of the client that submitted the request. Indicates the IP address for the computer that submitted the request to our CDN.
host String	Host	Category: Request HeaderDescribes request header values. Indicates the Host header value sent in the client's request to the CDN. View examples. Example 1: We will examine log data for the following request: http://can.0001.transactcdn.com/800001/myorigin/index.html The following value will be reported for this field: can.0001.transactcdn.com Example 2: We will examine log data for the following request: http://cdn.mydomain.com/index.html The following value will be reported for this field: cdn.mydomain.com
referer String	Referer	Category: Request HeaderDescribes request header values. Indicates the Referer header value sent in the client's request to the CDN. This header reports the URL of the site from which the request originated. This field will typically be set to a blank value.
rule_message String	Rule Message	Category: EventProvides high-level information about the violation. Provides a description of the rule that the request violated.
rule_tags Array of String Values	Rule Tags	Category: EventProvides high-level information about the violation. Indicates the tags associated with the rule that the request violated. These tags may be used to determine whether a rule, access control, or global setting was violated.
server_port Integer	Server Port	Category: Network Provides information on where and how the request was handled by our network. Indicates the port number on an edge server to which the client directed a request. Valid values are: 80: HTTP request 443: HTTPS request
sub_events_count Integer	Sub Events Count	Category: Sub EventIndicates how the request violated the security configuration. Indicates the total number of sub events.
sub_events Array of Objects	Sub Events	Category: Sub EventIndicates how the request violated the security configuration. Contains a list of fields that describe each sub event associated with the current event. A sub event is reported for each rule violation incurred by a request.
timestamp Number (Decimal)	Epoch Time	Category: ResponseDescribes the response sent from an edge server to the client that submitted the request. Indicates the Unix time, in seconds, at which an edge server delivered the requested content to the client. Syntax: Seconds.Microseconds
url String	URL	Category: RequestDescribes the request submitted to the CDN. Indicates the URL that was requested.
user_agent String	User Agent	Category: Request HeaderDescribes request header values. Indicates the user agentRefers to software that acts on behalf of a user. For example, a web browser (e.g., FireFox, Chrome, and Internet Explorer) is a user agent. A web browser will make HTTP/HTTPS requests based on user actions (e.g., requesting a web site or clicking a link). that submitted the HTTP request to our CDN.
uuid String	Event ID	Category: RequestDescribes the request submitted to the CDN. Indicates the unique ID assigned to the event. Pass this ID to the Get Event Log Entry endpoint to retrieve this event log entry.
waf_instance_name String	Instance Name	Category: Security ConfigurationProvides information about the security configuration that was violated. Indicates the name of the instance that activated the profile containing the rule that the requested violated.
waf_profile_name String	Profile Name	Category: Security ConfigurationProvides information about the security configuration that was violated. Indicates the name of the profile that triggered the violation.
waf_profile_type String	Profile Type	Category: Security ConfigurationProvides information about the security configuration that was violated. Indicates whether the request was screened as a result of an instance’s production or audit profile. Valid values are: PRODUCTION \| AUDIT

Field

Friendly Name

Description

account_number

String

Customer AN

Category: GeneralProvides miscellaneous information about the request.

Indicates your CDN account number (e.g., 0001). This account number may be viewed from the upper-right hand corner of the TCC.

action_type

String

Action Type

Category: EventProvides high-level information about the violation.

Indicates the action that was triggered as a result of the violation. Valid values are:

BLOCK_REQUEST: Indicates that the request that violated a rule was blocked.
NOP: Indicates that an alert was generated in response to the rule violation.
REDIRECT_302: Indicates that the request that violated a rule was redirected to the URL associated with the instance defined by the Instance Name field.
CUSTOM_RESPONSE: Indicates that a custom response was returned to the client that submitted a request that violated a rule.

client_city

String

City Name

Category: Client GeographyProvides geographical information about the client that submitted the request.

Indicates the city from which the request originated.

client_country_code

String

Country Code

Category: Client GeographyProvides geographical information about the client that submitted the request.

Indicates the two-character ISO 3166-1 code for the country from which the request originated.

View a listing of country codes.

client_country

String

Country Name

Category: Client GeographyProvides geographical information about the client that submitted the request.

Indicates the country from which the request originated.

client_ip

String

IP Address

Category: Client NetworkDescribes the network of the client that submitted the request.

Indicates the IP address for the computer that submitted the request to our CDN.

host

String

Host

Category: Request HeaderDescribes request header values.

Indicates the Host header value sent in the client's request to the CDN.

referer

String

Referer

Category: Request HeaderDescribes request header values.

Indicates the Referer header value sent in the client's request to the CDN. This header reports the URL of the site from which the request originated.

This field will typically be set to a blank value.

rule_message

String

Rule Message

Category: EventProvides high-level information about the violation.

Provides a description of the rule that the request violated.

rule_tags

Array of String Values

Rule Tags

Category: EventProvides high-level information about the violation.

Indicates the tags associated with the rule that the request violated. These tags may be used to determine whether a rule, access control, or global setting was violated.

server_port

Integer

Server Port

Category: Network Provides information on where and how the request was handled by our network.

Indicates the port number on an edge server to which the client directed a request. Valid values are:

80: HTTP request
443: HTTPS request

sub_events_count

Integer

Sub Events Count

Category: Sub EventIndicates how the request violated the security configuration.

Indicates the total number of sub events.

sub_events

Array of Objects

Sub Events

Category: Sub EventIndicates how the request violated the security configuration.

Contains a list of fields that describe each sub event associated with the current event. A sub event is reported for each rule violation incurred by a request.

timestamp

Number (Decimal)

Epoch Time

Category: ResponseDescribes the response sent from an edge server to the client that submitted the request.

Indicates the Unix time, in seconds, at which an edge server delivered the requested content to the client.

Syntax:

Seconds.Microseconds

url

String

URL

Category: RequestDescribes the request submitted to the CDN.

Indicates the URL that was requested.

user_agent

String

User Agent

Category: Request HeaderDescribes request header values.

Indicates the user agentRefers to software that acts on behalf of a user. For example, a web browser (e.g., FireFox, Chrome, and Internet Explorer) is a user agent. A web browser will make HTTP/HTTPS requests based on user actions (e.g., requesting a web site or clicking a link). that submitted the HTTP request to our CDN.

uuid

String

Event ID

Category: RequestDescribes the request submitted to the CDN.

Indicates the unique ID assigned to the event.

Pass this ID to the Get Event Log Entry endpoint to retrieve this event log entry.

waf_instance_name

String

Instance Name

Category: Security ConfigurationProvides information about the security configuration that was violated.

Indicates the name of the instance that activated the profile containing the rule that the requested violated.

waf_profile_name

String

Profile Name

Category: Security ConfigurationProvides information about the security configuration that was violated.

Indicates the name of the profile that triggered the violation.

waf_profile_type

String

Profile Type

Category: Security ConfigurationProvides information about the security configuration that was violated.

Indicates whether the request was screened as a result of an instance’s production or audit profile. Valid values are:

PRODUCTION | AUDIT

sub_events Array

The sub_events array contains a list of fields that describe each sub event associated with the current event. A sub event is reported for each rule violation incurred by a request.

Field	Friendly Name	Description
matched_on String	Matched On	Indicates the variable that identifies where the violation was found. View variable definitions.
matched_value String	Matched Value	Indicates the value of the variable defined in the matched_on field.
rule_id Integer	Rule ID	Indicates the ID for the rule that the request violated.
rule_message String	Rule Message	Provides a description of the rule that the request violated.
total_anomaly_score Integer	Total Anomaly Score	Indicates the total anomaly score for the current rule violation. This score is calculated by summing the anomaly score of the current rule violation with all rule violations reported above this sub event. View example. The anomaly score incurred by each sub event in this example is listed below. Sub Event 1: Anomaly Score 2 Sub Event 2: Anomaly Score 3 Sub Event 3: Anomaly Score 2 The total anomaly score for each sub event is listed below. Sub Event 1: Total Anomaly Score = 2 Sub Event 2: Total Anomaly Score = 5 Sub Event 3: Total Anomaly Score = 7

Sample Log Data

Sample log data that contains two log entries is provided below for all three log formats.

Example (JSON):

{
	"agent_id": "1234500008619D55A",
	"seq_num": 0,
	"service": "waf",
	"account_number": "0001",
	"profile_id": 0,
	"datestamp": "20201008",
	"logs": [{
			"timestamp": 1602200337.177535713,
			"user_agent": "curl/7.64.1",
			"url": "https://cdn.example.com/",
			"client_ip": "190.220.230.2",
			"referer": "",
			"host": "cdn.example.com",
			"uuid": "38046679731278771327748811544613832704",
			"client_country_code": "US",
			"waf_profile_name": "Site 1",
			"waf_profile_type": "PRODUCTION",
			"waf_instance_name": "Site 1 Instance",
			"sub_events_count": 1,
			"sub_events": [{
					"total_anomaly_score": 0,
					"matched_on": "REQUEST_METHOD",
					"matched_value": "POST",
					"rule_id": 80009,
					"rule_message": "Method is not allowed by policy"
				}
			],
			"rule_tags": [],
			"rule_message": "Method is not allowed by policy",
			"action_type": "BLOCK_REQUEST",
			"server_port": 443,
			"client_country": "United States",
			"client_city": "Los Angeles"
		}, {
			"timestamp": 1602200338.598465258,
			"user_agent": "curl/7.64.1",
			"url": "https://cdn.example.com/",
			"client_ip": "230.180.240.23",
			"referer": "",
			"host": "cdn.example.com",
			"uuid": "38046679731278771327748811544613832998",
			"client_country_code": "US",
			"waf_profile_name": "Site 1",
			"waf_profile_type": "PRODUCTION",
			"waf_instance_name": "Site 1 Instance",
			"sub_events_count": 1,
			"sub_events": [{
					"total_anomaly_score": 0,
					"matched_on": "REQUEST_METHOD",
					"matched_value": "POST",
					"rule_id": 80009,
					"rule_message": "Method is not allowed by policy"
				}
			],
			"rule_tags": [],
			"rule_message": "Method is not allowed by policy",
			"action_type": "BLOCK_REQUEST",
			"server_port": 443,
			"client_country": "United States",
			"client_city": "Los Angeles"
		}
	]
}

Example (JSON array):

[{
		"timestamp": 1602200337.177535713,
		"user_agent": "curl/7.64.1",
		"url": "https://cdn.example.com/",
		"client_ip": "190.220.230.2",
		"referer": "",
		"host": "cdn.example.com",
		"uuid": "38046679731278771327748811544613832704",
		"client_country_code": "US",
		"waf_profile_name": "Site 1",
		"waf_profile_type": "PRODUCTION",
		"waf_instance_name": "Site 1 Instance",
		"sub_events_count": 1,
		"sub_events": [{
				"total_anomaly_score": 0,
				"matched_on": "REQUEST_METHOD",
				"matched_value": "POST",
				"rule_id": 80009,
				"rule_message": "Method is not allowed by policy"
			}
		],
		"rule_tags": [],
		"rule_message": "Method is not allowed by policy",
		"action_type": "BLOCK_REQUEST",
		"server_port": 443,
		"client_country": "United States",
		"client_city": "Los Angeles"
	}, {
		"timestamp": 1602200338.598465258,
		"user_agent": "curl/7.64.1",
		"url": "https://cdn.example.com/",
		"client_ip": "230.180.240.23",
		"referer": "",
		"host": "cdn.example.com",
		"uuid": "38046679731278771327748811544613832998",
		"client_country_code": "US",
		"waf_profile_name": "Site 1",
		"waf_profile_type": "PRODUCTION",
		"waf_instance_name": "Site 1 Instance",
		"sub_events_count": 1,
		"sub_events": [{
				"total_anomaly_score": 0,
				"matched_on": "REQUEST_METHOD",
				"matched_value": "POST",
				"rule_id": 80009,
				"rule_message": "Method is not allowed by policy"
			}
		],
		"rule_tags": [],
		"rule_message": "Method is not allowed by policy",
		"action_type": "BLOCK_REQUEST",
		"server_port": 443,
		"client_country": "United States",
		"client_city": "Los Angeles"
	}
]

Example (JSON lines):

{"user_agent": "Mozilla/5.0 (Windows NT ...Represents a log entry.}
{"user_agent": "Mozilla/5.0 (Windows NT ...}