NGINX App Protect DoS Security Log
Overview
Security logs contain information about the status of the protected objects. They give a general picture of each protected object in terms of traffic intensity, health of the backend server, learning, and mitigations.
There are several types of logs, each containing different information and published either periodically or upon an important event.
Dictionary
The following table lists all the possible fields in the logs and their meaning.
Field | Type | Meaning |
---|---|---|
date_time | string | the date and time of the event |
product | string | always set to app-protect-dos |
product_version | string | F5 NGINX App Protect DoS version |
unit_hostname | string | host name of the app-protect-dos instance |
instance_id | string | instance ID: the container ID from /proc/self/cgroup, or the hostname if a container is not available |
vs_name | string | A unique identifier (representing the protected object's name) of the location in the nginx.conf file that this request is associated with. It contains the line number of the containing server block in nginx.conf, the server name, a numeric discriminator that distinguishes between multiple entries within the same server, and the location name. For example: 34-mydomain.com:0-~/.*php(2). |
dos_attack_id | integer | unique attack ID per unit_hostname |
attack_event | string | event name as it appears in the remote logger |
stress_level | float | a number from 0 to … that reflects the stress level |
learning_confidence | string | the possible values are not ready, bad actors only, and ready |
baseline_dps | integer | learned datagrams per second (DPS) |
incoming_dps | integer | current datagrams per second (DPS) |
incoming_rps | integer | current requests per second (RPS) |
successful_tps | integer | successful TPS (successful requests per second: any response code other than 5xx) |
allowlist_rps | integer | allowlist requests per second |
unsuccessful_rps | integer | unsuccessful requests per second (passed to the server and not responded to: reset / timeout / 5xx) |
incoming_datagrams | integer | incremental number of incoming datagrams |
incoming_requests | integer | incremental number of incoming requests |
allowlist_requests | integer | incremental number of allowlist requests |
successful_responses | integer | incremental number of successful responses |
unsuccessful_requests | integer | incremental number of unsuccessful requests (passed to the server and not responded to: reset / timeout / 5xx) |
active_connections | integer | current number of active server connections |
threshold_dps | float | global rate DPS threshold |
threshold_conns | float | active connections threshold |
mitigated_bad_actors | integer | incremental number of mitigated bad actors; increments upon any type of bad actor mitigation |
redirect_bad_actor | integer | incremental number of HTTP redirections sent to detected bad actors |
challenge_bad_actor | integer | incremental number of JS challenges sent to detected bad actors |
block_bad_actor | integer | incremental number of blocked bad actors |
mitigated_by_signatures | integer | incremental number of requests mitigated by signatures; increments upon any type of signature mitigation |
redirect_signature | integer | incremental number of HTTP redirections sent to clients whose requests match a signature |
challenge_signature | integer | incremental number of JS challenges sent to clients whose requests match a signature |
block_signature | integer | incremental number of blocked requests that match a signature |
mitigated_by_global_rate | integer | incremental number of requests mitigated by global rate; increments upon any type of global rate mitigation |
redirect_global | integer | incremental number of HTTP redirections sent to clients upon global rate mitigation |
challenge_global | integer | incremental number of JS challenges sent to clients upon global rate mitigation |
block_global | integer | incremental number of blocked requests upon global rate mitigation |
mitigated_slow | integer | incremental number of mitigated slow requests; increments upon any type of slow request mitigation |
redirect_slow | integer | incremental number of HTTP redirections sent to clients upon slow request mitigation |
challenge_slow | integer | incremental number of JS challenges sent to clients upon slow request mitigation |
block_slow | integer | incremental number of blocked slow requests |
mitigated_connections | integer | incremental number of mitigations by connections mitigation |
mitigated_bad_actors_l4 | integer | incremental number of mitigations by L4 accelerated mitigation |
mitigated_bad_actors_rps | integer | mitigated bad actors per second; includes any type of bad actor mitigation |
redirect_bad_actor_rps | integer | HTTP redirections per second sent to detected bad actors |
challenge_bad_actor_rps | integer | JS challenges per second sent to detected bad actors |
block_bad_actor_rps | integer | blocked bad actors per second |
mitigated_by_signatures_rps | integer | requests mitigated by signatures per second; includes any type of signature mitigation |
redirect_signature_rps | integer | HTTP redirections per second sent to clients whose requests match a signature |
challenge_signature_rps | integer | JS challenges per second sent to clients whose requests match a signature |
block_signature_rps | integer | blocked requests per second that match a signature |
mitigated_slow_rps | integer | mitigated slow requests per second; includes any type of slow request mitigation |
redirect_slow_rps | integer | HTTP redirections per second sent to clients upon slow request mitigation |
challenge_slow_rps | integer | JS challenges per second sent to clients upon slow request mitigation |
block_slow_rps | integer | blocked slow requests per second |
mitigated_by_global_rate_rps | integer | requests mitigated by global rate per second; includes any type of global rate mitigation |
redirect_global_rps | integer | HTTP redirections per second sent to clients upon global rate mitigation |
challenge_global_rps | integer | JS challenges per second sent to clients upon global rate mitigation |
block_global_rps | integer | blocked requests per second upon global rate mitigation |
mitigated_bad_actors_l4_rps | integer | blocked requests per second when mitigated by L4 accelerated mitigation |
mitigated_connections_rps | integer | mitigations per second by connections mitigation |
source_ip | string | IP address of the detected bad actor, for example 1.1.1.1 |
tls_fp | string | TLS fingerprint of the bad actor |
impact_rps | integer | RPS created by the bad actor at the time of detection (calculated as the max hit count in AMT / 10) |
new_bad_actors_detected | integer | the number of newly detected bad actors |
bad_actors | integer | the number of bad actors |
signature | string | signature string, for example http.request.method eq GET and http.uri_parameters eq 6 |
signature_id | integer | unique signature ID per unit_host |
signature_efficiency | float | estimated efficiency upon signature detection: percentage of bad traffic covered by the signature |
signature_accuracy | float | estimated accuracy upon signature detection: percentage of learned good traffic NOT covered by the signature |
Events
1a. Attack notification
Reports the start and end of an attack, as well as the major parameters of ongoing attacks.
a. Example: Attack Started
date_time="Oct 05 2021 08:01:00",
product="app-protect-dos",
product_version="25+1.78.0-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="129c76",
vs_name="example.com/",
dos_attack_id="1",
attack_event="Attack started",
stress_level="1.00",
learning_confidence="Ready",
baseline_dps="17",
incoming_dps="181",
incoming_rps="181",
successful_tps="0",
allowlist_rps="0",
unsuccessful_rps="0",
incoming_datagrams="8576",
incoming_requests="8576",
allowlist_requests="162",
successful_responses="5265",
unsuccessful_requests="0",
active_connections="58",
threshold_dps="41.60",
threshold_conns="41.60",
mitigated_bad_actors="0",
mitigated_by_signatures="0",
mitigated_by_global_rate="0",
mitigated_bad_actors_l4="0",
mitigated_slow="0",
redirect_global="0",
redirect_bad_actor="0",
redirect_signature="0",
redirect_slow="0",
challenge_global="0",
challenge_bad_actor="0",
challenge_signature="0",
challenge_slow="0",
block_global="0",
block_bad_actor="0",
block_signature="0",
block_slow="0",
mitigated_connections="0",
mitigated_bad_actors_rps="0",
mitigated_by_signatures_rps="0",
mitigated_by_global_rate_rps="0",
mitigated_bad_actors_l4_rps="0",
mitigated_slow_rps="0",
redirect_global_rps="0",
redirect_bad_actor_rps="0",
redirect_signature_rps="0",
redirect_slow_rps="0",
challenge_global_rps="0",
challenge_bad_actor_rps="0",
challenge_signature_rps="0",
challenge_slow_rps="0",
block_global_rps="0",
block_bad_actor_rps="0",
block_signature_rps="0",
block_slow_rps="0",
mitigated_connections_rps="0",
b. Example: Attack Ended
date_time="Oct 05 2021 08:06:21",
product="app-protect-dos",
product_version="25+1.78.0-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="129c76",
vs_name="example.com/",
dos_attack_id="1",
attack_event="Attack ended",
stress_level="0.50",
learning_confidence="Ready",
baseline_dps="12",
incoming_dps="0",
incoming_rps="0",
successful_tps="0",
allowlist_rps="0",
unsuccessful_rps="0",
incoming_datagrams="226566",
incoming_requests="226566",
allowlist_requests="1632",
successful_responses="7760",
unsuccessful_requests="0",
active_connections="0",
threshold_dps="2121.60",
threshold_conns="2121.60",
mitigated_bad_actors="94488",
mitigated_by_signatures="117361",
mitigated_by_global_rate="2861",
mitigated_bad_actors_l4="62788",
mitigated_slow="0",
redirect_global="2861",
redirect_bad_actor="94488",
redirect_signature="117361",
redirect_slow="0",
challenge_global="0",
challenge_bad_actor="0",
challenge_signature="0",
challenge_slow="0",
block_global="0",
block_bad_actor="0",
block_signature="0",
block_slow="0",
mitigated_connections="0",
mitigated_bad_actors_rps="0",
mitigated_by_signatures_rps="0",
mitigated_by_global_rate_rps="0",
mitigated_bad_actors_l4_rps="0",
mitigated_slow_rps="0",
redirect_global_rps="0",
redirect_bad_actor_rps="0",
redirect_signature_rps="0",
redirect_slow_rps="0",
challenge_global_rps="0",
challenge_bad_actor_rps="0",
challenge_signature_rps="0",
challenge_slow_rps="0",
block_global_rps="0",
block_bad_actor_rps="0",
block_signature_rps="0",
block_slow_rps="0",
mitigated_connections_rps="0",
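The counters the dictionary marks as incremental keep growing from one record to the next (compare incoming_requests in the "Attack started" and "Attack ended" examples above), so a per-attack total is the difference between the end and start records rather than the value in either one. The following Python is an added example, not code from the page or from NGINX App Protect DoS: it parses the key="value" record layout shown above, pairs the two events by vs_name and dos_attack_id, computes attack duration and counter deltas, and checks that each mitigation family's total equals its redirect + challenge + block breakdown. It assumes the incremental counters are cumulative per protected object and that date_time follows the "Oct 05 2021 08:01:00" layout seen in the examples; the sample records are constructed from the page's values, reduced to the fields used here.

```python
import re
from datetime import datetime

# Constructed sample records: values of the page's "Attack started" and
# "Attack ended" examples, reduced to the fields this example reads.
ATTACK_STARTED = (
    'date_time="Oct 05 2021 08:01:00",product="app-protect-dos",'
    'vs_name="example.com/",dos_attack_id="1",attack_event="Attack started",'
    'incoming_requests="8576",mitigated_bad_actors="0",redirect_bad_actor="0",'
    'challenge_bad_actor="0",block_bad_actor="0",mitigated_by_signatures="0",'
    'redirect_signature="0",challenge_signature="0",block_signature="0",'
    'mitigated_by_global_rate="0",redirect_global="0",challenge_global="0",'
    'block_global="0",mitigated_slow="0",redirect_slow="0",challenge_slow="0",'
    'block_slow="0",mitigated_bad_actors_l4="0",'
)
ATTACK_ENDED = (
    'date_time="Oct 05 2021 08:06:21",product="app-protect-dos",'
    'vs_name="example.com/",dos_attack_id="1",attack_event="Attack ended",'
    'incoming_requests="226566",mitigated_bad_actors="94488",redirect_bad_actor="94488",'
    'challenge_bad_actor="0",block_bad_actor="0",mitigated_by_signatures="117361",'
    'redirect_signature="117361",challenge_signature="0",block_signature="0",'
    'mitigated_by_global_rate="2861",redirect_global="2861",challenge_global="0",'
    'block_global="0",mitigated_slow="0",redirect_slow="0",challenge_slow="0",'
    'block_slow="0",mitigated_bad_actors_l4="62788",'
)

# One key="value" pair; values in this format never contain a double quote.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
DATE_FMT = "%b %d %Y %H:%M:%S"  # assumption: matches the page's date_time layout

# Each mitigation family: total counter -> its per-action breakdown counters.
FAMILIES = {
    "mitigated_bad_actors": ("redirect_bad_actor", "challenge_bad_actor", "block_bad_actor"),
    "mitigated_by_signatures": ("redirect_signature", "challenge_signature", "block_signature"),
    "mitigated_by_global_rate": ("redirect_global", "challenge_global", "block_global"),
    "mitigated_slow": ("redirect_slow", "challenge_slow", "block_slow"),
}


def parse_record(line):
    """Turn one key="value",... record into a dict of strings."""
    return dict(FIELD_RE.findall(line))


def counter_delta(start, end, field):
    """Growth of a cumulative counter between two records of the same object."""
    return int(end[field]) - int(start[field])


def summarize_attack(start_line, end_line):
    """Summarize one attack from its 'Attack started' / 'Attack ended' pair."""
    start, end = parse_record(start_line), parse_record(end_line)
    if start["attack_event"] != "Attack started" or end["attack_event"] != "Attack ended":
        raise ValueError("expected an 'Attack started' record followed by 'Attack ended'")
    if (start["vs_name"], start["dos_attack_id"]) != (end["vs_name"], end["dos_attack_id"]):
        raise ValueError("records belong to different attacks or protected objects")
    t0 = datetime.strptime(start["date_time"], DATE_FMT)
    t1 = datetime.strptime(end["date_time"], DATE_FMT)
    summary = {
        "vs_name": start["vs_name"],
        "dos_attack_id": start["dos_attack_id"],
        "duration_s": int((t1 - t0).total_seconds()),
        "requests": counter_delta(start, end, "incoming_requests"),
        "mitigated": {},
        "inconsistent": [],  # families whose breakdown does not add up to the total
    }
    for total, parts in FAMILIES.items():
        delta = counter_delta(start, end, total)
        summary["mitigated"][total] = delta
        if sum(counter_delta(start, end, p) for p in parts) != delta:
            summary["inconsistent"].append(total)
    # L4 accelerated mitigation has no redirect/challenge/block breakdown.
    summary["mitigated"]["mitigated_bad_actors_l4"] = counter_delta(
        start, end, "mitigated_bad_actors_l4")
    return summary


if __name__ == "__main__":
    print(summarize_attack(ATTACK_STARTED, ATTACK_ENDED))
```

On the page's two records this yields a 321-second attack with 217990 incoming requests, 94488 bad-actor mitigations, 117361 signature mitigations, 2861 global-rate mitigations and 62788 L4 mitigations, all breakdowns consistent; a non-empty "inconsistent" list would point at records that were split across restarts or a counter that was reset mid-attack.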
1b. Traffic/Mitigation summary stats
Reported periodically, providing aggregated statistics per protected object.
This corresponds to the metrics reported on the main Grafana screen.
a. Example: No Attack
date_time="Oct 05 2021 07:54:29",
product="app-protect-dos",
product_version="25+1.78.0-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="129c76",
vs_name="example.com/",
dos_attack_id="0",
attack_event="No Attack",
stress_level="0.50",
learning_confidence="Not ready",
baseline_dps="19",
incoming_dps="9",
incoming_rps="9",
successful_tps="10",
allowlist_rps="1",
unsuccessful_rps="0",
incoming_datagrams="678",
incoming_requests="678",
allowlist_requests="52",
successful_responses="678",
unsuccessful_requests="0",
active_connections="0",
threshold_dps="2121.60",
threshold_conns="2121.60",
mitigated_bad_actors="0",
mitigated_by_signatures="0",
mitigated_by_global_rate="0",
mitigated_bad_actors_l4="0",
mitigated_slow="0",
redirect_global="0",
redirect_bad_actor="0",
redirect_signature="0",
redirect_slow="0",
challenge_global="0",
challenge_bad_actor="0",
challenge_signature="0",
challenge_slow="0",
block_global="0",
block_bad_actor="0",
block_signature="0",
block_slow="0",
mitigated_connections="0",
mitigated_bad_actors_rps="0",
mitigated_by_signatures_rps="0",
mitigated_by_global_rate_rps="0",
mitigated_bad_actors_l4_rps="0",
mitigated_slow_rps="0",
redirect_global_rps="0",
redirect_bad_actor_rps="0",
redirect_signature_rps="0",
redirect_slow_rps="0",
challenge_global_rps="0",
challenge_bad_actor_rps="0",
challenge_signature_rps="0",
challenge_slow_rps="0",
block_global_rps="0",
block_bad_actor_rps="0",
block_signature_rps="0",
block_slow_rps="0",
mitigated_connections_rps="0",
b. Example: Under Attack
date_time="Oct 05 2021 08:02:35",
product="app-protect-dos",
product_version="25+1.78.0-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="129c76",
vs_name="example.com/",
dos_attack_id="1",
attack_event="Under Attack",
stress_level="0.50",
learning_confidence="Ready",
baseline_dps="12",
incoming_dps="893",
incoming_rps="893",
successful_tps="12",
allowlist_rps="1",
unsuccessful_rps="0",
incoming_datagrams="87823",
incoming_requests="87823",
allowlist_requests="1523",
successful_responses="5736",
unsuccessful_requests="0",
active_connections="1",
threshold_dps="92.40",
threshold_conns="92.40",
mitigated_bad_actors="0",
mitigated_by_signatures="75137",
mitigated_by_global_rate="2861",
mitigated_bad_actors_l4="62788",
mitigated_slow="0",
redirect_global="2861",
redirect_bad_actor="0",
redirect_signature="75137",
redirect_slow="0",
challenge_global="0",
challenge_bad_actor="0",
challenge_signature="0",
challenge_slow="0",
block_global="0",
block_bad_actor="0",
block_signature="0",
block_slow="0",
mitigated_connections="0",
mitigated_bad_actors_rps="0",
mitigated_by_signatures_rps="879",
mitigated_by_global_rate_rps="0",
mitigated_bad_actors_l4_rps="0",
mitigated_slow_rps="0",
redirect_global_rps="0",
redirect_bad_actor_rps="0",
redirect_signature_rps="879",
redirect_slow_rps="0",
challenge_global_rps="0",
challenge_bad_actor_rps="0",
challenge_signature_rps="0",
challenge_slow_rps="0",
block_global_rps="0",
block_bad_actor_rps="0",
block_signature_rps="0",
block_slow_rps="0",
mitigated_connections_rps="0",
2. Bad actor detection/expiration
Reports NGINX App Protect DoS decisions regarding bad actors.
a. Example: Bad Actor Detection
date_time="Apr 29 2021 14:03:01",
product="app-protect-dos",
product_version="23+1.54.1-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="d9a6d8",
vs_name="example.com/",
dos_attack_id="1",
attack_event="Bad actor detection",
source_ip="5.5.5.9",
impact_rps="30",
b. Example: Bad Actor Expired
date_time="Apr 29 2021 14:05:29",
product="app-protect-dos",
product_version="23+1.54.1-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="d9a6d8",
vs_name="example.com/",
dos_attack_id="0",
attack_event="Bad actor expired",
source_ip="5.5.5.10",
impact_rps="12",
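Detection and expiration events arrive as separate records, so the set of IPs currently under bad-actor mitigation for a protected object has to be reconstructed by replaying them in order. The following Python is an added example, not code from the page or from NGINX App Protect DoS: it keeps that state per vs_name, drops an IP on its "Bad actor expired" event, and flags an expiration that has no matching detection. The event stream is constructed: the values of the page's two examples plus a detection for 5.5.5.10 (so its expiration has something to match) and an expiration for 203.0.113.7, an address from the documentation range that never appears in a detection.

```python
import re

# One key="value" pair of the record layout shown on this page.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed event stream, reduced to the fields this example reads.
EVENTS = [
    'attack_event="Bad actor detection",vs_name="example.com/",source_ip="5.5.5.9",impact_rps="30",',
    'attack_event="Bad actor detection",vs_name="example.com/",source_ip="5.5.5.10",impact_rps="12",',
    'attack_event="Bad actor expired",vs_name="example.com/",source_ip="5.5.5.10",impact_rps="12",',
    # constructed: expiration for an IP that was never reported as detected
    'attack_event="Bad actor expired",vs_name="example.com/",source_ip="203.0.113.7",impact_rps="0",',
]


def track_bad_actors(lines):
    """Replay bad-actor events in order.

    Returns (active, anomalies): active maps vs_name -> {source_ip: impact_rps}
    for bad actors detected and not yet expired; anomalies lists expirations
    that do not match a tracked detection.
    """
    active = {}
    anomalies = []
    for line in lines:
        rec = dict(FIELD_RE.findall(line))
        event, vs, ip = rec.get("attack_event"), rec.get("vs_name"), rec.get("source_ip")
        if event not in ("Bad actor detection", "Bad actor expired") or not (vs and ip):
            continue  # other event types carry no source_ip and are ignored here
        table = active.setdefault(vs, {})
        if event == "Bad actor detection":
            table[ip] = int(rec.get("impact_rps", "0"))
        elif ip in table:
            del table[ip]
        else:
            anomalies.append(f"{vs}: expiration for {ip} without a prior detection")
    return active, anomalies


if __name__ == "__main__":
    active, anomalies = track_bad_actors(EVENTS)
    print(active)     # {'example.com/': {'5.5.5.9': 30}}
    print(anomalies)  # one entry, for 203.0.113.7
```

Feeding the replay with records filtered by dos_attack_id lets an analyst answer "which sources were still mitigated when this attack ended"; an expiration without a detection usually means the log was collected with a bad-actors filter of "top N", so only part of the detections were emitted.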
3. Attack signatures
Reports NGINX App Protect DoS decisions regarding signatures.
Example: Attack Signature Detected
date_time="Apr 29 2021 14:02:56",
product="app-protect-dos",
product_version="23+1.54.1-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="d9a6d8",
vs_name="example.com/",
dos_attack_id="1",
attack_event="Attack signature detected",
signature="(http.user_agent_header_exists eq true) and (http.accept contains other-than(application|audio|message|text|image|multipart)) and (http.unknown_header_exists eq true) and (http.headers_count neq 10) and (http.x_forwarded_for_header_exists eq false) and (http.uri_parameters eq 1) and (http.uri_len between 48-63) and (http.accept_header_exists eq true) and (http.hdrorder not-hashes-to 55) and (http.connection_header_exists eq true) and (http.accept_encoding_header_exists eq true) and (http.request.method eq reserved) and (http.cookie_header_exists eq true) and (http.uri_file hashes-to 7) and (http.host_header_exists eq true)",
signature_id="809655398",
signature_efficiency="72.00",
signature_accuracy="100.00",
4. Bad actors detection information
Provides detailed information about bad actors.
Example: Bad Actors Detected
date_time="Apr 29 2021 14:02:00",
product="app-protect-dos",
product_version="23+1.54.1-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="d9a6d8",
vs_name="example.com/",
dos_attack_id="1",
attack_event="Bad actors detected",
new_bad_actors_detected="2",
bad_actors="2",
Security Log Configuration File
The file is in JSON format.
Filter
Element | Description | Type/Values | Default |
---|---|---|---|
traffic-mitigation-stats | This filter element refers to Traffic/Mitigation summary stats. | Enumerated values: all, none | all |
bad-actors | This filter element refers to Bad actor detection/expiration, reported every 10 seconds. | Enumerated values: all, none, top N | top 10 |
attack-signatures | This filter element refers to Attack Signatures, reported every 10 seconds. | Enumerated values: all, none, top N | top 10 |
Example:
{
"filter": {
"traffic-mitigation-stats": "all",
"bad-actors": "top 100",
"attack-signatures": "top 100"
}
}
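A filter that is misspelled or set to a value the element does not support silently changes what reaches the remote logger, so it is worth checking a log configuration file before deploying it. The following Python is an added example, not code from the page or from NGINX App Protect DoS: it loads the JSON file, rejects unknown elements and unsupported values according to the table above (top N only for bad-actors and attack-signatures, N a positive integer), and fills in the documented default for any element that is absent. The sample configuration is the page's example; the invalid variants are constructed.

```python
import json
import re

# The page's example configuration, embedded as a constructed sample.
VALID_CONFIG = (
    '{"filter": {"traffic-mitigation-stats": "all", '
    '"bad-actors": "top 100", "attack-signatures": "top 100"}}'
)

TOP_N_RE = re.compile(r"^top ([0-9]+)$")

# Allowed forms and defaults per element, from the Filter table above.
ELEMENTS = {
    "traffic-mitigation-stats": {"top_n": False, "default": "all"},
    "bad-actors": {"top_n": True, "default": "top 10"},
    "attack-signatures": {"top_n": True, "default": "top 10"},
}


def validate_filter(text):
    """Return (effective_filter, errors) for a security log configuration file.

    effective_filter holds the value that will apply for every element,
    with the documented default substituted for elements not present.
    """
    errors = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return {}, [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    filt = doc.get("filter") if isinstance(doc, dict) else None
    if not isinstance(filt, dict):
        return {}, ['missing "filter" object']
    for key in filt:
        if key not in ELEMENTS:
            errors.append(f"unknown filter element {key!r}")
    effective = {}
    for name, spec in ELEMENTS.items():
        value = filt.get(name, spec["default"])
        if value in ("all", "none"):
            effective[name] = value
            continue
        match = TOP_N_RE.match(value) if isinstance(value, str) else None
        if match and spec["top_n"] and int(match.group(1)) > 0:
            effective[name] = value
        else:
            errors.append(f"{name}: unsupported value {value!r}")
    return effective, errors


if __name__ == "__main__":
    print(validate_filter(VALID_CONFIG))
    print(validate_filter('{"filter": {"traffic-mitigation-stats": "top 5", "bad-actors": "top 0"}}'))
```

Reviewing the effective filter rather than the raw file is the useful part: an empty filter object is valid, but it means bad-actors and attack-signatures are reported as top 10 only, which is what a later investigation will find in the logs.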