NGINX App Protect DoS Security Log

Overview

Security logs contain information about the status of the protected objects. They give a general picture of each protected object in terms of traffic intensity, health of the backend server, learning and mitigations.

There are several types of logs. Each contains different information and is published either periodically or upon an important event.

Dictionary

The following table lists all the possible fields in the logs and their meaning.

Field Type Meaning
date_time string the date and time of the event
product string always set to app-protect-dos
product_version string F5 NGINX App Protect DoS version
unit_hostname string host name of the app-protect-dos instance
instance_id string instance ID: container id from /proc/self/cgroup, or hostname if container is not available
vs_name string A unique identifier (representing the protected object’s name) of the location in the nginx.conf file that this request is associated with. It contains the line number of the containing server block in nginx.conf, the server name, a numeric discriminator that distinguishes between multiple entries within the same server, and the location name.
For example: 34-mydomain.com:0-~/.*php(2).
dos_attack_id integer unique attack ID per unit_hostname
attack_event string Event name as it appears in remote logger.
stress_level float a number from 0 to … that reflects stress level.
learning_confidence string the possible values are not ready/bad actors only/ready
baseline_dps integer learned datagrams per second (DPS)
incoming_dps integer current datagrams per second (DPS)
incoming_rps integer current RPS (requests per second)
successful_tps integer successful TPS (successful requests per second - Any RC but 5xx)
allowlist_rps integer allowlist requests per second
unsuccessful_rps integer unsuccessful requests per second (passed to server and not responded: reset / timeout / 5xx)
incoming_datagrams integer incremental number of incoming datagrams
incoming_requests integer incremental number of incoming requests
allowlist_requests integer incremental number of allowlist requests
successful_responses integer incremental number of successful responses
unsuccessful_requests integer incremental number of unsuccessful requests (passed to server and not responded: reset / timeout / 5xx)
active_connections integer current number of active server connections
threshold_dps float global rate DPS threshold
threshold_conns float active connections threshold
mitigated_bad_actors integer incremental number of mitigated bad actors. Increments upon any type of bad actors mitigations.
redirect_bad_actor integer incremental number of http redirections sent to detected bad actors
challenge_bad_actor integer incremental number of JS challenges sent to detected bad actors
block_bad_actor integer incremental number of blocked bad actors
mitigated_by_signatures integer incremental number of requests mitigated by signatures. Increments upon any type of signatures mitigations.
redirect_signature integer incremental number of http redirections sent to clients when requests match a signature.
challenge_signature integer incremental number of JS challenges sent to clients when requests match a signature.
block_signature integer incremental number of blocked requests when requests match a signature.
mitigated_by_global_rate integer incremental number of requests mitigated by global_rate. Increments upon any type of global rate mitigations.
redirect_global integer incremental number of http redirections sent to clients upon global rate mitigation.
challenge_global integer incremental number of JS challenges sent to clients upon global rate mitigation.
block_global integer incremental number of blocked requests upon global rate mitigation.
mitigated_slow integer incremental number of mitigated slow requests. Increments upon any type of slow requests mitigations.
redirect_slow integer incremental number of http redirections sent to clients upon slow request mitigation.
challenge_slow integer incremental number of JS challenges sent to clients upon slow request mitigation.
block_slow integer incremental number of blocked slow requests.
mitigated_connections integer incremental number of mitigated by connections mitigation
mitigated_bad_actors_l4 integer incremental number of mitigated by L4 accelerated mitigation
mitigated_bad_actors_rps integer mitigated_bad_actors rps. Includes any type of bad actors mitigations.
redirect_bad_actor_rps integer http redirections per second sent to detected bad actors.
challenge_bad_actor_rps integer JS challenges per second sent to detected bad actors.
block_bad_actor_rps integer blocked bad actors per second.
mitigated_by_signatures_rps integer mitigated_signatures rps. Includes any type of signatures mitigations.
redirect_signature_rps integer http redirections sent per second to clients when requests match a signature.
challenge_signature_rps integer JS challenges per second sent to clients when requests match a signature.
block_signature_rps integer blocked requests per second when requests match a signature.
mitigated_slow_rps integer mitigated slow requests per second. Includes any type of slow requests mitigations.
redirect_slow_rps integer http redirections per second sent to clients upon slow request mitigation.
challenge_slow_rps integer JS challenges per second sent to clients upon slow request mitigation.
block_slow_rps integer blocked slow requests per second.
mitigated_by_global_rate_rps integer mitigated_global_rate rps. Includes any type of global rate mitigations.
redirect_global_rps integer http redirections per second sent to clients upon global rate mitigation.
challenge_global_rps integer JS challenges per second sent to clients upon global rate mitigation.
block_global_rps integer blocked requests per second upon global rate mitigation.
mitigated_bad_actors_l4_rps integer blocked requests per second when mitigated by L4 accelerated mitigation
mitigated_connections_rps integer mitigated_connections rps
source_ip string IP address of the detected bad actor, for example 1.1.1.1
tls_fp string TLS Fingerprint of the bad actor
impact_rps integer RPS created by bad actor in the time of the detection (to be calculated as a max hitcount in AMT / 10)
new_bad_actors_detected integer the number of newly detected bad actors
bad_actors integer the number of bad actors
signature string signature string, for example: http.request.method eq GET and http.uri_parameters eq 6
signature_id integer unique signature ID per unit_host
signature_efficiency float estimated efficiency upon signature detection: percentage of bad traffic covered by the signature
signature_accuracy float estimated accuracy upon signature detection: percentage of learned good traffic NOT covered by the signature

Events

1a. Attack notification

Reports about the start and end of an attack, as well as major parameters of ongoing attacks.

a. Example: Attack Started

date_time="Oct 05 2021 08:01:00",
product="app-protect-dos",
product_version="25+1.78.0-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="129c76",
vs_name="example.com/",
dos_attack_id="1",
attack_event="Attack started",
stress_level="1.00",
learning_confidence="Ready",
baseline_dps="17",
incoming_dps="181",
incoming_rps="181",
successful_tps="0",
allowlist_rps="0",
unsuccessful_rps="0",
incoming_datagrams="8576",
incoming_requests="8576",
allowlist_requests="162",
successful_responses="5265",
unsuccessful_requests="0",
active_connections="58",
threshold_dps="41.60",
threshold_conns="41.60",
mitigated_bad_actors="0",
mitigated_by_signatures="0",
mitigated_by_global_rate="0",
mitigated_bad_actors_l4="0",
mitigated_slow="0",
redirect_global="0",
redirect_bad_actor="0",
redirect_signature="0",
redirect_slow="0",
challenge_global="0",
challenge_bad_actor="0",
challenge_signature="0",
challenge_slow="0",
block_global="0",
block_bad_actor="0",
block_signature="0",
block_slow="0",
mitigated_connections="0",
mitigated_bad_actors_rps="0",
mitigated_by_signatures_rps="0",
mitigated_by_global_rate_rps="0",
mitigated_bad_actors_l4_rps="0",
mitigated_slow_rps="0",
redirect_global_rps="0",
redirect_bad_actor_rps="0",
redirect_signature_rps="0",
redirect_slow_rps="0",
challenge_global_rps="0",
challenge_bad_actor_rps="0",
challenge_signature_rps="0",
challenge_slow_rps="0",
block_global_rps="0",
block_bad_actor_rps="0",
block_signature_rps="0",
block_slow_rps="0",
mitigated_connections_rps="0",

b. Example: Attack Ended

date_time="Oct 05 2021 08:06:21",
product="app-protect-dos",
product_version="25+1.78.0-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="129c76",
vs_name="example.com/",
dos_attack_id="1",
attack_event="Attack ended",
stress_level="0.50",
learning_confidence="Ready",
baseline_dps="12",
incoming_dps="0",
incoming_rps="0",
successful_tps="0",
allowlist_rps="0",
unsuccessful_rps="0",
incoming_datagrams="226566",
incoming_requests="226566",
allowlist_requests="1632",
successful_responses="7760",
unsuccessful_requests="0",
active_connections="0",
threshold_dps="2121.60",
threshold_conns="2121.60",
mitigated_bad_actors="94488",
mitigated_by_signatures="117361",
mitigated_by_global_rate="2861",
mitigated_bad_actors_l4="62788",
mitigated_slow="0",
redirect_global="2861",
redirect_bad_actor="94488",
redirect_signature="117361",
redirect_slow="0",
challenge_global="0",
challenge_bad_actor="0",
challenge_signature="0",
challenge_slow="0",
block_global="0",
block_bad_actor="0",
block_signature="0",
block_slow="0",
mitigated_connections="0",
mitigated_bad_actors_rps="0",
mitigated_by_signatures_rps="0",
mitigated_by_global_rate_rps="0",
mitigated_bad_actors_l4_rps="0",
mitigated_slow_rps="0",
redirect_global_rps="0",
redirect_bad_actor_rps="0",
redirect_signature_rps="0",
redirect_slow_rps="0",
challenge_global_rps="0",
challenge_bad_actor_rps="0",
challenge_signature_rps="0",
challenge_slow_rps="0",
block_global_rps="0",
block_bad_actor_rps="0",
block_signature_rps="0",
block_slow_rps="0",
mitigated_connections_rps="0",
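
Added example (not part of the original page or of the product): a Python parser for the key="value" event format shown above, which pairs each "Attack started" event with its "Attack ended" event to report attack duration and the traffic mitigated during it. The function names are hypothetical, the sample lines are abbreviated from the two examples above, and the code assumes the "incremental" counters are running totals, as the values in the page's examples suggest.

```python
import re
from datetime import datetime

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')  # values may hold commas, spaces, parentheses
FLOAT_FIELDS = {"stress_level", "threshold_dps", "threshold_conns",
                "signature_efficiency", "signature_accuracy"}
STRING_FIELDS = {"date_time", "product", "product_version", "unit_hostname", "instance_id",
                 "vs_name", "attack_event", "learning_confidence", "source_ip", "tls_fp",
                 "signature"}
COUNTERS = ("incoming_requests", "mitigated_bad_actors", "mitigated_by_signatures",
            "mitigated_by_global_rate", "mitigated_bad_actors_l4")

def parse_event(text):
    """Parse one event into a dict typed per the Dictionary table.

    Raises ValueError if a numeric field holds a non-numeric value.
    """
    event = {}
    for key, raw in PAIR_RE.findall(text):
        cast = str if key in STRING_FIELDS else float if key in FLOAT_FIELDS else int
        event[key] = cast(raw)  # fields not listed above are integers in the Dictionary
    if "date_time" in event:
        event["date_time"] = datetime.strptime(event["date_time"], "%b %d %Y %H:%M:%S")
    return event

def summarize_attacks(events):
    """Pair 'Attack started' with 'Attack ended' per (host, protected object, attack ID)."""
    open_attacks, summaries = {}, []
    for ev in events:
        key = (ev["unit_hostname"], ev["vs_name"], ev["dos_attack_id"])
        if ev["attack_event"] == "Attack started":
            open_attacks[key] = ev
        elif ev["attack_event"] == "Attack ended" and key in open_attacks:
            start = open_attacks.pop(key)
            elapsed = ev["date_time"] - start["date_time"]
            summary = {"vs_name": key[1], "duration_s": int(elapsed.total_seconds())}
            for name in COUNTERS:  # assumed running totals: take end minus start
                summary[name] = ev.get(name, 0) - start.get(name, 0)
            summaries.append(summary)
    return summaries

# Abbreviated from the page's "Attack Started" / "Attack Ended" examples.
_COMMON = 'unit_hostname="localhost.localdomain", vs_name="example.com/", dos_attack_id="1", '
SAMPLE = [
    'date_time="Oct 05 2021 08:01:00", attack_event="Attack started", ' + _COMMON +
    'incoming_requests="8576", mitigated_bad_actors="0", mitigated_by_signatures="0", '
    'mitigated_by_global_rate="0", mitigated_bad_actors_l4="0",',
    'date_time="Oct 05 2021 08:06:21", attack_event="Attack ended", ' + _COMMON +
    'incoming_requests="226566", mitigated_bad_actors="94488", mitigated_by_signatures="117361", '
    'mitigated_by_global_rate="2861", mitigated_bad_actors_l4="62788",',
]
SUMMARY = summarize_attacks([parse_event(line) for line in SAMPLE])
```

The same parse_event function reads the bad actor and signature events, because the pattern splits on quoted values rather than on commas.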

1b. Traffic/Mitigation summary stats

Reported periodically, providing aggregated statistics per protected object.
This corresponds to the metrics reported on the main Grafana screen.

a. Example: No Attack

date_time="Oct 05 2021 07:54:29",
product="app-protect-dos",
product_version="25+1.78.0-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="129c76",
vs_name="example.com/",
dos_attack_id="0",
attack_event="No Attack",
stress_level="0.50",
learning_confidence="Not ready",
baseline_dps="19",
incoming_dps="9",
incoming_rps="9",
successful_tps="10",
allowlist_rps="1",
unsuccessful_rps="0",
incoming_datagrams="678",
incoming_requests="678",
allowlist_requests="52",
successful_responses="678",
unsuccessful_requests="0",
active_connections="0",
threshold_dps="2121.60",
threshold_conns="2121.60",
mitigated_bad_actors="0",
mitigated_by_signatures="0",
mitigated_by_global_rate="0",
mitigated_bad_actors_l4="0",
mitigated_slow="0",
redirect_global="0",
redirect_bad_actor="0",
redirect_signature="0",
redirect_slow="0",
challenge_global="0",
challenge_bad_actor="0",
challenge_signature="0",
challenge_slow="0",
block_global="0",
block_bad_actor="0",
block_signature="0",
block_slow="0",
mitigated_connections="0",
mitigated_bad_actors_rps="0",
mitigated_by_signatures_rps="0",
mitigated_by_global_rate_rps="0",
mitigated_bad_actors_l4_rps="0",
mitigated_slow_rps="0",
redirect_global_rps="0",
redirect_bad_actor_rps="0",
redirect_signature_rps="0",
redirect_slow_rps="0",
challenge_global_rps="0",
challenge_bad_actor_rps="0",
challenge_signature_rps="0",
challenge_slow_rps="0",
block_global_rps="0",
block_bad_actor_rps="0",
block_signature_rps="0",
block_slow_rps="0",
mitigated_connections_rps="0",

b. Example: Under Attack

date_time="Oct 05 2021 08:02:35",
product="app-protect-dos",
product_version="25+1.78.0-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="129c76",
vs_name="example.com/",
dos_attack_id="1",
attack_event="Under Attack",
stress_level="0.50",
learning_confidence="Ready",
baseline_dps="12",
incoming_dps="893",
incoming_rps="893",
successful_tps="12",
allowlist_rps="1",
unsuccessful_rps="0",
incoming_datagrams="87823",
incoming_requests="87823",
allowlist_requests="1523",
successful_responses="5736",
unsuccessful_requests="0",
active_connections="1",
threshold_dps="92.40",
threshold_conns="92.40",
mitigated_bad_actors="0",
mitigated_by_signatures="75137",
mitigated_by_global_rate="2861",
mitigated_bad_actors_l4="62788",
mitigated_slow="0",
redirect_global="2861",
redirect_bad_actor="0",
redirect_signature="75137",
redirect_slow="0",
challenge_global="0",
challenge_bad_actor="0",
challenge_signature="0",
challenge_slow="0",
block_global="0",
block_bad_actor="0",
block_signature="0",
block_slow="0",
mitigated_connections="0",
mitigated_bad_actors_rps="0",
mitigated_by_signatures_rps="879",
mitigated_by_global_rate_rps="0",
mitigated_bad_actors_l4_rps="0",
mitigated_slow_rps="0",
redirect_global_rps="0",
redirect_bad_actor_rps="0",
redirect_signature_rps="879",
redirect_slow_rps="0",
challenge_global_rps="0",
challenge_bad_actor_rps="0",
challenge_signature_rps="0",
challenge_slow_rps="0",
block_global_rps="0",
block_bad_actor_rps="0",
block_signature_rps="0",
block_slow_rps="0",
mitigated_connections_rps="0",

2. Bad actor detection/expiration

Reports NGINX App Protect DoS decisions regarding bad actors.

a. Example: Bad Actor Detection

date_time="Apr 29 2021 14:03:01",
product="app-protect-dos",
product_version="23+1.54.1-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="d9a6d8",
vs_name="example.com/",
dos_attack_id="1",
attack_event="Bad actor detection",
source_ip="5.5.5.9",
impact_rps="30",

b. Example: Bad Actor Expired

date_time="Apr 29 2021 14:05:29",
product="app-protect-dos",
product_version="23+1.54.1-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="d9a6d8",
vs_name="example.com/",
dos_attack_id="0",
attack_event="Bad actor expired",
source_ip="5.5.5.10",
impact_rps="12",

3. Attack signatures

Reports NGINX App Protect DoS decisions regarding signatures.

Example: Attack Signature Detected

date_time="Apr 29 2021 14:02:56",
product="app-protect-dos",
product_version="23+1.54.1-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="d9a6d8",
vs_name="example.com/",
dos_attack_id="1",
attack_event="Attack signature detected",
signature="(http.user_agent_header_exists eq true) and (http.accept contains other-than(application|audio|message|text|image|multipart)) and (http.unknown_header_exists eq true) and (http.headers_count neq 10) and (http.x_forwarded_for_header_exists eq false) and (http.uri_parameters eq 1) and (http.uri_len between 48-63) and (http.accept_header_exists eq true) and (http.hdrorder not-hashes-to 55) and (http.connection_header_exists eq true) and (http.accept_encoding_header_exists eq true) and (http.request.method eq reserved) and (http.cookie_header_exists eq true) and (http.uri_file hashes-to 7) and (http.host_header_exists eq true)",
signature_id="809655398",
signature_efficiency="72.00",
signature_accuracy="100.00",

4. Bad actors detection information

Provides detailed information about bad actors.

Example: Bad Actors Detected

date_time="Apr 29 2021 14:02:00",
product="app-protect-dos",
product_version="23+1.54.1-1.el7.ngx",
unit_hostname="localhost.localdomain",
instance_id="d9a6d8",
vs_name="example.com/",
dos_attack_id="1",
attack_event="Bad actors detected",
new_bad_actors_detected="2",
bad_actors="2",

Security Log Configuration File

The file is in JSON format.

Filter

Element Description Type/Values Default
traffic-mitigation-stats This filter element refers to Traffic/Mitigation summary stats. Enumerated values: all, none. Default: all
bad-actors This filter element refers to Bad actor detection/expiration, every 10 seconds. Enumerated values: all, none, top N. Default: top 10
attack-signatures This filter element refers to Attack Signatures, every 10 seconds. Enumerated values: all, none, top N. Default: top 10

Example:

{
    "filter": {
        "traffic-mitigation-stats": "all",
        "bad-actors": "top 100",
        "attack-signatures": "top 100"
    }
}