NGINX App Protect WAF Logs Overview
Overview
There are 3 types of logs that F5 NGINX App Protect on NGINX generates:
- Security log or Request log: The HTTP requests and how App Protect processed them, including violations and signatures found.
- Operation logs: Events such as startup, shutdown and reconfiguration.
- Debug logs: technical messages at different levels of severity used to debug and resolve incidents and error behaviors.
In addition, NGINX App Protect WAF can be configured to add additional data to NGINX Access log.
Note that NGINX does not have audit logs in the sense of who did what. This can be done either from the orchestration system controlling NGINX (such as NGINX Controller) or by tracking the configuration files and the systemd invocations using Linux tools.
App Protect uses its own logging mechanism for request logging rather than NGINX’s access logging mechanism (which is NGINX’s default logging mechanism).
| Type | Log Configuration | Configuration contexts | File Destination | Syslog Destination |
|---|---|---|---|---|
| Security | app_protect_security_log directive referencing security_log.json file |
nginx.conf: http, server, location |
Yes, either stderr, or an absolute path to a local file are supported |
Yes |
| Operation | error_log directive, part of core NGINX |
nginx.conf - global |
Yes, NGINX error log | Yes, NGINX error log |
| Debug | /etc/app_protect/bd/logger.cfg. Log file name is the redirection in the invocation of the bd command line in the start script |
Global (not part of nginx.conf) | Yes. Log file is in /var/log/app_protect default debug directory. No file rotation currently |
No |
Log Rotate
NGINX App Protect WAF supports log rotation. If you already have logrotate running, NGINX App Protect WAF log files will be rotated automatically according to the configuration file described below. To install logrotate:
For CentOS:
sudo yum install logrotate
For Debian / Ubuntu:
sudo apt-get install logrotate
For Alpine:
sudo apk add logrotate
By default the logrotate configuration file included in NGINX App Protect WAF is:
/var/log/app_protect/*.log {
size 1M
copytruncate
notifempty
create 644 nginx nginx
rotate 20
}
- size size - log files are rotated only if they grow larger than size.
- copytruncate - truncate the original log file in place after creating a copy, instead of moving the old log file and creating a new one.
- create mode owner group - the log file is created immediately after rotation with the permissions specified by mode. owner specifies the user name who will own the log file, and group specifies the group the log file will belong to.
- rotate count - log files are rotated count times before being removed.
You can modify the attributes and add directories to rotate in /etc/logrotate.d/app_protect.conf.
Normally you would run logrotate periodically using a cron job. For more information about logrotate refer to Linux man page.
All logs in the /var/log/app_protect/ folder will be rotated, including the security log, if the file destination is configured to be under this directory.
Example of configuring security log to be under /var/log/app_protect/:
In /etc/nginx/nginx.conf:
app_protect_security_log_enable on;
app_protect_security_log "/opt/app_protect/share/defaults/log_illegal.json" /var/log/app_protect/security.log;
Note:
The log rotation policy is provided as a default policy. Users can customize to adapt to their need.