NGINX App Protect WAF Logs Overview

Log Types

Logs in F5 NGINX App Protect WAF v5 can be accessed and configured similarly to NGINX App Protect WAF, though there are some differences in the process.

NGINX Access Log

NGINX App Protect WAF v5 can be configured to add additional data to NGINX Access log.

Security Logs

A key change in configuring Security logs is the requirement to compile JSON logging profiles into a bundle file before applying them.

Default Logging Profile Bundles

There are several pre-compiled logging profile bundles available:

log_default (equivalent to log_illegal)
log_all
log_illegal
log_blocked
log_grpc_all
log_grpc_blocked
log_grpc_illegal

These logging profiles can be referenced by their names, excluding the file path and the tgz extension.

For instance:

    ...
    location / {

        # NGINX App Protect WAF
        app_protect_enable on;
        app_protect_security_log_enable on;
        app_protect_security_log log_blocked syslog:server=log-server:514;

        proxy_pass http://127.0.0.1:8080/;
    }

Security Log Destination

Please refer to Security logs page for details.

WAF Enforcer Container Logs

When stderr is set as the destination for security logs in the app_protect_security_log directive, these logs are accessible via the waf-enforcer container. To view them, use the following command:

docker logs waf-enforcer

Or in Kubernetes:

kubectl logs deployment.apps/nap5-deployment -c waf-enforcer

Debug Logs

Logs for internal components of NGINX App Protect 5 can be accessed by executing docker logs or kubectl logs on one of the deployment containers. For example:

docker logs waf-config-mgr

Last modified August 22, 2024