NGINX App Protect WAF Operation Log

Learn about the NGINX App Protect WAF Operation Log.

Operation Logs

Overview

The operation logs consists of system operational and health events. The events are sent to the NGINX error log and are distinguished by the APP_PROTECT prefix followed by JSON body. The log level depends on the event: success is usually Notice while failure is Error. The timestamp is inherent in the error log.

Events

Event Type Level Meaning
App Protect Connected Notice A worker successfully connected to NGINX App Protect WAF Enforcer.
The mode attribute should be operational unless there is an ongoing problem.
{
    "event": "waf_connected",
    "bd_thread_id": 3,
    "worker_pid": 4928,
    "mode": "operational",
    "mode_changed": true
}
Event Type Level Meaning
App Protect Connection Failure Error A worker attempted to connect to NGINX App Protect WAF but the operation failed.
The mode should be failure.
{
    "event": "waf_connection_failure",
    "bd_thread_id": 3,
    "worker_pid": 4928,
    "mode": "failure",
    "mode_changed": true
}
Event Type Level Meaning
App Protect Disconnected Error Engine disconnected from Worker (socket closed).
The mode should be failure.
{
    "event": "waf_disconnected",
    "bd_thread_id": 3,
    "worker_pid": 4928,
    "mode": "failure",
    "mode_changed": true
}
Event Type Level Meaning
App Protect Resource Exception Warning Resource, as measured by the Worker, exceeded limits (above high threshold).
Mode should be failure. It may have already been in this mode because there are other resources that had exceeded their limits.
{
    "event": "waf_resource_exception",
    "bd_thread_id": 3,
    "worker_pid": 4928,
    "mode": "failure",
    "mode_changed": true,
    "resource": "cpu",
    "value": 98,
    "threshold": 95
}
Event Type Level Meaning
App Protect Resource Reverted to Normal Warning Resource, as measured by the Worker, went back to normal range (below low threshold).
Mode should be operational, unless there are other resources which are still out of limits.
{
    "event": "waf_resource_revert",
    "bd_thread_id": 3,
    "worker_pid": 4928,
    "mode": "operational",
    "mode_changed": true,
    "resource": "cpu",
    "value": 88,
    "threshold": 90
}
Event Type Level Meaning
Configuration Error Error There were errors in the AppProtect directives in the nginx.conf file. This is issued if the directive was spelled correctly, otherwise NGINX core will issue an error.
This event occurs before configuration_load_start and means there will be no configuration load.
This event is generated only on configuration reload. It cannot be generated on first configuration as there is no error log configured yet.
{
    "event": "configuration_error",
    "error_message": "unknown argument",
    "line_number": 58
}
Event Type Level Meaning
Configuration Load Start Notice App Protect configuration load process started. The configuration consists of all the policies, security log configurations and global settings. These all are part of the config set file generated by the module and passed to the Policy Compiler. The path to this file in included in the event message.
This event is generated only on configuration reload. It cannot be generated on first configuration as there is no error log configured yet.
{
    "event": "configuration_load_start",
    "configSetFile": "/opt/app_protect/share/config_set.json"
}
Event Type Level Meaning
Configuration Load Failure Error There was an error in one of the configuration files: file not found, failed to compile, or the configuration failed to load to the engine.
{
    "event": configuration_load_failure",
    "error_message": "Failed to import Policy '/etc/nginx/default_policy.json' from '/etc/nginx/default_policy.json': Fail parse JSON Policy: malformed JSON string, neither tag, array, object, number, string or atom, at character offset 0 (before \"xxxx\\nhdjk\\n\\n555\\n\") \n.\n",
    "error_line_number": 58
}
Event Type Level Meaning
Configuration Load Success Notice The WAF configuration process ended successfully: all policies, log configuration and global settings were loaded to NGINX App Protect WAF and all traffic will be handled by this configuration.
The “error_message” contains warnings.
This event is generated also on the initial configuration (when NGINX starts).
Also includes the signature update version which reflects the date the package was released and the exact revision time in datetime format that also includes the time of day, thus compatible with the revision date time in the WAF policy signature-requirements element.
{
    "event": "configuration_load_success",
    "error_message": "csrfProtection/enabled cannot be set to true and set to false",
    "software_version": "1.3.42",
    "attack_signatures_package": {
        "version": "2020.02.20",
        "revision_datetime": "2020-02-20T13:35:38"
    }
}

This documentation applies to the following versions of NGINX App Protect WAF: 3.12.