Security monitoring overview
Security monitoring brings F5 WAF for NGINX events from every connected instance into a single place in NGINX One Console. This page explains what data the system collects, how it flows, and how it is organized.
Security monitoring is the NGINX One Console module that ingests F5 WAF for NGINX security events from your data planes, stores them centrally, and exposes them through a security dashboard and an analytics API. It gives you a single view of attacks, violations, and triggered signatures across every NGINX Plus instance you have connected to NGINX One Console.
This document covers what the module is and how data flows through it. For deployment steps, see Set up security monitoring. For details on what each dashboard widget shows, see the dashboard metrics reference.
The data pipeline has four stages:
- Detection. F5 WAF for NGINX inspects requests on the data plane and produces a security log entry whenever a request matches a violation, signature, or threat campaign.
- Forwarding. F5 WAF for NGINX writes the entry over syslog (port 1514 on localhost) using the secops_dashboard log profile. NGINX Agent's OpenTelemetry collector receives it through the tcplog/nginx_app_protect receiver.
- Transport. The collector batches events and exports them to NGINX One Console through the otlp/default exporter. Batching keeps the upstream call rate low while keeping per-event delivery latency under a minute.
- Storage and query. NGINX One Console parses, indexes, and stores the events. The security dashboard and the analytics API both read from the same store.
Every event carries the support ID, the policy that matched it, the violation and signature details, and the request context (method, URL, host, client IP, X-Forwarded-For, geolocation). Those fields are what the dashboard groups and filters on.
Every security event carries enough context to attribute it to a specific data plane, a specific policy, and the application it targeted.
- Instance: Each event records the NGINX instance hostname that produced it. Use this to scope by data plane.
- Policy: Each event records the F5 WAF for NGINX policy that produced it, so you can compare activity across policy versions or rollouts — useful for measuring the impact of a policy change before promoting it.
- Destination hostname: Each event records the HTTP Host header sent by the client — the application being attacked, not the instance hostname (which identifies the data plane). Use this when one data plane fronts multiple applications and you need to scope by app rather than by infrastructure.
Security events are retained for 90 days. Queries that reach further back than 90 days return no results. If you need long-term retention, forward events to an external Security Information and Event Management (SIEM) system with a custom log profile in addition to the secops_dashboard log profile.
An operator notices a spike in attack volume on the security dashboard. The operator uses the global filters to narrow down to the affected policy and time window, then drills into the top signatures and attacked endpoints to identify which signatures fired and which URLs were targeted. From a single event, the operator pulls the Support ID, the X-Forwarded-For chain, and the raw request to confirm the source and decide whether to tighten the policy.
A security engineer suspects a policy is producing false positives. The engineer opens the security dashboard, filters by policy and blocked requests, and reviews the breakdown of triggered signatures. The high-volume signatures with low risk and accuracy stand out as candidates for tuning. The engineer cross-checks a few events against the raw requests to confirm the signature is firing on legitimate traffic before adjusting the policy.
A platform team needs a weekly summary of WAF activity across hundreds of instances. The team uses the analytics API to pull attack counts, top signatures, and top violations grouped by instance, then renders the result in their own reporting tool. The dashboard remains the interactive surface for ad-hoc investigation; the API is the integration point for automation.
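As an added example (not code from NGINX One Console or F5 WAF for NGINX), the Python below parses a few constructed security events carrying the fields described above, drops anything outside the 90-day retention window, and aggregates the rest by instance hostname or by destination Host header, the same groupings the dashboard and the analytics API expose. The key="value" layout, field names, signature IDs and addresses are assumptions made for illustration, not the secops_dashboard profile format.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # the console keeps events for 90 days; older ones are not queryable

# Constructed sample events in a simplified key="value" layout. This is NOT the
# secops_dashboard log profile format; only the field set mirrors the page.
SAMPLE_EVENTS = [
    'support_id="1001" unit_hostname="waf-a" policy_name="shop-v2" host="shop.example.com" '
    'method="GET" uri="/search" ip_client="203.0.113.5" x_forwarded_for="198.51.100.9, 203.0.113.5" '
    'sig_ids="200000001" violations="VIOL_ATTACK_SIGNATURE" date_time="2024-08-30T10:00:00Z"',
    'support_id="1002" unit_hostname="waf-a" policy_name="shop-v2" host="api.example.com" '
    'method="POST" uri="/login" ip_client="203.0.113.7" x_forwarded_for="" '
    'sig_ids="200000001,200000002" violations="VIOL_ATTACK_SIGNATURE" date_time="2024-08-31T11:00:00Z"',
    'support_id="1003" unit_hostname="waf-b" policy_name="shop-v2" host="shop.example.com" '
    'method="GET" uri="/cart" ip_client="203.0.113.9" x_forwarded_for="" '
    'sig_ids="200000002" violations="VIOL_ATTACK_SIGNATURE" date_time="2024-08-31T12:00:00Z"',
    # 92 days before NOW: outside the retention window, so it must be dropped
    'support_id="1004" unit_hostname="waf-b" policy_name="legacy-v1" host="shop.example.com" '
    'method="GET" uri="/" ip_client="203.0.113.9" x_forwarded_for="" '
    'sig_ids="200000001" violations="VIOL_ATTACK_SIGNATURE" date_time="2024-06-01T12:00:00Z"',
]
NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)  # fixed "query time" so the run is reproducible

def parse_event(line):
    """Turn one key="value" line into a dict of the fields the dashboard filters on."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def within_retention(event, now=NOW):
    """True if the event is still inside the 90-day query window."""
    ts = datetime.fromisoformat(event["date_time"].replace("Z", "+00:00"))
    return now - ts <= timedelta(days=RETENTION_DAYS)

def client_origin(event):
    """Left-most X-Forwarded-For hop when present, otherwise the TCP peer address."""
    xff = [hop.strip() for hop in event["x_forwarded_for"].split(",") if hop.strip()]
    return xff[0] if xff else event["ip_client"]

def summarize(lines, now=NOW, group_by="unit_hostname"):
    """Count retained events per group (instance, policy, or destination Host) plus top signatures."""
    kept = [e for e in map(parse_event, lines) if within_retention(e, now)]
    return {
        "events": len(kept),
        "by_group": dict(Counter(e[group_by] for e in kept)),
        "top_signatures": Counter(s for e in kept for s in e["sig_ids"].split(",")).most_common(3),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))                   # scope by data plane
    print(summarize(SAMPLE_EVENTS, group_by="host"))  # scope by application
```

Switching `group_by` between `unit_hostname` and `host` reproduces the instance-versus-application distinction above: the same three retained events count as two on waf-a and one on waf-b, or as two against shop.example.com and one against api.example.com.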
- Access logs and performance metrics — security monitoring only ingests F5 WAF for NGINX security events. NGINX access logs and performance telemetry are handled by other parts of NGINX One Console.
- Policy authoring — use WAF policies to create and deploy F5 WAF for NGINX policies. Security monitoring shows you the effect of those policies, not the policies themselves.
- Long-term archival — events expire after 90 days. Forward to an external SIEM if you need longer retention.
For more information, see: