• F5

    Deliver and secure every app

  • DevCentral

    Connect & learn in our hosted community

  • MyF5

    Your key to everything F5, including support, registration keys, and subscriptions

  • NGINX

    Learn more about NGINX Open Source and read the community blog

  • Community Forum

    Engage with the broader NGINX community for discussions and troubleshooting

Access logs

Access logs are NGINX’s mechanism for logging requests.

It is controlled by two directives:

log_format

This directive determines the format of the log messages using predefined variables.

F5 WAF for NGINX can extend this set of variables with several security log attributes available for inclusion in log_format.

If log_format is not specified then the built-in format combined is used, which does not include the extended F5 WAF for NGINX variables.

log_format must be used in order to add to add F5 WAF for NGINX information to the logs.

access_log

This directive determines the destination of the access_log and the formatted name.

The default configuration is the file /etc/nginx/log/access.log using the combined format.

Use this directive in order to create a customized format which can include the F5 WAF for NGINX variables.

F5 WAF for NGINX variables for access logs

These are the variables added to Access Log. They are a subset of the Security log attributes. The Security log names are prefixed with $app_protect.

Name Meaning Comment
$app_protect_support_id Unique ID assigned to the request by F5 WAF for NGINX. To be used to correlate the access log with the security log.
Left empty in failure mode.
$app_protect_outcome One of:
  • PASSED: request was sent to origin server.
  • REJECTED: request was blocked.
$app_protect_outcome_reason One of:
  • SECURITY_WAF_OK: allowed with no violations (legal request).
  • SECURITY_WAF_VIOLATION: blocked due to security violations.
  • SECURITY_WAF_FLAGGED: allowed although it has violations (illegal).
  • SECURITY_WAF_BYPASS: WAF was supposed to inspect the request but it didn’t (because of unavailability or resource shortage). The request was PASSED or REJECTED according to the failure mode action determined by the user.
  • SECURITY_WAF_REQUEST_IN_FILE_BYPASS: WAF was supposed to inspect the request but it didn’t (because request buffer was full and request was written to file). The request was PASSED or REJECTED according to the failure mode action determined by the user.
  • SECURITY_WAF_COMPRESSED_REQUEST_BYPASS: WAF was supposed to inspect the request but it didn’t (because request was compressed). The request was PASSED or REJECTED according to the failure mode action determined by the user.
$app_protect_policy_name The name of the policy that enforced the request.
$app_protect_version The F5 WAF for NGINX version string: major.minor.build format. Does not include the F5 NGINX plus version (e.g. R21). The latter is available in $version variable.

Note that many of the other security log attributes that are not included here have exact or similar parallels among the NGINX variables also available for access log.

For example, $request is parallel to the request security log attribute.

nginx
http {
    log_format security_waf 'request_time=$request_time client_ip=$remote_addr,'
                             'request="$request", status=$status,'
                             'waf_policy=$app_protect_policy_name, waf_request_id=$app_protect_support_id'
                             'waf_action=$app_protect_outcome, waf_action_reason=$app_protect_outcome_reason';

    server {

        location / {
            access_log /etc/app_protect/logs/nginx-access.log security_waf;
            ...
        }
    }
}
View source
Edit this page
Create a new issue