Expected Log Samples

F5 ASM Reporting Server

<134>Nov 25 13:05:37 XXXXXX.XXXXXX.XXXASM:unit_hostname="XXXXXX.XXXXXX.XXX",management_ip_address="XXX.XXX.XX.XXX",http_class_name="/Common/Internal",web_application_name="/Common/Internal",policy_name="/Common/nternal",policy_apply_date="2019-11-25 08:59:54",violations="",support_id="XXXXXXXXXXXXXXXXXXXXX",request_status="passed",response_code="XXX",ip_client="XXX.XX.XX.XX",route_domain="X",method="GET",protocol="HTTPS",query_string="XXXXXX=XXXXXXXXXXXXXXXXXXXXXXXffXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&fromdcpublic=1&documentid=XXXXX",x_forwarded_for_header_value="XXX.XX.XX.XX",sig_ids="",sig_names="",date_time="2019-11-25 13:05:37",severity="Informational",attack_type="",geo_location="N/A",ip_address_intelligence="N/A",username="N/A",session_id="XXXXXXXXXXXXXXXXXX",src_port="XXXXXX",dest_port="XXXX",dest_ip="XXX.XXX.XX.XX",sub_violations="",virus_name="N/A",violation_rating="0",websocket_direction="N/A",websocket_message_type="N/A",device_id="N/A",staged_sig_ids="",staged_sig_names="",blocking_exception_reason="N/A",captcha_result="not_received",uri="/XXXXXX.legacy/dcdocumentretrieveext.asp",request="GET /legacy/dcdocumentretrieveext.asp?logpoint=f15b47317e20f281af88427ff98ead21809edbc3b9eb2d5df2f4d00a19ca3868&fromdcpublic=1&documentid=XXXX HTTP/1.1\r\nAccept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5\r\nReferer: http://XXXXXXX/XXXXXXXX.XXXXXX/XXXXXXX/Application/STOP/StopList/Forms/STOP_STOPObjectDetailView/View/76e6259a-d2d9-4fb2-bb1e-f9b835194b8a\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\nAccept-Encoding: gzip, deflate\r\nHost: aesin01\r\nDNT: 1\r\nConnection: Keep-Alive\r\nCookie: LogPointClient=XXXXXXX; LogPointName=XXX; Language=US; ASP.NET_SessionId=XXXXXXXXXXXXXXXXXXXXXXXX; 
TS016ff46e=01cdbc463142a16fa549885f53d97b29553dbaf3658baa327e10dc4e7f098424c1d4baea03f28d03dc6477d8e5d3f747d177440bfbc6dd3b5e50edb0ffaa93ad597d19498febf3287d2efcb0cbf36d37c055104d151e73f320b446e4bca974430ee57d8a22a2190c1a1613fb884e1618df5e00b692; TSPD_101=088b86466aab280093c105cf91586ea1a0cc535675985fd8ce2539f2f0969307b1010a662728b6034d7f125ad6b0c81f0867acbfaa051000240462973318176c1b19f75b583a2b53; WindowSettingsId=WinSetting_33; WindowSettings_action=keep; ASPSESSIONIDSARQRSRQ=FNANDAHBDKOHGODPHDMEDGEO; WindowSettings_legacyPage=; WindowSettings_legacyPageCaption=unknown\r\nX-Forwarded-For: XXX.XX.XX.XX\r\n\r\n",response="Content type is not supported for response logging"

F5 ASM CEF

<131>Nov 25 16:50:28 logpoint.com ASM:CEF:0|F5|ASM|13.1.1|Illegal URL|Illegal URL|5|dvchost=logpoint.com dvc=XX.XX.XX.XXX cs1=/Common/asm_policy_logpoint.com cs1Label=policy_name cs2=/Common/asm_policy_logpoint.com cs2Label=http_class_name deviceCustomDate1=Nov 25 2019 14:50:21 deviceCustomDate1Label=policy_apply_date externalId=XXXXXXXXXXXXXXXXXXXact=alerted cn1=XXXcn1Label=response_code src=XX.X.XXX.XXX spt=XXXXXdst=XX.XX.XX.XXX dpt=XXXrequestMethod=GET app=HTTPS cs5=XX.X.XXX.XXX, XX.X.XXX.XXX cs5Label=x_forwarded_for_header_value rt=Nov 25 2019 16:50:27 deviceExternalId=0 cs4=Forceful Browsing cs4Label=attack_type cs6=TR cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4= c6a4Label=ip_address_intelligence msg=N/A suid=XXXXXXXXXXXXXXXXXXXuser=N/A cn2=5 cn2Label=violation_rating cn3=0 cn3Label=device_id request=/auth cs3Label=full_request cs3=GET /auth HTTP/1.1\r\nHost: XXXXXXXXXXXXX\r\nCache-Control: no-store,no-cache\r\nPragma: no-cache\r\nRequest-Context: appId\=cid-XX:XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX\r\nRequest-Id: |XXXXXXXXXX.XXXXXXXXXXXXXXXXX.XXXXXXXX.\r\nX-Forwarded-For: XX.X.XXX.XXX, XX.X.XXX.XXX\r\n\r\n
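The CEF sample above carries meaning in two layers: seven pipe-delimited header fields, then a space-separated extension whose custom slots (cs1, cn2, ...) only become useful once paired with their *Label keys, and whose full_request value embeds literal \r\n and \= escapes. The parser below is an added example (not LogPoint's or F5's own parsing code) that normalises one such line into a flat event; the SAMPLE is a constructed abridgement of the line above with its masked placeholders kept.

```python
import re

# Constructed sample, abridged from the F5 ASM CEF line above; \r\n and \= are literal backslash escapes.
SAMPLE = (
    '<131>Nov 25 16:50:28 logpoint.com ASM:CEF:0|F5|ASM|13.1.1|Illegal URL|Illegal URL|5|'
    'dvchost=logpoint.com cs1=/Common/asm_policy_logpoint.com cs1Label=policy_name '
    'act=alerted requestMethod=GET cs4=Forceful Browsing cs4Label=attack_type '
    'cn2=5 cn2Label=violation_rating request=/auth cs3Label=full_request '
    'cs3=GET /auth HTTP/1.1\\r\\nHost: XXXXXXXXXXXXX\\r\\nRequest-Context: appId\\=cid-XX\\r\\n\\r\\n'
)
HEADER_KEYS = ('cef_version', 'vendor', 'product', 'device_version', 'signature_id', 'name', 'severity')
_ESC = {'=': '=', '|': '|', '\\': '\\', 'r': '\r', 'n': '\n'}


def unescape(value):
    """Undo CEF backslash escapes; unknown escapes are left untouched."""
    return re.sub(r'\\(.)', lambda m: _ESC.get(m.group(1), m.group(0)), value)


def split_cef_header(line):
    """Return (header dict, raw extension), splitting on unescaped pipes only."""
    start = line.index('CEF:') + len('CEF:')
    fields = re.split(r'(?<!\\)\|', line[start:], maxsplit=7)
    if len(fields) != 8:
        raise ValueError('malformed CEF header: expected 7 pipe-delimited fields')
    return {k: unescape(v) for k, v in zip(HEADER_KEYS, fields)}, fields[7]


def parse_cef_extension(ext):
    """Values may contain spaces (the request body even embeds literal \\r\\n), so a key
    is only a word run preceded by whitespace and followed by an unescaped '=';
    each value runs up to the next such key."""
    keys = list(re.finditer(r'(?:^|(?<=\s))([A-Za-z0-9_]+)=', ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Flat event dict; custom slots (cs1, cn2, ...) are renamed by their *Label so
    detections key on policy_name / attack_type / violation_rating, not positions."""
    header, ext = split_cef_header(line)
    raw = parse_cef_extension(ext)
    event = dict(header)
    for key, value in raw.items():
        if not key.endswith('Label'):
            event[raw.get(key + 'Label', key)] = value
    return event
```

Because full_request is unescaped into real CRLF lines, the same event can be fed to an HTTP header parser downstream instead of being matched as one opaque string.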

F5 WAF

Jul 12 13:12:49 WAFLOGPOINT001 err tmm1[17208]: 01230140:3: RST sent from xxx.xxx.xxx.xxx:xxxxx to xxx.xxx.x.xx:xx,[0x299e18a:2598] {peer} TCP RST from remote system

F5 LTM

[16/Jun/2020:08:59:23 +0200] REQUEST -> CLIENT = 1.1.1.1:1000, VS_NAME = /xxxx-xxxx-xxxx/xxxx-xxxx-xxxx_xxxxx.xxx.xxxxxxx.xxx_https, VIP = 1.1.1.1:xxx, HTTP_VERSION = HTTP/1.1, HTTP_METHOD = POST, HTTP_KEEPALIVE = Y, HTTP_PATH = /auth/oauth/check_token, HTTP_QUERY = , HTTP_REQUEST = POST /auth/oauth/check_token HTTP/1.1, HTTP_URI = /auth/oauth/check_token

F5 BIG-IP Access Policy Manager (APM)

<13>Sep 1 05:01:20 abc Sep 1 05:01:20 abc run-parts(/etc/cron.hourly)[22380]: finished iprepd_logrotate
