Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
8.0.95

Security Logs

Updated: 2025-12-25

Security Logs mainly record service attack behaviors, including Web app protection, intrusion prevention, Botnet, website access, email security, and DoS attacks. If an attack triggers a security policy, it is recorded in the security log. If an attack event is determined to be a false positive, it can be added to the exceptions so that it is excluded in future. If it is judged to be a real attack, it can be handled according to the solution guidelines provided in the log details. You can export logs for analysis, or enter an IP address or domain name in the search box to find the corresponding log entries. See the figure below.


5.1.1.1.1.1 Security Logs Retrieval Case

A network administrator in an enterprise discovers that a Web server is under attack. The administrator needs to review the Web protection logs to determine the attacking IP address(es), the means used in the attack, and other information.

Step 1. Click Filter and select the search criteria as needed, as shown in the figure below.


Note: If only the Email Protection type is selected, the Advanced option becomes available for filtering the email protection logs.


Start Time/End Time: Select the start time and end time of the query.

Src Zone: Source zones of the logged events.

Src Address: Source IP addresses of the attackers.

Dst Zone: Zones where the destination IP addresses of the attacks reside.

Dst Address: Destination IP addresses targeted by the attackers.

Type: Filter by log type.

Threat Level: Filter by threat level.

Action: Filter by the action taken on the event.

Table 10: Description of Log Search Criteria

Step 2. Select Start Time and End Time as needed. Check the Web App Firewall checkbox to view the Web App Firewall logs, as shown in the following figure.


Step 3. View the Web App Firewall logs, as shown in the following figure.


Note: The logs reveal that the attack source 202.0.165.44 attacked the target server 192.168.254.61.

Step 4. Click View to check whether the attack behavior is a false positive, as shown in the following figure.


Basics: Describes the attack behavior, such as the matching Rule ID and the request method.

Data Packet: Records the complete request information of the data packet. The part highlighted in red is the attack feature that matched the rule.


You can determine whether it is a false positive by viewing the log details. If it is, add the attack event to the exceptions. Click More in the Operation column on the right side of the Security Logs page, and then select Exclude. The Exclude dialog box will appear, as shown in the following figure.


URL: The URL to be matched.

Exclusion Options:

Exclude: Adds the matched Src and Dst IPs, Dst Port, and Rule ID as an exception.

Only exclude requests for the URLs whose parameters match any of the following: The listed parameters are skipped when the Web App Firewall performs website attack detection. For normal business scenarios in which certain request parameters are detected as attacks because of the specific signature strings they contain, select this option to exclude only those parameters rather than the whole request.

Note: The maximum number of logs that can be exported at one time is 100,000 entries.
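The retrieval case above can also be worked offline on an exported log file. The following script is an added example, not part of the product documentation: it applies the same Dst Address, Type and Threat Level criteria as the Filter panel, groups the matching events per attacker, and flags an export that hit the 100,000-entry cap. The column layout, the Allow/Deny action values, the Low/Medium/High level names and the EXAMPLE-RULE ids are assumptions for this example; only the two addresses come from the retrieval case.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. Column layout, Allow/Deny actions, Low/Medium/High
# levels and EXAMPLE-RULE ids are assumptions; check a real export's header
# before reusing this. Only 202.0.165.44 and 192.168.254.61 come from the page.
SAMPLE_EXPORT = """\
time,type,src_address,dst_address,dst_port,rule_id,threat_level,action
2025-12-25 09:01:02,Web App Firewall,202.0.165.44,192.168.254.61,80,EXAMPLE-RULE-1,High,Deny
2025-12-25 09:01:05,Web App Firewall,202.0.165.44,192.168.254.61,80,EXAMPLE-RULE-2,High,Deny
2025-12-25 09:02:11,Web App Firewall,202.0.165.44,192.168.254.61,443,EXAMPLE-RULE-1,Medium,Allow
2025-12-25 09:03:40,Intrusion Prevention,198.51.100.7,192.168.254.61,22,EXAMPLE-RULE-9,Low,Deny
2025-12-25 09:04:00,Web App Firewall,203.0.113.5,192.168.254.20,80,EXAMPLE-RULE-1,Low,Allow
"""

EXPORT_LIMIT = 100_000  # per-export cap stated on this page
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}  # assumed level names

def parse_export(text):
    """Parse a CSV export; an export with EXPORT_LIMIT rows is probably truncated."""
    rows = list(csv.DictReader(io.StringIO(text)))
    truncated = len(rows) >= EXPORT_LIMIT
    return rows, truncated

def filter_logs(rows, dst_address=None, log_type=None, min_level="Low"):
    """Apply the Filter panel's Dst Address, Type and Threat Level criteria."""
    return [
        r for r in rows
        if (dst_address is None or r["dst_address"] == dst_address)
        and (log_type is None or r["type"] == log_type)
        and LEVEL_RANK.get(r["threat_level"], 0) >= LEVEL_RANK[min_level]
    ]

def summarize_attackers(rows):
    """Per source IP: event count, rule IDs matched, and requests that were allowed through."""
    summary = defaultdict(lambda: {"events": 0, "rules": Counter(), "allowed": 0})
    for r in rows:
        entry = summary[r["src_address"]]
        entry["events"] += 1
        entry["rules"][r["rule_id"]] += 1
        entry["allowed"] += r["action"] == "Allow"
    return dict(summary)

if __name__ == "__main__":
    rows, truncated = parse_export(SAMPLE_EXPORT)
    hits = filter_logs(rows, dst_address="192.168.254.61", log_type="Web App Firewall")
    for src, info in sorted(summarize_attackers(hits).items()):
        print(src, info["events"], "events", dict(info["rules"]), info["allowed"], "allowed")
```

Events with action Allow against the attacked server are the ones worth inspecting first in the Data Packet view, since a rule that logged but did not block may need its action tightened rather than an exclusion.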