# Log
# Blocking Log
The blocking log is stored in error.log. The log level of the blocking log is ALERT.
The format is ngx_waf: [rule type][specific rule triggered].
You can use the following command to quickly view the blocking log.
cat /path/to/error.log | grep ngx_waf:
Here are two examples.
2020/01/20 22:56:30 [alert] 6666#0: *30 ngx_waf: [BLACK-URL][(?i)(?:/\.env$)], client: 192.168.1.1, server: example.com, request: "GET /v1/.env HTTP/1.1", host: "example.com", referrer: "http:/example.com/v1/.env"
2020/01/20 22:58:40 [alert] 6667#0: *11 ngx_waf: [BLACK-POST][(?i)(?:select.+(?:from|limit))], client: 192.168.1.1, server: example.com, request: "POST /xmlrpc.php HTTP/1.1", host: "example.com", referrer: "https://example.com/"
# Debugging Log
When you adjust the error log level to debug in the nginx configuration file,
the debug log will be output in error.log for troubleshooting purposes.
for troubleshooting purposes. The format is ngx_waf_debug: debug information.
You can use the following command to quickly view the debug log.
cat /path/to/error.log | grep ngx_waf_debug:
Below is a typical modulation log that illustrates the flow of a CC defense detection.
2021/02/21 20:35:33 [debug] 6666#0: *1 ngx_waf_debug: Start the CC inspection process.
2021/02/21 20:35:33 [debug] 6666#0: *1 ngx_waf_debug: The module context has been obtained.
2021/02/21 20:35:33 [debug] 6666#0: *1 ngx_waf_debug: The configuration of the module has been obtained.
2021/02/21 20:35:33 [debug] 6666#0: *1 ngx_waf_debug: Detection has begun.
2021/02/21 20:35:33 [debug] 6666#0: *1 ngx_waf_debug: Shared memory is locked.
2021/02/21 20:35:33 [debug] 6666#0: *1 ngx_waf_debug: Shared memory is unlocked.
2021/02/21 20:35:33 [debug] 6666#0: *1 ngx_waf_debug: Detection is over.
2021/02/21 20:35:33 [debug] 6666#0: *1 ngx_waf_debug: The CC detection process is fully completed.
SENSITIVE INFORMATION DISCLOSURE
In the latest Current version, debug logs may contain some sensitive information, such as data received and sent by the server, CAPTCHA keys, etc.
When providing debug logs it is recommended to send them to us via email. You can find our email address here (opens new window).
# Customised Log Format
nginx allows custom log formats, and a server block can write to multiple log files at the same time, giving us the opportunity to customise our log formats. This module provides some built-in Variables that can be used to customise the blocking log with a little effort.
Here is an example.
...
http {
...
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format yaml '- remote_addr: "$remote_addr"\n'
' remote_user: "$remote_user"\n'
' time_local: "$time_local"\n'
' request: "$request"\n'
' status: "$status"\n'
' body_bytes_sent: "$body_bytes_sent"\n'
' http_referer: "$http_referer"\n'
' http_user_agent: "$http_user_agent"\n'
' http_x_forwarded_for: "$http_x_forwarded_for"\n'
' waf_blocked: $waf_blocked\n'
' waf_spend: $waf_spend\n'
' waf_rule_type: "$waf_rule_type"\n'
' waf_rule_details: "$waf_rule_details"\n';
server {
...
access_log logs/access.log main;
access_log logs/access.yml yaml if=$waf_log;
access_log logs/waf.yml yaml if=$waf_blocking_log;
...
}
...
}
...
The above configuration stores the normal log format in logs/access.log,
while the yaml format logs are stored in logs/access.yml.
It is worth noting that yaml format logs use the three built-in variables provided by the module.
You can easily read `logs/access.The above configuration will have the following effect.
- normal access logs are written to
logs/access.log. - YAML-formatted access logs are written to
logs/access.yml. - YAML-formatted intercept logs are written to
logs/waf.yml.
Log analysis
You can customize the log format, and then programmatically analyze it and make statistical graphs.
ABOUT YAML FORMAT
YAML is a highly readable data serialisation format that is very easy to learn. As long as you can read JSON, learning YAML will be a snap. You can search for a description of the YAML format yourself.