Log Request Response Handler

Purpose

When in detection mode, the handler only logs requests but no responses.

The Log Request Response Handler logs all requests, including POST arguments, in a special log file. In addition, the Log Request Response Handler also logs response data. This information is used later by the Suggest Rules Wizard as the starting point for the suggested rules. The temporary activation of the Log Request Response Handler is therefore an essential requirement for using the Suggest Rules Wizard.

For more information regarding adding and editing Handlers, see Editing Handlers.

Severity

Events triggered by this handler are given the severity "low". (For details on severity levels, see Severity of Events Triggered by Handlers.)

Recommendations for use

Usually, the Log Request Response Handler isn’t configured manually, but by the Suggest Rules Wizard when you run this wizard for the first time.

Once the Log Request Response Handler has collected data across a sufficient period of time, you should delete it again so that the log database it creates does not grow too large. In high-load phases the logging process can also have a negative impact on performance. To deactivate the Log Request Response Handler and to obtain a set of suggested rules based on the logged data, run the Suggest Rules Wizard a second time.

How long the Log Request Response Handler should remain active depends primarily on the traffic, structure and complexity of your web application. It isn’t easy to make a blanket statement here, but a thousand hits usually provide a solid basis. It is also important that the hits don't always call up the same pages, but in fact cover all pages, with data from all form fields. An alternative method is to run the Log Request Response Handler on a test system on which all relevant pages are tested in depth.

Attributes

Attribute Meaning

content types

The handler only analyzes and logs requests and responses of the specified content types. Requests and responses of all other content types are ignored.

file extensions

The handler only evaluates files that match one of the given file extensions.

omit keys value

The handler does not log values of the specified keys. Here you should specify all fields with sensitive data that should be excluded from logging for reasons of security, such as passwords or personal data.

log request in detection mode

When this option is enabled, vWAF logs request arguments not only when in protection mode, but also when in detection mode (see Detection Mode, Protection Mode).

ATTENTION
This always logs request arguments, even if your web application generates a 4xx error message for this request. This can result in learning invalid requests.

log response

When this option is enabled, the handler logs both requests and arguments from response bodies. If the option is disabled, the handler only logs requests.

usertext

Optional:

Here you can specify some text that vWAF adds to the log file entries created by this handler. You can use this, for example, to document why you've added the handler to your configuration, and how the handler is intended to behave.

For details regarding entries added to the log file by this handler, see the relevant section in Entries in Application-Specific Log Files.
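The following Python sketch models how the attributes above interact on sample traffic. It is an added illustration, not vWAF code: the setting names, the record layout, the `<omitted>` placeholder and the matching rules (case-insensitive, content-type parameters ignored) are assumptions.

```python
import posixpath
from urllib.parse import parse_qsl, urlsplit

# Hypothetical settings, named after the attributes in the table above.
CONFIG = {
    "content_types": {"application/x-www-form-urlencoded"},
    "file_extensions": {"php", "html"},
    "omit_keys_value": {"password", "iban"},
}
OMITTED = "<omitted>"  # assumed placeholder; the real log format may differ


def in_scope(url, content_type, cfg):
    """Apply the 'content types' and 'file extensions' filters."""
    # Assumption: parameters such as '; charset=UTF-8' are ignored and
    # matching is case-insensitive.
    media_type = content_type.split(";", 1)[0].strip().lower()
    ext = posixpath.splitext(urlsplit(url).path)[1].lstrip(".").lower()
    return media_type in cfg["content_types"] and ext in cfg["file_extensions"]


def redact_args(body, cfg):
    """Keep every key, drop the value of keys listed in 'omit keys value'."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return [(k, OMITTED if k in cfg["omit_keys_value"] else v) for k, v in pairs]


def log_entry(url, content_type, body, status, cfg=CONFIG):
    """Return the record a logger would write, or None if out of scope."""
    if not in_scope(url, content_type, cfg):
        return None
    return {"path": urlsplit(url).path, "status": status,
            "args": redact_args(body, cfg)}


def split_for_review(entries):
    """Separate entries answered with 4xx so they are not learned as valid."""
    valid = [e for e in entries if not 400 <= e["status"] < 500]
    rejected = [e for e in entries if 400 <= e["status"] < 500]
    return valid, rejected


# Constructed sample traffic: (url, content type, POST body, response status).
SAMPLE = [
    ("/login.php", "application/x-www-form-urlencoded; charset=UTF-8",
     "user=alice&password=s3cret", 200),
    ("/login.php?next=/", "application/x-www-form-urlencoded",
     "user=bob&password=x&debug=1", 404),
    ("/img/logo.png", "image/png", "", 200),
]
```

The second sample request is the case the ATTENTION note describes: it is in scope and gets logged, so it is set aside by its 4xx status before the logged data is used as a basis for rules.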