Monitoring Attacks, Statistics, Log Files, Reports
Recording and analyzing access and server data is important for several reasons:
- You can see the points at which possible attacks are carried out, and use this information to further optimize your protection measures in the future.
- You can see the points at which security measures might possibly be too restrictive and thus prevent legitimate users from using your web application. vWAF can even provide suggestions on how to optimize your configuration.
- You comply with any potential legal or contractual regulations requiring you to keep records.
In vWAF you have access to the following dashboards and records:
Attack Status
- The current attack status of each application is indicated by a colored symbol both on the Home page (see Starting Administration) and in Application Control (see Application Control).
- When you select an individual application in Application Control and then activate the tab, you get a detailed view of the severity and type of attacks that have been launched within a specific period of time. Also you get information on the attacked hosts, attackers and attack points (see Attack Analysis).
Statistics
- Detailed graphical statistics can be accessed via the Application Statistics tab. They show the distribution of accepted and denied requests according to the time and the individual handlers (see Application Statistics).
- Cluster slave statistics show the load and status of individual cluster slaves (see Managing Deciders).
Reports
Application-specific, consolidated reports provide a printable summary of the current configuration and of the most recent events in PDF format (see Reports).
Log Files
- Log files contain host-specific logs from all internal system events and error messages (see Log Files).
- The Default Error Log logs events that don’t relate to any specific application. This includes invalid requests, or requests with a host name that doesn’t match any of the configured hosts in vWAF (see Default Error Log).
- The Audit Log contains a list of the actions of all administrators (see Audit Log).
- The Event Log displays a table of all status changes (see Event Log.)
In addition, you can also create a special, individual log file for alerts (see Configuring Alerts).
Log data can be sent to one or multiple log back-ends, and they can be downloaded (see Exporting Log Files).
Additional Log Files That Cannot Be Accessed via the Administration Interface
In addition to the log files mentioned above (application-specific log files, Default Error Log, Audit Log, Event Log), there are some more log files, which are usually only needed for debugging:
- Each enforcer writes its own enforcer log files. By default, the enforcers use the log framework of the web server that they are running on. So the web server configuration determines where the log files are stored. On Apache, for example, the standard destination is /var/log/httpd/errors_log.
- The deciders, the administration master, and the administration slaves write their log files to the same directory where the application specific log files are stored. This is the directory $ZEUSHOME/stingrayafm/generic/log/, and on the master the directory $ZEUSHOME/stingrayafm/generic/logmaster/.
You can change the path to which the additional log files are stored in the configuration file zeusafm.conf via the attribute “logDir” (see System Configuration).