Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

Understanding OWASP WAF Logs





When reviewing the Kemp WAF logs there is no "action" indicated in the logs. Do the WAF logs show if there is an action to drop traffic or if the traffic successfully reaches the server?


Product: LoadMaster

Version: Any

Platform: Any

Application: HTTP(S) Based

Question/Problem Description:

How to understand which WAF logs depict that a connection has been blocked?

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  

 There are three audit modes that determine what information is logged:
No Audit: No data is logged.
Audit Relevant: Logs data that is of a warning level and higher. This is the default option for this setting.
Audit All: Logs all data through the Virtual Service.

If a connection does not reach the full Anomaly Scoring Threshold but triggers a rule, the connection will be logged at the "Warning" level.
The warning logs will look similar to the following:

Warning. Pattern match

If the connection reaches the anomaly threshold, the connection will be blocked. 
Within the log files, the connection is logged at the "Critical" level. The user will receive "Access Denied".
These logs will look similar to the following:

Access denied with code 403

Was this article helpful?
1 out of 3 found this helpful



T.Mike Curry

Where are the WAF log files? How do I view them?