-
Notifications
You must be signed in to change notification settings - Fork 150
N1C F5 WAF Log Profile documentation #1779
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
8 commits
Select commit
Hold shift + click to select a range
5fa0702
N1C F5 WAF Log Profile documentation
sylwang 3bd958f
update doc ref links
sylwang 7a021bf
address feedback
sylwang 8fdca2c
Merge branch 'main' into n1c-log-profile-release
yfeinblum 9970c6b
Apply suggestion from @JTorreG
JTorreG 255a4b3
Apply suggestions from code review
JTorreG e662b3a
Apply suggestions from code review
sylwang 316ff79
update release date
sylwang File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
17 changes: 17 additions & 0 deletions
17
content/includes/nginx-one-console/add-file/existing-log-profile.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| --- | ||
| nd-product: NONECO | ||
| nd-files: | ||
| - content/nginx-one-console/nginx-configs/config-sync-groups/add-file-csg.md | ||
| - content/nginx-one-console/nginx-configs/one-instance/add-file.md | ||
| --- | ||
|
|
||
| With this option, you can deploy an existing log profile that you created in NGINX One Console. | ||
| In the **Select a Log Profile** drop-down menu, select the log profile of your choice. Then take the following steps: | ||
|
|
||
| 1. In **Log Profile Destination**, specify the file path where the log profile bundle should be deployed, such as `/etc/app_protect/conf/log_default.tgz`. | ||
| 1. Select **Add**. NGINX One Console displays a code snippet for using the log profile bundle in your NGINX configuration. | ||
| 1. Paste the code snippet into your NGINX configuration. The snippet includes the required directives as described in the [WAF logging documentation](https://docs.nginx.com/waf/logging/security-logs/#directives-in-nginxconf): | ||
| - `app_protect_security_log_enable on` | ||
| - `app_protect_security_log` with the log profile bundle path and destination | ||
| 1. Select **Next** and then **Save and Publish**. | ||
| When publication is complete, you'll be returned to the **Configuration** tab where you can see the updated configuration. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
7 changes: 7 additions & 0 deletions
7
content/nginx-one-console/waf-integration/log-profiles/_index.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| --- | ||
| title: Manage log profiles | ||
| weight: 200 | ||
| url: /nginx-one-console/waf-integration/log-profiles | ||
| --- | ||
|
|
||
| Configure and manage log profiles for F5 WAF for NGINX security logging through the NGINX One Console. Learn how to set up, review, deploy, and manage log profiles. |
127 changes: 127 additions & 0 deletions
127
content/nginx-one-console/waf-integration/log-profiles/configure-log-profiles.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,127 @@ | ||
| --- | ||
| title: "Configure log profiles" | ||
| nd-summary: | ||
| weight: 650 | ||
| toc: true | ||
| nd-content-type: how-to | ||
| nd-product: NONECO | ||
| nd-summary: Configure F5 WAF for NGINX security log profiles in NGINX One Console, controlling request filtering (all/illegal/blocked), log format (default/Splunk/ArcSight/custom), size limits, and deployment to NGINX instances via compiled .tgz bundles. | ||
| --- | ||
|
|
||
| This document describes how to configure log profiles for F5 WAF for NGINX security logs in F5 NGINX One Console. Security logs contain information about HTTP requests and responses, how F5 WAF for NGINX processes them, and the final decision made based on your configured policy. Log profiles define which information is captured, the format of log messages, the destination for logs, and the filtering criteria for security events. | ||
|
|
||
| ## Overview | ||
|
|
||
| In NGINX One Console, you configure **Log Profiles** to control security logging for F5 WAF for NGINX. Security logs (also called Request logs or Traffic logs) provide visibility into what F5 WAF for NGINX detects and how it processes traffic according to your policies. F5 WAF for NGINX uses its own logging mechanism rather than NGINX's default access logging. | ||
|
|
||
| With Log Profiles, you control: | ||
|
|
||
| - **Filtering**: Which requests are logged (all requests, requests with violations, or blocked requests only) | ||
| - **Format**: How log messages are structured (default, custom, Splunk, ArcSight, or BIG-IQ formats) | ||
| - **Destination**: Where logs are sent (file or syslog server) | ||
| - **Content**: What information is included in each log message (request details, violations, attack signatures, and more) | ||
| - **Size limits**: Maximum sizes for log messages and request data | ||
|
|
||
|
|
||
| For detailed information about security logging capabilities and available log attributes, see [Security Logs]({{< ref "/waf/logging/security-logs.md" >}}) and [Security logs examples]({{< ref "/waf/logging/security-logs.md#examples" >}}). | ||
|
|
||
| ## Add a log profile | ||
|
|
||
| From NGINX One Console, select **WAF** > **Log Profiles**. In the screen that appears, select **Add Log Profile**. This action opens a screen where you can: | ||
|
|
||
| - In **General Settings**, name and describe the log profile | ||
| - Configure the filter settings to determine which requests are logged | ||
| - Set the content format and options for how log messages are structured | ||
|
|
||
| After you finish configuring all the settings, select **Add Profile** to save your log profile. | ||
|
|
||
| ## Configure filter settings | ||
|
|
||
| The **Request Type** filter determines which requests are logged based on what F5 WAF for NGINX detects: | ||
|
|
||
| - **All**: Logs all requests, both legal and illegal | ||
| - **Illegal**: Logs requests with violations (alerted or blocked) | ||
| - **Blocked**: Logs requests with violations that were blocked | ||
|
|
||
| Select the filter option that matches your monitoring and compliance needs. For production environments, you might start with **Blocked** to reduce log volume, then expand to **Illegal** or **All** as needed for troubleshooting. | ||
|
|
||
| ## Configure content settings | ||
|
sylwang marked this conversation as resolved.
|
||
|
|
||
| The content section specifies the format and structure of log messages. | ||
|
|
||
| ### Format options | ||
|
|
||
| Select one of the following log formats: | ||
|
|
||
| - **Default**: Default format for F5 WAF for NGINX with comma-separated key-value pairs | ||
| - **GRPC**: Variant of the default format suited for gRPC traffic | ||
| - **User-defined**: Custom format that you define using a format string with placeholders | ||
| - **Splunk**: Formatted for Splunk SIEM with F5 plugin | ||
| - **ArcSight**: Formatted according to ArcSight Common Event Format (CEF) with custom fields adapted for F5 | ||
| - **BIG-IQ**: Formatted for BIG-IQ, the F5 centralized management platform for BIG-IP | ||
|
|
||
| ### Size limits | ||
|
|
||
| Configure size restrictions for log messages: | ||
|
|
||
| - **Max request size**: Limit in bytes for the `request` and `request_body_base64` fields (range: 1-10240 bytes, default: 2000 bytes). You can also set this to `any`, which is synonymous with 10240 bytes. | ||
| - **Max message size**: Total size limit in KB for the entire log message (range: 1k-64k, default: 2k). Must not be smaller than `max_request_size`. | ||
|
|
||
| ### Custom formatting | ||
|
|
||
| If you select **User-defined** format, you can create a custom format string using placeholders for log attributes. For example: | ||
|
|
||
| ``` | ||
| Request ID %support_id%: %method% %uri% received on %date_time% from IP %ip_client% had the following violations: %violations% | ||
| ``` | ||
|
|
||
| Each attribute name is delimited by percent signs (for example, `%violation_rating%`). Available placeholders include attributes like `%ip_client%`, `%request%`, `%violations%`, `%attack_type%`, and many others. See the [Available security log attributes]({{< ref "/waf/logging/security-logs.md#available-security-log-attributes" >}}). | ||
|
|
||
| ### Advanced options | ||
|
|
||
| You can configure additional formatting options for how list values appear in your logs: | ||
|
|
||
| - **List delimiter**: Character or string that separates list elements (default: comma) | ||
| - **List prefix**: Character or string that starts a list (default: none) | ||
| - **List suffix**: Character or string that ends a list (default: none) | ||
| - **Escaping characters**: Replace specific characters in log values with alternative characters. Configure the `from` character to be replaced and the `to` result character. | ||
|
|
||
| For detailed information about the JSON structure of security log configuration files (used in the Log Profile JSON section), see [Security log configuration file]({{< ref "/waf/logging/security-logs.md#security-log-configuration-file" >}}). | ||
|
|
||
| ## Compile the log profile | ||
|
|
||
| Before deploying a log profile, you can optionally compile the JSON configuration file into a bundle. If you don't compile manually, the deployment process will automatically compile the log profile. | ||
|
|
||
| The compiled bundle is in compressed tar format (.tgz) and contains all the necessary configuration to enable security logging on your NGINX instances. | ||
|
|
||
| ### Manage bundles for different compiler versions | ||
|
|
||
| From the Log Profiles list, you can manage compiled bundles for your log profiles: | ||
|
|
||
| 1. Go to **WAF** > **Log Profiles**. You'll see a list of all log profiles. | ||
| 2. In the **Actions** column for a log profile, you can: | ||
| - **Edit**: Open the log profile configuration editor to reconfigure settings | ||
| - **Make a Copy**: Create a new log profile by copying the JSON content | ||
| - **Deploy**: Deploy the log profile to instances or Config Sync Groups | ||
| - **Download JSON**: Download the log profile JSON configuration | ||
| - **Manage Bundles**: View and manage compiled bundles for different WAF compiler versions | ||
| - **Delete**: Remove the log profile | ||
|
|
||
| When you select **Manage Bundles**, you'll see all supported WAF compiler versions. For each version, you can see whether the log profile is compiled for that version. You can: | ||
|
|
||
| - **Compile**: Compile the log profile into a bundle for a specific compiler version | ||
| - **Download**: Download an existing compiled bundle for a specific compiler version | ||
|
|
||
| This allows you to maintain compatibility with different versions of F5 WAF for NGINX across your infrastructure. | ||
|
|
||
| ## Deploy the log profile | ||
|
|
||
| After saving a log profile, deploy it to your NGINX instances to enable logging of WAF security events. See [Deploy log profiles]({{< ref "/nginx-one-console/waf-integration/log-profiles/deploy-log-profiles.md" >}}) for detailed deployment steps. | ||
|
|
||
| The deployment process configures the required NGINX directives (`app_protect_security_log_enable` and `app_protect_security_log`) and ensures the log profile bundle is accessible to your instances. For detailed information about these directives and their configuration options, see [Security log directives]({{< ref "/waf/logging/security-logs.md#directives-in-nginxconf" >}}). | ||
|
|
||
| For container-specific setup requirements, see the [Log profiles]({{< ref "/nginx-one-console/waf-integration/overview.md#log-profiles" >}}) configuration section in the overview. | ||
|
|
||
| ## Review and manage log profiles | ||
|
|
||
| From NGINX One Console, you can review the log profiles you've saved. For detailed information about reviewing and managing log profiles, see [Review log profiles]({{< ref "/nginx-one-console/waf-integration/log-profiles/review-log-profiles.md" >}}). | ||
70 changes: 70 additions & 0 deletions
70
content/nginx-one-console/waf-integration/log-profiles/deploy-log-profiles.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| --- | ||
| title: "Deploy log profiles" | ||
| weight: 660 | ||
| toc: false | ||
| nd-content-type: how-to | ||
| nd-product: NONECO | ||
| nd-summary: Deploy WAF log profiles in NGINX One Console to instances or Config Sync Groups via Actions > Deploy or through the config editor (Add File > Existing Log Profile), auto-compiling if needed, then verify deployment by confirming directives and checking security log output. | ||
| --- | ||
|
sylwang marked this conversation as resolved.
|
||
|
|
||
| After you've set up a log profile, it won't capture security events until you deploy it to instances or Config Sync Groups. | ||
|
|
||
| ## Before you begin | ||
|
|
||
| Before following the steps in this document, create a log profile in NGINX One Console that you're ready to deploy. | ||
|
|
||
| ## Deploy a log profile | ||
|
|
||
| To deploy a log profile from NGINX One Console, take the following steps: | ||
|
|
||
| 1. Select **WAF** > **Log Profiles**. | ||
| 1. Select the log profile that you're ready to deploy. | ||
| 1. From **Actions**, select **Deploy**. | ||
| 1. In the **Deploy Log Profile** window that appears, you can confirm the name of the current log profile. NGINX One Console defaults to the selected log profile. | ||
| 1. In the **Target** section, select Instance or Config Sync Group. | ||
| 1. In the drop-down menu that appears, select the instance or Config Sync Group. | ||
| 1. Choose how to deploy the log profile: | ||
| - **Add a new log profile path**: Specify a new file path where the log profile bundle should be deployed | ||
| - **Update all log profiles**: Sync all log profiles on the target instance or Config Sync Group. This updates all existing log profiles by compiling their latest JSON contents into bundles and deploying them to all existing file paths | ||
|
|
||
| If the log profile has not already been compiled for the WAF compiler version used by the target instance or Config Sync Group, NGINX One Console automatically compiles it into a bundle before deployment. | ||
|
|
||
| ## Alternative: Deploy during configuration editing | ||
|
|
||
| You can also deploy a log profile directly when editing the NGINX configuration for an instance or Config Sync Group. This method integrates log profile deployment into your regular configuration workflow. | ||
|
|
||
| To deploy a log profile using the configuration editor: | ||
|
|
||
| 1. Select **Instances** or **Config Sync Groups** and choose the target instance or Config Sync Group. | ||
| 1. Select the **Configuration** tab and then **Edit Configuration**. | ||
| 1. Select **Add File** and then choose **Existing Log Profile**. | ||
| 1. In the **Select a Log Profile** drop-down menu, select the log profile you want to deploy. | ||
| 1. In **Log Profile Destination**, specify the file path where the log profile bundle should be deployed, such as `/etc/nginx/app_protect/log_default.tgz`. | ||
| 1. Select **Add**. NGINX One Console displays a code snippet with the required directives. | ||
| 1. Paste the code snippet into your NGINX configuration. The snippet includes: | ||
|
sylwang marked this conversation as resolved.
|
||
| - `app_protect_security_log_enable on` | ||
| - `app_protect_security_log` with the log profile bundle path and destination | ||
|
|
||
| For example: | ||
| ``` | ||
| app_protect_security_log_enable on; | ||
| app_protect_security_log /etc/nginx/log-profile-bundle.tgz syslog:server=localhost:514; | ||
| ``` | ||
|
|
||
| 1. Select **Next** and then **Save and Publish**. | ||
|
|
||
| For more information about adding files through the configuration editor, see [Add a file to a Config Sync Group]({{< ref "/nginx-one-console/nginx-configs/config-sync-groups/add-file-csg.md" >}}) or [Add a file to an instance]({{< ref "/nginx-one-console/nginx-configs/one-instance/add-file.md" >}}). | ||
|
|
||
| ## Verify log profile deployment | ||
|
|
||
| After deployment, verify that your log profile is active on the target instances or Config Sync Groups: | ||
|
|
||
| 1. Confirm that the NGINX configuration includes the required directives: | ||
| - `app_protect_security_log_enable on` | ||
| - `app_protect_security_log` with the correct log profile bundle path and destination | ||
|
|
||
| 2. Check that security logs are being generated at the configured destination (file path or syslog server). | ||
|
|
||
| 3. Review the log entries to ensure they match the format and filter settings you configured in the log profile. | ||
|
|
||
| To troubleshoot log profile deployment issues, see the [Container-related configuration requirements]({{< ref "/nginx-one-console/waf-integration/overview.md#container-related-configuration-requirements" >}}) section to ensure volumes and paths are correctly configured. | ||
28 changes: 28 additions & 0 deletions
28
content/nginx-one-console/waf-integration/log-profiles/log-profile-api.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| --- | ||
| title: "Set log profiles through the API" | ||
| weight: 810 | ||
| toc: true | ||
| nd-content-type: reference | ||
| nd-product: NONECO | ||
| nd-summary: NGINX One Console API enables full CRUD management of WAF log profiles, plus listing deployments (target, time, status) and compiling profiles into .tgz bundles for specific WAF compiler versions with optional download. | ||
| --- | ||
|
sylwang marked this conversation as resolved.
|
||
|
|
||
| You can use F5 NGINX One Console API to manage log profiles. With our API, you can: | ||
|
sylwang marked this conversation as resolved.
|
||
|
|
||
| - [List log profiles]({{< ref "/nginx-one-console/api/api-reference-guide/#operation/listWafLogProfiles" >}}) | ||
| - Returns WAF log profiles. | ||
| - [Create a log profile]({{< ref "/nginx-one-console/api/api-reference-guide/#operation/createWafLogProfile" >}}) | ||
| - Creates WAF log profile. | ||
| - [Get log profile details]({{< ref "/nginx-one-console/api/api-reference-guide/#operation/getWafLogProfile" >}}) | ||
| - Returns WAF log profile details, including the JSON configuration contents. | ||
| - [Update log profile details]({{< ref "/nginx-one-console/api/api-reference-guide/#operation/updateWafLogProfile" >}}) | ||
| - Updates WAF log profile details. | ||
| - [Delete a log profile]({{< ref "/nginx-one-console/api/api-reference-guide/#operation/deleteWafLogProfile" >}}) | ||
| - Deletes WAF log profile. | ||
| - [List log profile deployments]({{< ref "/nginx-one-console/api/api-reference-guide/#operation/listWafLogProfileDeployments" >}}) | ||
| - Returns WAF log profile deployments, providing details such as: | ||
| - Target of the deployment, either an instance or CSG | ||
| - Time of deployment | ||
| - Deployment status | ||
| - [Compile a log profile]({{< ref "/nginx-one-console/api/api-reference-guide/#operation/compileWafLogProfile" >}}) | ||
| - Compiles the log profile into a bundle (.tgz) for a specific WAF compiler version. Use `download=true` to download the compiled bundle, or `download=false` to retrieve the compilation status (whether the bundle is already compiled or compilation is pending). | ||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.