# Log Exporters

<figure><img src="/files/G0wyHBpTBkp26SnAipNn" alt=""><figcaption></figcaption></figure>

## Overview

Log Exporters allow admins to stream event data to an outside destination, e.g. a SIEM solution. Every few seconds, Link11 WAAP bundles and exports the most recent traffic events from its internal logs.

If desired, data values can be truncated according to settings in the [System DB](/console-walkthrough/system/system-db.md#limiting-log-exporter-data-lengths).

{% hint style="info" %}
For details of the protocols and format of the event data, see [Log Exporter Output](/reference-information/log-exporter-output.md).
{% endhint %}

{% hint style="warning" %}
There is a known issue when attempting to create a new Log Exporter. [More info](/known-issues.md#log-exporters)
{% endhint %}

Below is a discussion of the console interface for configuring Log Exporters.&#x20;

## Usage within applications and APIs

Log Exporters operate at the system level. Admins can configure them for specific [server groups](/console-walkthrough/sites/server-groups.md), or for the entire planet.&#x20;

## Administration <a href="#administration" id="administration"></a>

The main Log Exporter window lists all currently defined Log Exporters.

The administration (addition/deletion/editing/versioning) of Log Exporters follows the conventions described [here](/how-link11-waap-works/ui-overview-and-common-elements.md#configuration-and-administration).

## Parameters

<figure><img src="/files/0JfeAuGMR5SwCrHBwKWQ" alt=""><figcaption></figcaption></figure>

### Name

A unique name for use within L11WAAP.

### Status

Whether or not this Log Exporter is currently active.

### Destination IP

The destination IP to which event data will be sent.

### Port

The port to which event data will be sent.

### Server Groups

The specific server groups for which event data will be sent.

### Include encoded request data

When this is enabled, exported data will include a Base64-encoded representation of the HTTP request: its headers, cookies, and query arguments. This enables customer admins to extract and inspect the auth token and other metadata required for customer identification and security analysis.

Request data will be truncated (if necessary) to the [maximum lengths and parameter limits configured in the System DB](/console-walkthrough/system/system-db.md#limiting-log-exporter-data-lengths), then encoded for export.

### Transport protocol

The protocol to use while streaming the event data.

* **TCP:** Event data will be streamed over TCP.
* **TCP + TLS (Trusted)**: Event data will be streamed over HTTPS. When this is selected, an additional control will appear for uploading a PEM file containing the TLS certificate for the data's destination. The system will validate the certificate upon upload.
* **TCP + TLS (Untrusted)**: Event data will be streamed over HTTPS, but the system will not use a certificate.

### Requests to export

* **Blocked**: Export only the requests blocked by L11WAAP.&#x20;
* **All**: Export all the requests blocked or passed by L11WAAP.

{% hint style="info" %}
Note that currently, Log Exporters can not include requests challenged by L11WAAP, or blocked by the origin.
{% endhint %}

## Troubleshooting

If a Log Exporter has been configured but is not streaming data:

1. Verify that it is in [Active mode](#status).
2. If its [Protocol](#transport-protocol) is **TCP + TLS (Trusted)**, verify that the certificate is valid and has not expired.

If a Log Exporter is streaming truncated data, verify the data-length limits set in the [System DB](/console-walkthrough/system/system-db.md#limiting-log-exporter-data-lengths).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://waap.docs.link11.com/console-walkthrough/system/log-exporters.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.