Log Exporter Output

Last updated 1 month ago

Link11 WAAP can stream traffic events via Log Exporters, e.g. to a SIEM solution.

Data collection

Each active Log Exporter streams events continually, in near-real time.

L11WAAP gathers events for a few seconds, or until a certain amount of data has been accumulated, and then sends them all together. The latency between the actual events occurring and their receipt at the destination will generally be less than 30 seconds.

Data protocols

L11WAAP sends logs using the Syslog RFC 5424 protocol.

The available transport protocols are:

  • TCP

  • TCP + TLS (requires SSL certificate)

  • UDP (not MVP)

Data format

By default, event messages are only sent for requests blocked by L11WAAP.

The following requests are not included in the event stream:

  • Requests passed by L11WAAP (unless the Log Exporter is in "all" mode)

  • Requests challenged by L11WAAP, but not blocked

  • Requests blocked by the origin

Each line is structured as follows:

<PRI>VERSION ISOTIMESTAMP HOSTNAME APPLICATION PID MESSAGEID STRUCTURED-DATA MSG

...with these fields:

| Field | Description | Default value |
|---|---|---|
| PRI | priority | 13 [log audit] |
| VERSION | version | 1 |
| ISOTIMESTAMP | timestamp of message | timestamp in ISO format |
| HOSTNAME | hostname | reblazer |
| APPLICATION | application | - [a hyphen, i.e. no data] |
| PID | process id | - [a hyphen, i.e. no data] |
| MESSAGEID | message id | - [a hyphen, i.e. no data] |
| STRUCTURED-DATA | structured Data | - [a hyphen, i.e. no data] |
| MSG | message body | The rest of the message (see details below) |
| END OF LINE | Custom EOL string | **NF** [meaning "nothing follows"] |

Each message body contains the following fields, separated by spaces, in the order shown. Strings are enclosed in double quotes.

| Field | Data type | Notes |
|---|---|---|
| REMOTE_ADDR | string | |
| TIMESTAMP | timestamp | |
| STATUS | integer | |
| BYTES_SENT | integer | |
| REQUEST | string | Path only, without the query |
| BLOCKED | boolean | |
| IS_HUMAN | boolean | |
| BLOCK_REASON | string | The reason that a request was blocked. If more than one block reason exists, only the first will be included. |
| GEOIP_COUNTRY_NAME | string | |
| GEOIP_COUNTRY_CODE | string | |
| REQUEST_ID | string | |
| CAPTURED_VECTOR | string | Relevant only for content filter rules; includes the type of the field (e.g. header) and its name. |
| REQUEST_TIME | float | |
| UPSTREAM_ADDR | string | Will be a hyphen if the request did not reach the upstream. |
| UPSTREAM_RESPONSE_TIME | float | Will be a hyphen if the request did not reach the upstream. |
| UPSTREAM_STATUS | integer | The status code returned by the upstream server, if any. Will be a hyphen if the request did not reach the upstream. |
| DOMAIN_NAME | string | The server group. |
| HOST | string | |
| REFERER | string | |
| HTTP_USER_AGENT | string | |
| ORGANIZATION | string | |
| SSL_PROTOCOL | string | |
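
A receiver-side parser for the line layout and message body described above, as an added example that is not Link11's own code. It assumes the EOL string is sent literally as `**NF**`, booleans arrive as `true`/`false`, the body TIMESTAMP contains no spaces, and quoted strings contain no embedded double quotes; none of these details are specified on this page, and all sample values are constructed.

```python
import re

# Message-body field order, exactly as listed in the table above.
FIELDS = ["REMOTE_ADDR", "TIMESTAMP", "STATUS", "BYTES_SENT", "REQUEST", "BLOCKED",
          "IS_HUMAN", "BLOCK_REASON", "GEOIP_COUNTRY_NAME", "GEOIP_COUNTRY_CODE",
          "REQUEST_ID", "CAPTURED_VECTOR", "REQUEST_TIME", "UPSTREAM_ADDR",
          "UPSTREAM_RESPONSE_TIME", "UPSTREAM_STATUS", "DOMAIN_NAME", "HOST",
          "REFERER", "HTTP_USER_AGENT", "ORGANIZATION", "SSL_PROTOCOL"]
EOL = "**NF**"  # assumption: the custom EOL string is sent literally like this


def to_bool(raw):
    return raw.lower() in ("true", "1")  # assumption: boolean encoding


CASTS = {"STATUS": int, "BYTES_SENT": int, "UPSTREAM_STATUS": int,
         "REQUEST_TIME": float, "UPSTREAM_RESPONSE_TIME": float,
         "BLOCKED": to_bool, "IS_HUMAN": to_bool}
# <PRI>VERSION ISOTIMESTAMP HOSTNAME APPLICATION PID MESSAGEID STRUCTURED-DATA MSG
HEADER = re.compile(r"<(\d{1,3})>(\d+) (\S+) (\S+) \S+ \S+ \S+ \S+ (.*)", re.S)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted string (may hold spaces) or bare token


def parse_event(line):
    """Parse one exported event; raise ValueError if it does not fit the layout."""
    m = HEADER.fullmatch(line.strip().removesuffix(EOL).rstrip())
    if not m:
        raise ValueError("line does not start with the expected syslog header")
    tokens = [bare or quoted for quoted, bare in TOKEN.findall(m.group(5))]
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} body fields, got {len(tokens)}")
    event = {"pri": int(m.group(1)), "version": int(m.group(2)),
             "timestamp": m.group(3), "hostname": m.group(4)}
    for name, raw in zip(FIELDS, tokens):
        # A hyphen means "no data", e.g. the request never reached the upstream.
        event[name] = None if raw == "-" else CASTS.get(name, str)(raw)
    return event


def split_batch(data):
    """Events arrive batched, so split a received text chunk on the EOL marker."""
    return [part.strip() for part in data.split(EOL) if part.strip()]


# Constructed sample line (documentation address ranges, not real traffic).
SAMPLE = ('<13>1 2024-05-01T12:00:03Z reblazer - - - - "203.0.113.7" '
          '2024-05-01T12:00:01Z 403 512 "/login" true false "acl-deny" "Germany" "DE" '
          '"req-0001" "header:user-agent" 0.004 - - - "www.example.com" "www.example.com" '
          '"" "Mozilla/5.0 (X11; Linux x86_64)" "ExampleNet" "TLSv1.3" **NF**')
```

Rejecting any line whose field count differs from the documented 22 keeps malformed or truncated events out of downstream SIEM rules instead of silently shifting values into the wrong columns.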
