# Log Exporter Output

Link11 WAAP can stream traffic events via [Log Exporters](/console-walkthrough/system/log-exporters.md), e.g. to a SIEM solution.

## Data collection <a href="#secure-data-streaming" id="secure-data-streaming"></a>

Each active Log Exporter streams events continually, in near-real time.

L11WAAP gathers events for a few seconds, or until a certain amount of data has been accumulated, and then sends them all together. The latency between the actual events occurring and their receipt at the destination will generally be less than 30 seconds.

## Data protocols <a href="#secure-data-streaming" id="secure-data-streaming"></a>

L11WAAP sends logs using the [Syslog RFC 5424 protocol](https://datatracker.ietf.org/doc/html/rfc5424).

The available transport protocols are:

* TCP
* TCP + TLS (requires SSL certificate)
* UDP (not MVP)

## Data format <a href="#data-format" id="data-format"></a>

By default, event messages are only sent for requests blocked by L11WAAP.

{% hint style="info" %}
The following requests are not included in the event stream:

* Requests passed by L11WAAP (**unless** the Log Exporter is in ["all" mode](/console-walkthrough/system/log-exporters.md#requests-to-export))
* Requests challenged by L11WAAP, but not blocked
* Requests blocked by the origin
{% endhint %}

Each line is structured as follows:

```
<PRI>VERSION ISOTIMESTAMP HOSTNAME APPLICATION PID MESSAGEID STRUCTURED-DATA MSG
```

...with these fields:

| Field           | Description          | Default value                               |
| --------------- | -------------------- | ------------------------------------------- |
| PRI             | priority             | 13 \[log audit]                             |
| VERSION         | version              | 1                                           |
| ISOTIMESTAMP    | timestamp of message | timestamp in ISO format                     |
| HOSTNAME        | hostname             | reblazer                                    |
| APPLICATION     | application          | - \[a hyphen, i.e. no data]                 |
| PID             | process id           | - \[a hyphen, i.e. no data]                 |
| MESSAGEID       | message id           | - \[a hyphen, i.e. no data]                 |
| STRUCTURED-DATA | structured data      | - \[a hyphen, i.e. no data]                 |
| MSG             | message body         | The rest of the message (see details below) |
| END OF LINE     | Custom EOL string    | \*\*NF\*\* \[meaning "nothing follows"]     |

Each message body contains the following fields, separated by spaces, in the order shown. Strings are enclosed in double quotes.

| Field                    | Data type | Notes                                                                                                                                  |
| ------------------------ | --------- | -------------------------------------------------------------------------------------------------------------------------------------- |
| REMOTE\_ADDR             | string    |                                                                                                                                        |
| TIMESTAMP                | timestamp |                                                                                                                                        |
| STATUS                   | integer   |                                                                                                                                        |
| BYTES\_SENT              | integer   |                                                                                                                                        |
| REQUEST                  | string    | Path only, without the query                                                                                                           |
| BLOCKED                  | boolean   |                                                                                                                                        |
| IS\_HUMAN                | boolean   |                                                                                                                                        |
| BLOCK\_REASON            | string    | The reason that a request was blocked. If more than one block reason exists, only the first will be included.                          |
| GEOIP\_COUNTRY\_NAME     | string    |                                                                                                                                        |
| GEOIP\_COUNTRY\_CODE     | string    |                                                                                                                                        |
| REQUEST\_ID              | string    |                                                                                                                                        |
| CAPTURED\_VECTOR         | string    | Relevant only for content filter rules; includes the type of the field (e.g. header) and its name.                                     |
| REQUEST\_TIME            | float     |                                                                                                                                        |
| UPSTREAM\_ADDR           | string    | Will be a hyphen if the request did not reach the upstream.                                                                            |
| UPSTREAM\_RESPONSE\_TIME | float     | Will be a hyphen if the request did not reach the upstream.                                                                            |
| UPSTREAM\_STATUS         | integer   | The status code returned by the upstream server, if any. Will be a hyphen if the request did not reach the upstream.                   |
| DOMAIN\_NAME             | string    | The server group.                                                                                                                      |
| HOST                     | string    |                                                                                                                                        |
| REFERER                  | string    |                                                                                                                                        |
| HTTP\_USER\_AGENT        | string    |                                                                                                                                        |
| ORGANIZATION             | string    |                                                                                                                                        |
| SSL\_PROTOCOL            | string    |                                                                                                                                        |
| ENCODED\_REQUEST         | string    | Only included if [Include encoded request data](/console-walkthrough/system/log-exporters.md#include-encoded-request-data) is enabled. |
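
The following is an added example, not Link11 code: a strict parser for one exported line, as a SIEM ingestion step might implement it. It assumes that booleans are serialized as `true`/`false`, that the body timestamp is a single unquoted token, that the header fields carry no spaces, and that `**NF**` trails the body; the sample line is constructed.

```python
import re

# Body field order from the table above; ENCODED_REQUEST is present only when enabled.
BODY_FIELDS = ("REMOTE_ADDR TIMESTAMP STATUS BYTES_SENT REQUEST BLOCKED IS_HUMAN "
               "BLOCK_REASON GEOIP_COUNTRY_NAME GEOIP_COUNTRY_CODE REQUEST_ID "
               "CAPTURED_VECTOR REQUEST_TIME UPSTREAM_ADDR UPSTREAM_RESPONSE_TIME "
               "UPSTREAM_STATUS DOMAIN_NAME HOST REFERER HTTP_USER_AGENT ORGANIZATION "
               "SSL_PROTOCOL ENCODED_REQUEST").split()

def to_bool(v):  # Assumption: booleans arrive as true/false (or 1/0).
    return v.lower() in ("true", "1")

CASTS = {"STATUS": int, "BYTES_SENT": int, "UPSTREAM_STATUS": int,
         "REQUEST_TIME": float, "UPSTREAM_RESPONSE_TIME": float,
         "BLOCKED": to_bool, "IS_HUMAN": to_bool}
HEADER = re.compile(r"<(\d{1,3})>(\d+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)", re.S)
# A token is a double-quoted string or a bare word, followed by whitespace or end.
TOKEN = re.compile(r'(?:"([^"]*)"|([^\s"]+))(?:\s+|$)')
EOL = "**NF**"  # custom end-of-line marker from the header table

def parse_event(line):
    line = line.strip()
    if line.endswith(EOL):          # Assumption: the marker trails the message body.
        line = line[:-len(EOL)].rstrip()
    m = HEADER.fullmatch(line)
    if not m:
        raise ValueError("header does not match the documented layout")
    event = {"PRI": int(m[1]), "VERSION": int(m[2]), "ISOTIMESTAMP": m[3], "HOSTNAME": m[4]}
    body, pos, tokens = m[9].strip(), 0, []
    while pos < len(body):
        t = TOKEN.match(body, pos)
        if not t:                   # stray quote: do not guess at field boundaries
            raise ValueError(f"unparseable body at offset {pos}")
        tokens.append(t[1] if t[1] is not None else t[2])
        pos = t.end()
    # Client-controlled strings (REQUEST, REFERER, HTTP_USER_AGENT) could shift columns
    # if they contain quotes, so reject any line whose field count is off.
    if len(tokens) not in (len(BODY_FIELDS) - 1, len(BODY_FIELDS)):
        raise ValueError(f"expected 22 or 23 body fields, got {len(tokens)}")
    for name, raw in zip(BODY_FIELDS, tokens):
        # A hyphen means "no data", e.g. the request never reached the upstream.
        event[name] = None if raw == "-" else CASTS.get(name, str)(raw)
    return event

# Constructed sample line (documentation addresses, made-up values), not real exporter output.
SAMPLE = ('<13>1 2024-05-01T12:00:03Z reblazer - - - - "203.0.113.7" 2024-05-01T12:00:01Z 403 154 '
          '"/login" true false "content-filter" "Germany" "DE" "req-0001" "header:user-agent" '
          '0.004 - - - "example-group" "www.example.com" "-" "curl/8.0" "Example ISP" "TLSv1.3" **NF**')
```

If the "Include encoded request data" setting is fixed for a deployment, pin the accepted field count to exactly 22 or 23 so that a single extra token cannot pass as the optional field.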
