Link11 WAAP
v2.16
View Log

Revealing the composition and details of your traffic


Last updated 3 years ago


This page provides the ability to review and analyze the most recent traffic, up to and including real time. At first glance, you'll see the origin country, IP address, HTTP message type, the targeted location, time stamp, and status code.

If a security event occurs, this page will allow you to quickly find its root cause.

On the top right of the page, you can select the range of requests displayed: from the most recent 200 events up to the most recent 2500. Choose the desired range (200, 500, 1000, 1500, 2000, or 2500) and then click on the checkmark to set the display.

In the screenshots below, IP addresses are censored for privacy reasons.

Analyze Traffic Log

At the top right of the screen, you can choose the application you want to analyze. The drop-down menu allows you to search for and choose your desired application.

Next to the Query box, you'll see several buttons.

  • The search icon is for applying the requested filters on the log. (Or, just hit "Enter" on the keyboard after typing your query.)

  • The calendar button allows you to specify a certain date or period of time.

  • The Search History button displays your recent searches, so you can re-run them without having to enter them completely from scratch.

  • Export to CSV creates a text-based spreadsheet file.

  • The Help button opens a display with a quick-reference guide to Query box operator syntax.

  • The Clear button removes your current Query box entries.

Log Structure

Log entries are color-coded depending on their type.

  • Passed requests: Black text on a white background.

  • Blocked by Reblaze: Red text on a red background.

  • Blocked by origin (i.e., the upstream server): Red text on a white background.

  • Challenge: Brown text on a yellow background.

Clicking on any log entry will display its details:

This will reveal:

  • The URL that was requested

  • The user agent

  • Optional additional information (not shown in the example above), depending on the request. Example: the referrer.

  • A row of colored labels:

    • Green: Passed request

    • Red: Blocked request

    • Yellow: Explanatory

    • Blue: Informational

  1. HTTP Request Method (GET / POST / PUT...)

  2. HTTP Version

  3. HTTP Response code, and which server sent the code: either the upstream server (noted as "Origin," as in the example above), or the Reblaze proxy.

  4. Resource that was requested (JPG / PNG / HTML / JS, etc.)

  5. Origin Country and Country Initials

  6. IP Classification: Whether the requestor is using an IP from a cloud provider, VPN, TOR, etc. In the example above, the requestor is using a cloud provider. Note that this does not indicate that the request was blocked for this reason. If the current Profile had included an ACL to block cloud users, then the Block reason would say "acl:cloud", and then this "Cloud" notification would appear after it for the IP Classification.

  7. Origin IP address (censored in the example above)

  8. Autonomous System Number (organization/ISP/etc.)

The example above shows a request that was answered with a challenge. It came from a known cloud provider, was sent with curl, and targeted www.example.com.

Examples for Log Filters

Example 1

How to search for one IP (censored in the screenshot below), only showing requests with a GET method during a specific time frame.

Example 2

Using this regex syntax:

status:[4]\d\d

returns all requests with a 4xx status code.

Example 3

How to display all requests from a certain country, for "EXE" files, which produced error code 403.

Using the Log

The View Log page has many uses, and it will allow you to learn a lot about your traffic.

This page is a powerful tool for traffic control, and is especially useful when you are first starting to use Reblaze. By revealing the composition of your traffic, it can help you decide which requests you should begin blocking.

The main tool in this section is the Query box for filtering the display; this is quite similar to the one on the Dashboard. It allows you to filter the display and see only the data you wish to analyze. For a full explanation of how to use it, click here.

The Query box allows you to filter and display specific requests and their details. To show the results graphically instead, you can copy the filter string and paste it into the Query box on the Dashboard.

Block reason: The reason, if any, that the request was denied. Standard reasons are listed in the Reblaze WAF Signatures list, while others are constructed dynamically (e.g., from a rate limit). A hyphen ("-", as in the example above) means that the request was not denied.

To see full log details for an entry, click on the small magnifier on the right side of the log. This will show all the headers, cookies, and session details.

The above screenshot shows a log entry for a request that was blocked. Note that the Block reason is "Generic Attack [ref 22400000]". The "ref" number is a Reblaze Signature reference ID.

A full explanation of filter syntax, a listing of operators, and tips for quickly building queries is found here: Using the Reblaze Query Box.
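The Block reason conventions and the 4xx status regex described on this page can also be applied offline to rows saved with Export to CSV. The following Python is an added example, not Link11/Reblaze code; the column names (ip, status, block_reason) and the sample rows are constructed assumptions, not the product's export schema.

```python
import csv
import io
import re
from collections import Counter

# Constructed export; column names are assumptions, not the product's CSV schema.
EXPORT = """ip,status,block_reason
203.0.113.7,403,Generic Attack [ref 22400000]
203.0.113.7,404,-
198.51.100.20,403,acl:cloud
192.0.2.44,200,-
198.51.100.20,503,-
"""

STATUS_4XX = re.compile(r"[4]\d\d")  # same pattern as the filter status:[4]\d\d
SIG_REF = re.compile(r"^(?P<name>.+?)\s*\[ref (?P<ref>\d+)\]$")


def classify_block_reason(reason):
    """Map a Block reason string to (kind, detail)."""
    reason = reason.strip()
    if reason == "-":  # hyphen: the request was not denied
        return ("not_denied", None)
    match = SIG_REF.match(reason)
    if match:  # e.g. "Generic Attack [ref 22400000]"
        return ("signature", {"name": match.group("name"), "ref": int(match.group("ref"))})
    if reason.startswith("acl:"):  # e.g. "acl:cloud"
        return ("acl", reason[len("acl:"):])
    return ("other", reason)  # dynamically constructed, e.g. from a rate limit


def triage(export_text):
    """Count block-reason kinds, signature refs, and 4xx responses per source IP."""
    kinds, refs, ips_4xx = Counter(), Counter(), Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        kind, detail = classify_block_reason(row["block_reason"])
        kinds[kind] += 1
        if kind == "signature":
            refs[detail["ref"]] += 1
        if STATUS_4XX.fullmatch(row["status"]):
            ips_4xx[row["ip"]] += 1
    return {"kinds": kinds, "refs": refs, "ips_4xx": ips_4xx}


if __name__ == "__main__":
    for name, counter in triage(EXPORT).items():
        print(name, dict(counter))
```

Grouping by signature ref and by source IP separates requests denied by the WAAP from 4xx responses that carry a hyphen as their Block reason.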