Security Events Reference

Objective

This guide presents reference information on the various fields of the security event types (WAF, Bot Defense, API, Service Policy).

WAF Security Event

The following tables present reference information on the fields of WAF security events.

WAF Client Details

Name | Type | Description | Values
--- | --- | --- | ---
asn | string | Autonomous system identifier represented by both name and number. More about autonomous systems: https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: GOOGLE(15169)
as_number | string | Autonomous system number. https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: 15169
as_org | string | Autonomous system name. https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: GOOGLE
city | string | Client's city name. | For Example: Paris
country | string | Client's country ISO 3166-2 (two-letter) code. https://en.wikipedia.org/wiki/ISO_3166-2 | For Example: US
latitude | string | Client's geo location latitude. Latitude is a horizontal line that measures the distance north or south of the equator. |
longitude | string | Client's geo location longitude. Longitude is a vertical line which measures east or west of the meridian in Greenwich, UK. |
region | string | Client's region name. |
sni | string | Server Name Indication, the TLS protocol extension. |
src_ip | string | The source IP of the client. | For Example: 212.150.5.74
tls_fingerprint | string | Identification of a client based on the fields in its Client Hello message during a TLS handshake. |
user | string | User identifier as configured in User Identification Policy. If not configured, the system uses src_ip as the default user identifier. | For Example: IP-212.150.5.74

WAF Device Details

Name | Type | Description | Values
--- | --- | --- | ---
browser_type | string | Client's browser type. This information is taken from the HTTP User-Agent header, therefore it is populated for HTTP traffic only. | For Example: Chrome
device_type | string | Client's device type. This information is taken from the HTTP User-Agent header, therefore it is populated for HTTP traffic only. | For Example: iPhone

WAF HTTP Protocol Details

Name | Type | Description | Values
--- | --- | --- | ---
authority | string | authority = [userinfo "@"] host [":" port] | For Example: www.google.com
domain | string | Part of the URL that is the user-friendly form of an IP address. |
http_version | string | HTTP protocol version. | For Example: HTTP/1.1
method | string | Valid HTTP method. | HEAD/GET/POST/OPTIONS… The value will be METHOD_UNSPECIFIED for non-HTTP requests.
original_path | string | Request path before decoding. |
req_headers | string | Request headers. |
req_path | string | Request path after decoding. |
req_params | string | Query parameters. |
user_agent | string | Value of HTTP User-Agent header. |
x_forwarded_for | string | Value of HTTP X-Forwarded-For header. |

WAF Request Details

Name | Type | Description | Values
--- | --- | --- | ---
dst_ip | string | IP of the upstream server. |
dst_port | number | Destination port on the upstream server. |
req_headers_size | number | Request headers size in bytes. |
req_size | number | Request size in bytes. |
src_port | string | Source port of the client. |

WAF Response Details

Name | Type | Description | Values
--- | --- | --- | ---
rsp_code | string | Response code. | Note: the value will be 0 if the request is blocked.
rsp_code_class | number | Response code class. | 2xx, 3xx, 4xx, 5xx
rsp_size | number | Response size. | Note: the value will be 0 if the request is blocked.

WAF Details

Name | Type | Description | Values
--- | --- | --- | ---
calculated_action | string | WAF recommended action. | Valid Values: allow, report, block
action | string | WAF actual action. |
waf_mode | string | WAF mode (Deprecated, will be removed in one of the upcoming releases). | allow, report, block
bot_info.name | string | The name of the detected bot. | For Example: Bing. Default: UNKNOWN
bot_info.type | string | The type of the detected bot. | For Example: Search Engine. Default: UNKNOWN
bot_info.classification | string | Bot classification. | We support 3 bot classification types: Malicious, Suspicious, Benign. Default: UNKNOWN
bot_info.anomaly | string | Explains how WAF detected the bot. | For Example: Suspicious HTTP Headers, Invalid HTTP Headers, Search Engine Verification Failed
attack_types | array | A list of all detected attack types. | Each attack in the list is represented by name. For instance: ATTACK_TYPE_PREDICTABLE_RESOURCE_LOCATION
signatures | array | A list of all detected WAF signatures (patterns). | The Signature section below provides the detailed structure of a signature.
violations | array | A list of all detected violations. | The Violation section below provides the detailed structure of a violation.

WAF Signature Details

Name | Type | Description | Values
--- | --- | --- | ---
id | number | Unique signature identifier. | For Example: 200010019
name | string | Human-friendly description of the signature. | For Example: "windows access"
accuracy | string/enum | Signature accuracy. Represents detection certainty. | We support 3 kinds of accuracy: high_accuracy, medium_accuracy, low_accuracy
attack_type | string | Attack vector. |
context | string | The place in the request/response where this signature is detected. | For Example: parameter (filePath)
matching_info | string | Detailed explanation of where the signature is detected. |
state | string/enum | Signature status. | Enabled - active; AutoSuppressed - excluded internally by the ML engine

WAF Violation Details

Name | Type | Description | Values
--- | --- | --- | ---
name | string/enum | Unique violation identifier. | For Example: VIOL_EVASIONS_DIRECTORY_TRAVERSALS
context | string | The place in the request/response where this violation is detected. | For Example: url
attack_type | string/enum | Attack vector. |
matching_info | string | Detailed explanation of where the violation is detected. |
state | string/enum | Violation status. | For more details, see the signature state values above.

WAF Metadata Details

Name | Type | Description | Values
--- | --- | --- | ---
app_type | string | Application profile type name. |
sec_event_type | string | Security event type. | For a WAF security event the value will always be "waf_sec_event"
sec_event_name | string | Security event name. | For a WAF security event the value will always be "WAF"
cluster_name | string | F5DC cluster name to which the request was routed. | For Example: pa2-par-int-ves-io
hostname | string | Hostname of the machine which generated this log record. | For Example: master-0
messageid | string | Unique log type identifier. | For a WAF security event the value will always be c102667e-dea5-4551-b495-71bf4217a9f6
namespace | string | A workspace within the tenant's space in which the virtual host was created. |
req_id | string | Unique request identifier. |
tenant | string | Organization or group of users sharing common access with specific privileges to F5DC resources. |
vh_name | string | Virtual host name. |
src | string | The "source" of the service which is sending the request. | Case 1. If this is service-to-service communication happening via envoy (like a vk8s service etc.), this value will be the name of the service. For Example: S:lilac-edge-node-6.lilac-edge. Case 2. If this is an mTLS src, the value will be the first SAN in the client certificate. Case 3. If not Case 1/2, it is a request coming from a client via the public internet etc., and the value will appear as: N:public
src_instance | string | Details of the instance which generated the traffic. | Case 1. If this is service-to-service communication happening via envoy (like a vk8s service etc.), the value will be an instance of the service (for example a pod name such as recommendationservice-69cddc6ffb-m794d). Case 2. If this is an mTLS src_instance, the value will be the Subject Name in the client certificate. Case 3. If this is a request from a public client, the value will be the country detected by geo lookup.
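A consumer of the WAF tables above, as an added example (not F5 code): it validates that a record is a WAF security event using the fixed sec_event_type and messageid, maps src to the three cases, treats rsp_code 0 as blocked, keeps only Enabled signatures of sufficient accuracy, and flags records where calculated_action is block but the actual action was not. The sample event is constructed for the example; the helper names are this example's own.

```python
import json

# Fixed values from the WAF Metadata Details table.
WAF_MESSAGE_ID = "c102667e-dea5-4551-b495-71bf4217a9f6"
WAF_SEC_EVENT_TYPE = "waf_sec_event"

# Accuracy levels from the WAF Signature Details table, ordered for comparison.
ACCURACY_RANK = {"low_accuracy": 0, "medium_accuracy": 1, "high_accuracy": 2}

# Constructed sample record (not a real log line); field names follow the WAF tables.
SAMPLE_WAF_EVENT = json.dumps({
    "sec_event_type": "waf_sec_event",
    "sec_event_name": "WAF",
    "messageid": WAF_MESSAGE_ID,
    "req_id": "constructed-req-0001",
    "src": "N:public",
    "src_ip": "203.0.113.10",
    "user": "IP-203.0.113.10",
    "method": "GET",
    "req_path": "/backup/site.zip",
    "rsp_code": "200",
    "waf_mode": "report",
    "calculated_action": "block",
    "action": "report",
    "attack_types": ["ATTACK_TYPE_PREDICTABLE_RESOURCE_LOCATION"],
    "signatures": [
        {"id": 200010019, "name": "constructed signature A", "accuracy": "high_accuracy",
         "state": "Enabled", "context": "url"},
        {"id": 200010020, "name": "constructed signature B", "accuracy": "low_accuracy",
         "state": "AutoSuppressed", "context": "parameter (q)"},
    ],
    "violations": [
        {"name": "VIOL_EVASIONS_DIRECTORY_TRAVERSALS", "context": "url", "state": "Enabled"},
    ],
})


def is_waf_event(event: dict) -> bool:
    """Both sec_event_type and messageid are fixed for WAF events per the metadata table."""
    return (event.get("sec_event_type") == WAF_SEC_EVENT_TYPE
            and event.get("messageid") == WAF_MESSAGE_ID)


def classify_src(src: str) -> str:
    """Map src to the three cases of the metadata table: S:<service>, mTLS SAN, or N:public."""
    if src.startswith("S:"):
        return "service-to-service"
    if src == "N:public":
        return "public-client"
    return "mtls-client-san"   # Case 2: the value is the first SAN of the client certificate


def was_blocked(event: dict) -> bool:
    """The WAF Response Details table logs rsp_code as 0 when the request was blocked."""
    return str(event.get("rsp_code")) == "0"


def active_signatures(event: dict, min_accuracy: str = "medium_accuracy") -> list:
    """Keep signatures still counted by the engine (state Enabled; AutoSuppressed were
    excluded by the ML engine) with accuracy at or above min_accuracy."""
    floor = ACCURACY_RANK[min_accuracy]
    return [s for s in event.get("signatures", [])
            if s.get("state") == "Enabled"
            and ACCURACY_RANK.get(s.get("accuracy"), -1) >= floor]


def triage(record) -> dict:
    """Summarise one WAF security event (JSON string or dict) for review."""
    event = json.loads(record) if isinstance(record, str) else dict(record)
    if not is_waf_event(event):
        raise ValueError("not a WAF security event")
    sigs = active_signatures(event)
    return {
        "req_id": event.get("req_id"),
        "src_kind": classify_src(event.get("src", "")),
        "blocked": was_blocked(event),
        # Recommended block that was not enforced (e.g. WAF running in report mode).
        "enforcement_gap": (event.get("calculated_action") == "block"
                            and event.get("action") != "block"),
        "attack_types": sorted(event.get("attack_types", [])),
        "signature_ids": [s["id"] for s in sigs],
        "violations": [v["name"] for v in event.get("violations", [])
                       if v.get("state") == "Enabled"],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_WAF_EVENT), indent=2))
```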

Bot Defense Security Event

The following tables present reference information on the fields of Bot Defense security events.

Bot Defense Client Details

Name | Type | Description | Values
--- | --- | --- | ---
as_number | string | Autonomous system number. https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: 15169
as_org | string | Autonomous system name. https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: GOOGLE
asn | string | Autonomous system identifier represented by both name and number. More about autonomous systems: https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: GOOGLE(15169)
city | string | Client's city name. | For Example: Paris
country | string | Client's country ISO 3166-2 (two-letter) code. https://en.wikipedia.org/wiki/ISO_3166-2 | For Example: US
latitude | string | Client's geo location latitude. Latitude is a horizontal line that measures the distance north or south of the equator. |
longitude | string | Client's geo location longitude. Longitude is a vertical line which measures east or west of the meridian in Greenwich, UK. |
network | string | Source IP network. |
region | string | Client's region name. |
src_ip | string | The source IP of the client. | For Example: 212.150.5.74
src_port | string | Source port of the client. |
user | string | User identifier as configured in User Identification Policy. If not configured, the system uses src_ip as the default user identifier. | For Example: IP-212.150.5.74

Bot Defense Device Details

Name | Type | Description | Values
--- | --- | --- | ---
browser_type | string | Client's browser type. This information is taken from the HTTP User-Agent header, therefore it is populated for HTTP traffic only. | For Example: Chrome
device_type | string | Client's device type. This information is taken from the HTTP User-Agent header, therefore it is populated for HTTP traffic only. | For Example: iPhone

Bot Defense Server Details

Name | Type | Description | Values
--- | --- | --- | ---
dst_ip | string | Destination IP of the origin server. |
dst_port | string | Destination port on the origin server. | For Example: 443

Bot Defense TLS Details

Name | Type | Description | Values
--- | --- | --- | ---
tls_fingerprint | string | SSL/TLS fingerprint of the client. |

Bot Defense HTTP Request/Response Details

Name | Type | Description | Values
--- | --- | --- | ---
authority | string | authority = [userinfo "@"] host [":" port] | For Example: www.google.com
domain | string | Domain extracted from the authority. |
http_version | string | Valid HTTP protocol version. | HTTP10/HTTP11/HTTP2. The value will be PROTOCOL_UNSPECIFIED for non-HTTP requests.
method | json string | Valid HTTP method. | HEAD/GET/POST/OPTIONS… The value will be METHOD_UNSPECIFIED for non-HTTP requests.
req_headers | string | Request headers. The system logs request headers only if API discovery is enabled, and samples them at up to 25%. |
req_headers_size | string | Request headers size. |
req_id | string | Unique request identifier. |
req_path | string | Request path. |
req_size | string | Request size. |
rsp_code | string | Response code. |
rsp_code_class | string | Response code class. | 2xx, 3xx, 4xx, 5xx
rsp_size | string | Response size. |
user_agent | string | Value of HTTP User-Agent header. |
x_forwarded_for | string | Value of HTTP X-Forwarded-For header. |

Bot Defense Details

Name | Type | Description | Values
--- | --- | --- | ---
bot_defense.automation_type | string | The reason why the client is detected as a bot. | Token Missing, Rate Limit Exceeded, Threat Intelligence, Token Blacklisted, Token Expired, Native Token Missing, Payload Replay, Token Invalid, Native Token Invalid, AI Payload Invalid, Native Token Blacklisted, AI Payload Missing
bot_defense.insight | string | Shape bot classification. | HUMAN, GOODBOT, MALICIOUS, UNAVAILABLE
bot_defense.recommendation | string | Shape Bot Defense recommended action. | Action_alert, Action_block, Action_redirect
action | string | Bot Defense action. | allow, block

Bot Defense Metadata Details

Name | Type | Description | Values
--- | --- | --- | ---
app_type | string | Application profile type name. |
cluster_name | string | F5DC cluster name to which the request was routed. | For Example: pa2-par-int-ves-io
hostname | string | Hostname of the machine which generated this log record. | For Example: master-0
messageid | string | Unique log type identifier. | For the access log the value will always be dea91c9a-beed-4561-67af-ab4112426b1f
namespace | string | A workspace within the tenant's space in which the virtual host was created. |
sec_event_name | string | Security event name. | BOT Defense Violation
sec_event_type | string | Security event type. | bot_defense_sec_event
site | string | Which cluster handled the request. | For Example: ams9-ams
sni | string | SNI hostname. |
src | string | The "source" of the service which is sending the request. | Case 1. If this is service-to-service communication happening via envoy (like a vk8s service etc.), this value will be the name of the service. For Example: S:lilac-edge-node-6.lilac-edge. Case 2. If this is an mTLS src, the value will be the first SAN in the client certificate. Case 3. If not Case 1/2, it is a request coming from a client via the public internet etc., and the value will appear as: N:public
src_instance | string | Details of the instance which generated the traffic. | Case 1. If this is service-to-service communication happening via envoy (like a vk8s service etc.), the value will be an instance of the service (for example a pod name such as recommendationservice-69cddc6ffb-m794d). Case 2. If this is an mTLS src_instance, the value will be the Subject Name in the client certificate. Case 3. If this is a request from a public client, the value will be the country detected by geo lookup.
src_site | string | The F5DC site (RE or CE etc.) which receives the request from the client. | This is the site where client traffic is hitting. For Example: dc12-ash, if the client is close to dc12 and traffic from the client is coming to dc12. It can also be a CE, if the LB is exposed via CE.
tenant | string | Organization or group of users sharing common access with specific privileges to F5DC resources. |
time | string | Event generation time. |
vh_name | string | Tenant's virtual host name. |
vhost_id | string | Tenant's virtual host ID. |

Service Policy Security Event

The following tables present reference information on the fields of Service Policy security events.

Service Policy Client Details

Name | Type | Description | Values
--- | --- | --- | ---
as_number | string | Autonomous system number. https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: 15169
as_org | string | Autonomous system name. https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: GOOGLE
asn | string | Autonomous system identifier represented by both name and number. More about autonomous systems: https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: GOOGLE(15169)
city | string | Client's city name. | For Example: Paris
country | string | Client's country ISO 3166-2 (two-letter) code. https://en.wikipedia.org/wiki/ISO_3166-2 | For Example: US
latitude | string | Client's geo location latitude. Latitude is a horizontal line that measures the distance north or south of the equator. |
longitude | string | Client's geo location longitude. Longitude is a vertical line which measures east or west of the meridian in Greenwich, UK. |
mtls | string | Mutual TLS authentication between clients and the HTTPS load balancer. |
region | string | Client's region name. |
sni | string | SNI (Server Name Indication) is a TLS extension that helps secure web connections on shared hosting by allowing clients to specify the desired domain. |
src_ip | string | The source IP of the client. | For Example: 212.150.5.74
tls_cipher_suite | string | TLS cipher suite negotiated during the handshake. | For Example: TLSv1_3/TLS_AES_128_GCM_SHA256
tls_fingerprint | string | Identification of a client based on the fields in its Client Hello message during a TLS handshake. |
tls_version | string | TLS version is a specific iteration of the Transport Layer Security protocol, used to secure data during transmission over networks. | TLSv1_3, TLSv1_2, ...
user | string | User identifier as configured in User Identification Policy. If not configured, the system uses src_ip as the default user identifier. | For Example: IP-212.150.5.74

Service Policy Device Details

Name | Type | Description | Values
--- | --- | --- | ---
browser_type | string | Client's browser type. This information is taken from the HTTP User-Agent header, therefore it is populated for HTTP traffic only. | For Example: Chrome
device_type | string | Client's device type. This information is taken from the HTTP User-Agent header, therefore it is populated for HTTP traffic only. | For Example: iPhone

Service Policy Request Details

Name | Type | Description | Values
--- | --- | --- | ---
dst | string | The detail of the destination/origin server where the request is going to. | If this is a vk8s service, the value will be S:< service name >, for example: S:frontend.arcadia-trading. For something like a DNS endpoint, the value will be S:< dns name >, for example: S:prod.croix-rouge.fr. If the endpoint or origin server is a public IP, the value will appear like this: S:185.15.129.72. Note: for FWD PROXY/Connect Proxy cases, the dst will be the 2-level URL of the destination, for example yahoo.com or google.com.
dst_instance | string | Detail of the specific destination instance where requests are going to. | For a vk8s service, the value will be the pod name, for example: ingress-kong-757d459b79-nc7hd. This pod name is associated with the dst above. If this is a DNS endpoint, the value will be the IP address of the endpoint. If the destination itself was configured to be a public IP (static), this field will be set to STATIC. For proxy cases, the value will be the country code of the destination IP (where traffic is headed to).
dst_ip | string | Destination IP of the origin server. | For Example: 185.15.129.72
dst_port | string | Destination port on the origin server. | For Example: 443
dst_site | string | Site which is used to send the traffic to the endpoint / origin server. | In most cases the value will be the same as the RE site (for example: pa2-par) which got the traffic. But it can be a CE site, if the endpoint is discovered in a CE, or another RE, if the endpoint discovered in that RE is used.
duration_with_data_tx_delay | string | last_downstream_tx_byte - first_upstream_tx_byte | Indicates how much "time" it took to process the request/response inside the XC LB (e.g. WAF, API detection, service policy, Bot detection, etc., if enabled) + the time the upstream spent processing.
duration_with_no_data_tx_delay | string | first_downstream_tx_byte - first_upstream_tx_byte | Like duration_with_data_tx_delay, except that the reference is taken from the moment the first byte is sent to the client.
rtt_downstream_seconds | string | Round trip of the connection to the downstream (client). |
rtt_upstream_seconds | string | Round trip of the connection to the upstream/origin server. |
site | string | The F5DC site (RE or CE etc.) which receives the request from the client. | This is the site where client traffic is hitting. It can also be a CE, if the LB is exposed via CE.
src | string | The "source" of the service which is sending the request. | Case 1. If this is service-to-service communication happening via envoy (like a vk8s service etc.), this value will be the name of the service. For example: S:lilac-edge-node-6.lilac-edge. Case 2. If this is an mTLS src, the value will be the first SAN in the client certificate. Case 3. If not Case 1/2, it is a request coming from a client via the public internet etc., and the value will appear as: N:public
src_instance | string | Details of the instance which generated the traffic. | Case 1. If this is service-to-service communication happening via envoy (like a vk8s service etc.), the value will be an instance of the service (for example a pod name such as recommendationservice-69cddc6ffb-m794d). Case 2. If this is an mTLS src_instance, the value will be the Subject Name in the client certificate. Case 3. If this is a request from a public client, the value will be the country detected by geo lookup.
src_port | string | Source port of the client. |
src_site | string | The F5DC site (RE or CE etc.) which receives the request from the client. | This is the site where client traffic is hitting. For example: dc12-ash, if the client is close to dc12 and traffic from the client is coming to dc12. It can also be a CE, if the LB is exposed via CE.
time_to_first_downstream_tx_byte | string | Time interval between the first downstream byte received and the first downstream byte sent. There may be a considerable delta between time_to_first_upstream_rx_byte and this field due to filters. Additionally, the same caveats apply as documented in time_to_last_downstream_tx_byte about not accounting for kernel socket buffer time, etc. |
time_to_first_upstream_rx_byte | string | Time interval in seconds between the first downstream byte received and the first upstream byte received (i.e., the time it takes to start receiving a response). |
time_to_first_upstream_tx_byte | string | Time interval between the first downstream byte received and the first upstream byte sent. There may be a considerable delta between time_to_last_rx_byte and this value due to filters. Additionally, the same caveats apply as documented in time_to_last_downstream_tx_byte about not accounting for kernel socket buffer time, etc. |
time_to_last_downstream_tx_byte | string | Time interval between the first downstream byte received and the last downstream byte sent. Depending on protocol, buffering, windowing, filters, etc. there may be a considerable delta between time_to_last_upstream_rx_byte and this field. Note also that this is an approximate time. In the current implementation it does not include kernel socket buffer time. In the current implementation it also does not include send window buffering inside the HTTP/2 codec. In the future it is likely that work will be done to make this duration more accurate. |
time_to_last_upstream_rx_byte | string | Time interval in seconds between the first downstream byte received and the last upstream byte received (i.e., the time it takes to receive a complete response). |
time_to_last_upstream_tx_byte | string | Time interval between the first downstream byte received and the last upstream byte sent. There may be a considerable delta between time_to_last_rx_byte and this value due to filters. Additionally, the same caveats apply as documented in time_to_last_downstream_tx_byte about not accounting for kernel socket buffer time, etc. |
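The timing and destination fields above are logged as strings and are all measured from the first downstream byte received, so the two duration fields of the table can be recomputed from the time_to_* fields. This added example (not F5 code) does that, rejects records whose timestamps are out of order, derives the origin's own time-to-first-byte as an extra (this example's own derivation, not a field the page defines), and maps dst/dst_instance to the cases the dst rows describe. The event is constructed for the example.

```python
import ipaddress

# Constructed service policy event fragment (not a real log record). Field names and
# semantics follow the Service Policy Request Details table; values are strings as typed there.
SAMPLE_SVC_EVENT = {
    "req_id": "constructed-req-0002",
    "src": "N:public",
    "src_instance": "FR",
    "src_site": "pa2-par",
    "dst": "S:frontend.arcadia-trading",
    "dst_instance": "ingress-kong-757d459b79-nc7hd",
    "dst_site": "pa2-par",
    "time_to_first_upstream_tx_byte": "0.012",
    "time_to_first_upstream_rx_byte": "0.087",
    "time_to_last_upstream_rx_byte": "0.140",
    "time_to_first_downstream_tx_byte": "0.090",
    "time_to_last_downstream_tx_byte": "0.150",
    "rtt_upstream_seconds": "0.004",
    "rtt_downstream_seconds": "0.031",
}


def _secs(event: dict, field: str) -> float:
    """Timing fields are strings; convert and fail loudly on a missing or garbled value."""
    try:
        return float(event[field])
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError(f"missing or non-numeric {field}") from exc


def request_durations(event: dict) -> dict:
    """Recompute the table's two duration fields from the time_to_* intervals.

    All intervals share the same reference point (first downstream byte received), so
    last_downstream_tx_byte - first_upstream_tx_byte is simply the difference of the
    two corresponding time_to_* values.
    """
    first_up_tx = _secs(event, "time_to_first_upstream_tx_byte")
    first_up_rx = _secs(event, "time_to_first_upstream_rx_byte")
    last_up_rx = _secs(event, "time_to_last_upstream_rx_byte")
    first_down_tx = _secs(event, "time_to_first_downstream_tx_byte")
    last_down_tx = _secs(event, "time_to_last_downstream_tx_byte")

    # A response cannot start before the request was forwarded, nor end before it started.
    if not (first_up_tx <= first_up_rx <= last_up_rx and first_up_tx <= first_down_tx <= last_down_tx):
        raise ValueError(f"inconsistent timing fields in {event.get('req_id')}")

    return {
        # Exactly the two definitions given in the table.
        "duration_with_data_tx_delay": round(last_down_tx - first_up_tx, 6),
        "duration_with_no_data_tx_delay": round(first_down_tx - first_up_tx, 6),
        # Derived here (assumption): time from forwarding the request until the origin's
        # first response byte, i.e. the origin's own time-to-first-byte.
        "origin_time_to_first_byte": round(first_up_rx - first_up_tx, 6),
        # Table: dst_site usually equals the site that received the traffic; a difference
        # means the request was carried to another RE or a CE before reaching the origin.
        "cross_site": event.get("dst_site") != event.get("src_site"),
    }


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify_dst(dst: str, dst_instance: str = "") -> str:
    """Map dst/dst_instance to the cases listed in the dst and dst_instance rows."""
    if not dst.startswith("S:"):
        return "forward-proxy"          # proxy cases log a bare 2-level domain, e.g. google.com
    target = dst[2:]
    if _is_ip(target) or dst_instance == "STATIC":
        return "static-public-ip"       # origin configured as a public IP
    if _is_ip(dst_instance):
        return "dns-endpoint"           # DNS endpoint: instance is the resolved IP
    return "vk8s-service"               # vk8s service: instance is a pod name


if __name__ == "__main__":
    print(request_durations(SAMPLE_SVC_EVENT))
    print(classify_dst(SAMPLE_SVC_EVENT["dst"], SAMPLE_SVC_EVENT["dst_instance"]))
```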

Service Policy HTTP Details

Name | Type | Description | Values
--- | --- | --- | ---
api_endpoint | string | The endpoint (path) of the request. |
authority | string | authority = [ userinfo "@" ] host [ ":" port ] | For Example: www.google.com
domain | string | |
method | string | Valid HTTP method. | HEAD/GET/POST/OPTIONS… The value will be METHOD_UNSPECIFIED for non-HTTP requests.
network | string | Network value. |
original_authority | string | Original authority. |
original_path | string | Request path. |
protocol | string | Valid HTTP protocol version. | HTTP10/HTTP11/HTTP2. The value will be PROTOCOL_UNSPECIFIED for non-HTTP requests.
proxy_type | string | Type of proxy to be used while connecting from one virtual network to another. |
req_body | string | Request body. The system logs the request body only if API discovery is enabled, and samples it at up to 25%. |
req_headers | string | Request headers. The system logs request headers only if API discovery is enabled, and samples them at up to 25%. |
req_parameters | string | Query parameters. |
req_path | string | Request path. |
req_size | string | Request size in bytes. |
scheme | string | Valid HTTP scheme. | https/http. The value will be empty for non-HTTP requests.
user_agent | string | Value of HTTP User-Agent header. |
x_forwarded_for | string | Value of HTTP X-Forwarded-For header. |

Service Policy Response Details

Name | Type | Description | Values
--- | --- | --- | ---
response_flags | string | Additional details about the response or connection, if any, above and beyond the standard response code. |
rsp_body | string | Response body. |
rsp_code | string | Response code. |
rsp_code_class | string | Response code class. | 2xx, 3xx, 4xx, 5xx
rsp_code_details | string | Response code reason. | The list of all possible response code details is published by Envoy; these values may change: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/response_code_details
rsp_headers | string | Response headers. |
rsp_size | string | Response size in bytes. |

Service Policy Details

Name | Type | Description | Values
--- | --- | --- | ---
action | string | Action to enforce on the request when it matches a service policy rule. |
ip_risk | string | IP risk as it appears in the Webroot IP reputation database. | Valid Values: LOW_RISK, MEDIUM_RISK, HIGH_RISK
ip_trustcore | string | A score between 0 and 100 representing IP trust. 100 means high trust / low risk, 0 means low trust / high risk. | Numeric string value between 0 and 100.
ip_trustworthiness | string | Property describing IP trustworthiness (the opposite of risk). | Valid Values: LOW, MEDIUM, HIGH
malicious_user_mitigation_action | string | Malicious user mitigation action, if the malicious user feature is configured. | Valid Values: MUM_NONE, MUM_BLOCK_TEMPORARILY, MUM_JAVASCRIPT_CHALLENGE, MUM_CAPTCHA_CHALLENGE
policy | string | The name of the last executed service policy. |
policy_namespace | string | The namespace of the last executed service policy. |
policy_rule | string | The name of the last executed service policy rule. |
policy_rule_description | string | Description of the service policy rule as it appears in the configuration. |
policy_set | string | The name of the last executed service policy set. |
rate_limiter_action | string | Rate limiter result. | Valid Values: fail, pass, none, or empty string
result | string | Service policy result. | Valid Values: allow, deny, default_allow, default_deny

Service Policy Metadata Details

Name | Type | Description | Values
--- | --- | --- | ---
app_type | string | Application profile type name. |
cluster_name | string | F5DC cluster name to which the request was routed. | For Example: pa2-par-int-ves-io
connected_time | string | Connection start time. |
connected_state | string | Connection state. |
hostname | string | Hostname of the machine which generated this log record. | For Example: master-0
lb_port | string | Load balancer port. | For Example: 443
messageid | string | Unique log type identifier. | For the access log the value will always be dea91c9a-beed-4561-67af-ab4112426b1f
namespace | string | A workspace within the tenant's space in which the virtual host was created. |
req_id | string | Unique request identifier. |
sec_event_name | string | Security event name. |
sec_event_type | string | Security event type. | Values: SVC_POLICY_SEC_EVENT, BOT_DEFENSE_SEC_EVENT, WAF_SEC_EVENT, API_SEC_EVENT
tenant | string | Organization or group of users sharing common access with specific privileges to F5DC resources. |
terminated_time | string | Connection terminated time. |
time | string | Event generation time. |
timeseries_enabled | bool | Indicates that DDoS protection is enabled for this LB. |
vh_name | string | Tenant's virtual host name. |
vh_type | string | Virtual host type. | Valid Values: VIRTUAL_SERVICE, HTTP_LOAD_BALANCER, API_GATEWAY, TCP_LOADBALALNCER, PROXY, LOCAL_K8S_API_GATEWAY, CDN_LOADBALALNCER

API Security Event

The following tables present reference information on the fields of API security events.

API Client Details

Name | Type | Description | Values
--- | --- | --- | ---
as_number | string | Autonomous system number. https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: 15169
as_org | string | Autonomous system name. https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: GOOGLE
asn | string | Autonomous system identifier represented by both name and number. More about autonomous systems: https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: GOOGLE(15169)
city | string | Client's city name. | For Example: Paris
country | string | Client's country ISO 3166-2 (two-letter) code. https://en.wikipedia.org/wiki/ISO_3166-2 | For Example: US
latitude | string | Client's geo location latitude. Latitude is a horizontal line that measures the distance north or south of the equator. |
longitude | string | Client's geo location longitude. Longitude is a vertical line which measures east or west of the meridian in Greenwich, UK. |
mtls | bool | Mutual TLS authentication between clients and the HTTPS load balancer. |
network | string | Source IP network. |
region | string | Client's region name. |
src_ip | string | The source IP of the client. | For Example: 212.150.5.74
src_port | string | Source port of the client. |
user | string | User identifier as configured in User Identification Policy. If not configured, the system uses src_ip as the default user identifier. | For Example: IP-212.150.5.74

API Device Details

Name | Type | Description | Values
--- | --- | --- | ---
browser_type | string | Client's browser type. This information is taken from the HTTP User-Agent header, therefore it is populated for HTTP traffic only. | For Example: Chrome
device_type | string | Client's device type. This information is taken from the HTTP User-Agent header, therefore it is populated for HTTP traffic only. | For Example: iPhone

API TLS Details

Name | Type | Description | Values
--- | --- | --- | ---
tls_cipher_suite | string | TLS cipher suite negotiated during the handshake. | For Example: TLSv1_3/TLS_AES_128_GCM_SHA256
tls_fingerprint | string | Identification of a client based on the fields in its Client Hello message during a TLS handshake. |
tls_version | string | TLS version is a specific iteration of the Transport Layer Security protocol, used to secure data during transmission over networks. | TLSv1_3, TLSv1_2, ...

API Request Details

Name | Type | Description | Values
--- | --- | --- | ---
dst | string | The detail of the destination/origin server where the request is going to. | If this is a vk8s service, the value will be S:< service name >, for example: S:frontend.arcadia-trading. For something like a DNS endpoint, the value will be S:< dns name >, for example: S:prod.croix-rouge.fr. If the endpoint or origin server is a public IP, the value will appear like this: S:185.15.129.72. Note: for FWD PROXY/Connect Proxy cases, the dst will be the 2-level URL of the destination, for example yahoo.com or google.com.
dst_instance | string | Detail of the specific destination instance where requests are going to. | For a vk8s service, the value will be the pod name, for example: ingress-kong-757d459b79-nc7hd. This pod name is associated with the dst above. If this is a DNS endpoint, the value will be the IP address of the endpoint. If the destination itself was configured to be a public IP (static), this field will be set to STATIC. For proxy cases, the value will be the country code of the destination IP (where traffic is headed to).
dst_ip | string | Destination IP of the origin server. |
dst_port | string | Destination port on the origin server. | For Example: 443
dst_site | string | Site which is used to send the traffic to the endpoint / origin server. | In most cases the value will be the same as the RE site (for example: pa2-par) which got the traffic. But it can be a CE site, if the endpoint is discovered in a CE, or another RE, if the endpoint discovered in that RE is used.
duration_with_data_tx_delay | string | last_downstream_tx_byte - first_upstream_tx_byte | Indicates how much "time" it took to process the request/response inside the XC LB (e.g. WAF, API detection, service policy, Bot detection, etc., if enabled) + the time the upstream spent processing.
duration_with_no_data_tx_delay | string | first_downstream_tx_byte - first_upstream_tx_byte | Like duration_with_data_tx_delay, except that the reference is taken from the moment the first byte is sent to the client.
rtt_downstream_seconds | string | Round trip of the connection to the downstream (client). |
rtt_upstream_seconds | string | Round trip of the connection to the upstream/origin server. |
time_to_first_downstream_tx_byte | string | Time interval between the first downstream byte received and the first downstream byte sent. There may be a considerable delta between time_to_first_upstream_rx_byte and this field due to filters. Additionally, the same caveats apply as documented in time_to_last_downstream_tx_byte about not accounting for kernel socket buffer time, etc. |
time_to_first_upstream_rx_byte | string | Time interval in seconds between the first downstream byte received and the first upstream byte received (i.e., the time it takes to start receiving a response). |
time_to_first_upstream_tx_byte | string | Time interval between the first downstream byte received and the first upstream byte sent. There may be a considerable delta between time_to_last_rx_byte and this value due to filters. Additionally, the same caveats apply as documented in time_to_last_downstream_tx_byte about not accounting for kernel socket buffer time, etc. |
time_to_last_downstream_tx_byte | string | Time interval between the first downstream byte received and the last downstream byte sent. Depending on protocol, buffering, windowing, filters, etc. there may be a considerable delta between time_to_last_upstream_rx_byte and this field. Note also that this is an approximate time. In the current implementation it does not include kernel socket buffer time. In the current implementation it also does not include send window buffering inside the HTTP/2 codec. In the future it is likely that work will be done to make this duration more accurate. |
time_to_last_upstream_rx_byte | string | Time interval in seconds between the first downstream byte received and the last upstream byte received (i.e., the time it takes to receive a complete response). |
time_to_last_upstream_tx_byte | string | Time interval between the first downstream byte received and the last upstream byte sent. There may be a considerable delta between time_to_last_rx_byte and this value due to filters. Additionally, the same caveats apply as documented in time_to_last_downstream_tx_byte about not accounting for kernel socket buffer time, etc. |

API HTTP Details

Name | Type | Description | Values
--- | --- | --- | ---
api_endpoint | string | The endpoint (path) of the request. |
authority | string | authority = [ userinfo "@" ] host [ ":" port ] | For Example: www.google.com
content-type | string | Value of HTTP Content-Type header. |
domain | string | |
http_version | string | Valid HTTP protocol version. | HTTP10/HTTP11/HTTP2. The value will be PROTOCOL_UNSPECIFIED for non-HTTP requests.
method | string | Valid HTTP method. | HEAD/GET/POST/OPTIONS… The value will be METHOD_UNSPECIFIED for non-HTTP requests.
network | string | Network value. |
original_authority | string | Original authority. |
original_path | string | Request path. |
protocol | string | Valid HTTP protocol version. | HTTP10/HTTP11/HTTP2. The value will be PROTOCOL_UNSPECIFIED for non-HTTP requests.
proxy_type | string | Type of proxy to be used while connecting from one virtual network to another. |
referrer | string | Value of HTTP Referer header. |
req_headers | json string | Request headers. The system logs request headers only if API discovery is enabled, and samples them at up to 25%. |
req_headers_size | int | Request headers size. |
req_id | string | Unique request identifier. |
req_path | string | Request path. |
req_size | string | Request size in bytes. |
rsp_code | string | Response code. |
rsp_code_class | string | Response code class. | 2xx, 3xx, 4xx, 5xx
rsp_size | string | Response size. |
scheme | string | Valid HTTP scheme. | https/http. The value will be empty for non-HTTP requests.
user_agent | string | Value of HTTP User-Agent header. |
x_forwarded_for | string | Value of HTTP X-Forwarded-For header. |

API Response Details

| Name | Type | Description | Values |
| --- | --- | --- | --- |
| response_flags | string | Additional details about the response or connection, if any, above and beyond the standard response code. | |
| rsp_code_details | string | Response code reason. | The list of all possible response code details is maintained at https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/response_code_details. These values may change. |
| rsp_headers | string | Response headers. | |

API Details

| Name | Type | Description | Values |
| --- | --- | --- | --- |
| action | string | API actual action. | |
| oas_req_status | string | Open API Specification validation result for the HTTP request. | Valid Values: OpenAPIBodyTooLongSkipped, OpenAPISpecNotFound, OpenAPIPathNotFound, OpenAPIViolation, OpenAPIValidationSuccessful, OpenAPIRateLimitExceeded, OpenAPIErrorInternalServerError, OpenAPIErrorServiceUnavailabl, OpenAPIErrorNotAccaptable, OpenAPISkip |
| oas_rsp_status | string | Open API Specification validation result for the HTTP response. | Valid Values: OpenAPIViolation, OpenAPIValidationSuccessful, OpenAPISkipped |
| policy_hits.ip_risk | string | IP risk as it appears in the Webroot IP reputation database. | Valid Values: LOW_RISK, MEDIUM_RISK, HIGH_RISK |
| policy_hits.ip_trustscore | string | IP trust score between 0 and 100: 100 means high trust (low risk), 0 means low trust (high risk). | Numeric string value between 0 and 100. |
| policy_hits.ip_trustworthiness | string | Property describing IP trustworthiness (the opposite of risk). | Valid Values: LOW, MEDIUM, HIGH |
| policy_hits.malicious_user_mitigation_action | string | Malicious user mitigation action, if the malicious user feature is configured. | Valid Values: MUM_NONE, MUM_BLOCK_TEMPORARILY, MUM_JAVASCRIPT_CHALLENGE, MUM_CAPTCHA_CHALLENGE |
| policy_hits.oas_request_properties | string | The properties of the current HTTP request that need Open API Specification validation. | |
| policy_hits.oas_response_properties | string | The properties of the current HTTP response that need Open API Specification validation. | |
| policy_hits.oas_response_validation_action | string | The desired action to be taken if Open API Specification validation fails for the HTTP response. | |
| policy_hits.oas_validation_action | string | The desired action to be taken if Open API Specification validation fails for the HTTP request. | |
| policy_hits.policy | string | The name of the last executed service policy. | |
| policy_hits.policy_namespace | string | The policy namespace. | |
| policy_hits.policy_rule | string | The name of the last executed service policy rule. | |
| policy_hits.policy_set | string | The name of the last executed service policy set. | |
| policy_hits.rate_limiter_action | string | Rate limiter result. | Valid Values: fail, pass, none, or empty string |
| policy_hits.rate_limiter_user_id | string | Detected User-ID for rate limiting. | |
| policy_hits.result | string | Service policy result. | Valid Values: allow, deny, default_allow, default_deny |
| recommended_action | string | API recommended action. | Valid Values: low, report, block |
| signatures.accuracy | string | The accuracy of the signature match. | |
| signatures.attack_type | string | The detected attack type. | |
| signatures.context | string | The context (HTTP request or response) in which the signature was detected. | |
| signatures.id | string | Signature ID. | |
| signatures.id_name | string | Signature ID and name concatenated. | |
| signature.matching_info | string | Extended information on where the suspicious data that triggered the signature detection was found. | |
| signature.name | string | Signature name. | |
| signature.state | string | Whether the signature is enforced when it matches. | |
| violations.context | string | The context (HTTP request or response) in which the violation was detected. | |
| violations.description | string | The Open API Specification violation explanation. | |
| violations.field | string | Header or parameter name which triggered the Open API Specification violation. | |
| violations.property | string | Which Open API Specification property triggered the violation detection. | |

API Metadata Details

| Name | Type | Description | Values |
| --- | --- | --- | --- |
| app_type | string | Application profile type name. | |
| cluster_name | string | F5DC cluster name to which the request was routed. | For Example: pa2-par-int-ves-io |
| connected_time | string | Connection start time. | |
| connected_state | string | Connection state. | |
| hostname | string | Hostname of the machine which generated this log record. | For Example: master-0 |
| lb_port | string | Load balancer port. | For Example: 443 |
| messageid | string | Unique log type identifier. | For access logs the value will always be dea91c9a-beed-4561-67af-ab4112426b1f |
| namespace | string | A workspace within the tenant's space in which the virtual host was created. | namespace |
| sec_event_name | string | Security event name. | App Security Misconfiguration, API Rate Limiting, OpenAPI Validation Failure, API Protection Rule, OpenAPI Fall Through |
| sec_event_type | string | Security event type. | api_sec_event |
| site | string | Which cluster handled the request. | For Example: "ams9-ams" |
| sni | string | SNI hostname. | |
| src | string | The "source" of the service which is sending the request. | Case 1: If this is service-to-service communication happening via Envoy (like a v8s service, etc.), this value will be the name of the service. For Example: S:lilac-edge-node-6.lilac-edge. Case 2: If this is an mTLS src, the value will be the first SAN in the client certificate. Case 3: If neither Case 1 nor Case 2 applies (a request coming from a client via the public internet, etc.), the value will appear as N:public. |
| src_instance | string | Details of the instance which generated the traffic. | Case 1: If this is service-to-service communication happening via Envoy (v8s service, etc.), the value will be an instance of the service (e.g. a pod name like recommendationservice-69cddc6ffb-m794d). Case 2: If this is an mTLS src_instance, the value will be the Subject Name in the client certificate. Case 3: If this is a request from a public client, the value will be the country detected by geo lookup. |
| src_site | string | The F5DC site (RE or CE, etc.) which receives the request from the client. | This is the site where client traffic is hitting. For Example: dc12-ash, if the client is close to dc12 and traffic from the client is coming to dc12. It could also be a CE, if the LB is exposed via a CE. |
| tenant | string | Organization or group of users sharing common access with specific privileges to F5DC resources. | |
| terminated_time | string | Connection terminated time. | |
| time | string | Event generated time. | |
| timeseries_enabled | bool | Indicates that DDoS protection is enabled for this LB. | |
| vh_name | string | Tenant's virtual host name. | |
| vh_type | string | Virtual host type. | Valid Values: VIRTUAL_SERVICE, HTTP_LOAD_BALANCER, API_GATEWAY, TCP_LOADBALALNCER, PROXY, LOCAL_K8S_API_GATEWAY, CDN_LOADBALALNCER |
| vhost_id | string | Tenant's virtual host ID. | |