Log Exporter Output

Link11 WAAP can stream traffic events via , e.g. to a SIEM solution.

Data collection

Each active Log Exporter streams events continually, in near-real time.

L11WAAP gathers events for a few seconds, or until a certain amount of data has been accumulated, and then sends them all together. The latency between the actual events occurring and their receipt at the destination will generally be less than 30 seconds.

Data protocols

L11WAAP sends logs using the .

The available transport protocols are:

TCP
TCP + TLS (requires SSL certificate)
UDP (not MVP)

Data format

By default, event messages are only sent for requests blocked by L11WAAP.

The following requests are not included in the event stream:

Requests passed by L11WAAP (unless the Log Exporter is in "all" mode)
Requests challenged by L11WAAP, but not blocked
Requests blocked by the origin

Each line is structured as follows:

<PRI>VERSION ISOTIMESTAMP HOSTNAME APPLICATION PID MESSAGEID STRUCTURED-DATA MSG

...with these fields:

Field

Description

Default value

PRI

priority

13 [log audit]

VERSION

version

ISOTIMESTAMP

timestamp of message

timestamp in ISO format

HOSTNAME

hostname

reblazer

APPLICATION

application

- [a hyphen, i.e. no data]

PID

process id

- [a hyphen, i.e. no data]

MESSAGEID

message id

- [a hyphen, i.e. no data]

STRUCTURED-DATA

structured Data

- [a hyphen, i.e. no data]

MSG

message body

The rest of the message (see details below)

END OF LINE

Custom EOL string

**NF** [meaning "nothing follows"]

Each message body contains the following fields, separated by spaces, in the order shown. Strings are enclosed in double quotes.

Field

Data type

Notes

REMOTE_ADDR

string

TIMESTAMP

timestamp

STATUS

integer

BYTES_SENT

integer

REQUEST

string

Path only, without the query

BLOCKED

boolean

IS_HUMAN

boolean

BLOCK_REASON

string

The reason that a request was blocked. If more than block reason exists, only the first will be included.

GEOIP_COUNTRY_NAME

string

GEOIP_COUNTRY_CODE

string

REQUEST_ID

string

CAPTURED_VECTOR

string

Relevant only for content filter rules; includes the type of the field (e.g. header) and its name.

REQUEST_TIME

float

UPSTREAM_ADDR

string

Will be a hyphen if the request did not reach the upstream.

UPSTREAM_RESPONSE_TIME

float

Will be a hyphen if the request did not reach the upstream.

UPSTREAM_STATUS

integer

The status code returned by the upstream server, if any. Will be a hyphen if the request did not reach the upstream.

DOMAIN_NAME

string

The server group.

HOST

string

REFERER

string

HTTP_USER_AGENT

string

ORGANIZATION

string

SSL_PROTOCOL

string

PreviousHTTP Response Codes NextPattern Matching Syntax

Last updated 12 days ago

Was this helpful?

Data collection

Each active Log Exporter streams events continually, in near-real time.

Data format

By default, event messages are only sent for requests blocked by L11WAAP.

The following requests are not included in the event stream:

Requests passed by L11WAAP (unless the Log Exporter is in "all" mode)
Requests challenged by L11WAAP, but not blocked
Requests blocked by the origin

Each line is structured as follows:

<PRI>VERSION ISOTIMESTAMP HOSTNAME APPLICATION PID MESSAGEID STRUCTURED-DATA MSG

...with these fields:

Field

Description

Default value

PRI

priority

13 [log audit]

VERSION

version

ISOTIMESTAMP

timestamp of message

timestamp in ISO format

HOSTNAME

hostname

reblazer

APPLICATION

application

- [a hyphen, i.e. no data]

PID

process id

- [a hyphen, i.e. no data]

MESSAGEID

message id

- [a hyphen, i.e. no data]

STRUCTURED-DATA

structured Data

- [a hyphen, i.e. no data]

MSG

message body

The rest of the message (see details below)

END OF LINE

Custom EOL string

**NF** [meaning "nothing follows"]

Each message body contains the following fields, separated by spaces, in the order shown. Strings are enclosed in double quotes.

Field

Data type

Notes

REMOTE_ADDR

string

TIMESTAMP

timestamp

STATUS

integer

BYTES_SENT

integer

REQUEST

string

Path only, without the query

BLOCKED

boolean

IS_HUMAN

boolean

BLOCK_REASON

string

The reason that a request was blocked. If more than block reason exists, only the first will be included.

GEOIP_COUNTRY_NAME

string

GEOIP_COUNTRY_CODE

string

REQUEST_ID

string

CAPTURED_VECTOR

string

Relevant only for content filter rules; includes the type of the field (e.g. header) and its name.

REQUEST_TIME

float

UPSTREAM_ADDR

string

Will be a hyphen if the request did not reach the upstream.

UPSTREAM_RESPONSE_TIME

float

Will be a hyphen if the request did not reach the upstream.

UPSTREAM_STATUS

integer

The status code returned by the upstream server, if any. Will be a hyphen if the request did not reach the upstream.

DOMAIN_NAME

string

The server group.

HOST

string

REFERER

string

HTTP_USER_AGENT

string

ORGANIZATION

string

SSL_PROTOCOL

string