Log fields

Every block message will log the fields listed in the following table. Some fields may be left out when there is no value available, others may write "<n/a>" instead.

| Field Name | Description |
| --- | --- |
| req_id | ID of the request |
| sess_id | ID of the session the request belongs to |
| corr_id | Request correlation ID |
| corr_id_2 | Second request correlation ID |
| corr_id_3 | Third request correlation ID |
| mapping | Mapping name used to handle the request |
| audit_token | Audit token set by the authentication server. This usually represents an individual user. |
| tech_client_id | Technical client ID extracted from request. |
| tech_client_display_name | Display name of the technical client. |
| tech_client_label | Label of the technical client. |
| tech_client_subscription_id | Subscription ID of the technical client. |
| tenant | Tenant of the requested mapping or virtual host |
| th_mode | Threat handling mode |
| vhost | The FQDN of the virtual host |
| vhost_ip | The IP address the virtual host is listening on |
| vhost_port | The port the virtual host is listening on |
| vhost_proto | The HTTP protocol used in the request |
| client_ip | The IP address of the client. Usually, this is the connection IP address (front_src_ip). If a reverse proxy or load balancer is in place and sets the X-Forwarded-For header, Airlock WAF can be configured to use the X-Forwarded-For value as client_ip. |
| geoip_continent | Continent code resolved for the client IP address (client_ip) |
| geoip_country | Country code resolved for the client IP address (client_ip) |
| geoip_location | Latitude and longitude resolved for the client IP address (client_ip) |
| sess_auth | Flag indicating whether the session was authenticated or not |
| block_type | Technology used to block the attack |
| attack_type | Type of the blocked attack |
| constraint | Violated constraint that led to the block |
| position | Description of where the error/block was detected |
| message | Message describing the log event |
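
Because a field may be absent or written as "<n/a>", consumers of block messages should normalize both cases before aggregating. The following is an added example, not Airlock's own code: it assumes the events are already parsed into dictionaries keyed by the field names above (the page does not specify the serialization), and the sample events, the `attack_type` values and the function names are constructed for illustration.

```python
from collections import Counter

NA = "<n/a>"  # placeholder the page says may be written for an unavailable value

# Constructed sample block events (assumed already parsed into dicts; all values invented).
SAMPLE_EVENTS = [
    {"req_id": "r1", "client_ip": "203.0.113.7", "attack_type": "sqli", "audit_token": "<n/a>"},
    {"req_id": "r2", "client_ip": "203.0.113.7", "attack_type": "sqli"},
    {"req_id": "r3", "client_ip": "203.0.113.7", "attack_type": "sqli", "audit_token": "user-17"},
    {"req_id": "r4", "client_ip": "203.0.113.7", "attack_type": "<n/a>"},
    {"req_id": "r5", "client_ip": "198.51.100.20", "attack_type": "xss"},
    {"req_id": "r6", "attack_type": "sqli"},
]

def normalize(event, fields):
    """Return every requested field; a missing, empty or "<n/a>" value becomes None."""
    return {f: (None if event.get(f) in (None, "", NA) else event[f]) for f in fields}

def summarize_blocks(events, threshold=3):
    """Count blocks per (client_ip, attack_type); return flagged keys and unattributed count."""
    fields = ("req_id", "client_ip", "attack_type", "audit_token")
    counts, users, unattributed = Counter(), {}, 0
    for raw in events:
        ev = normalize(raw, fields)
        if ev["client_ip"] is None:
            unattributed += 1  # no source address available; tracked separately
            continue
        key = (ev["client_ip"], ev["attack_type"] or "unknown")
        counts[key] += 1
        if ev["audit_token"]:
            users.setdefault(key, set()).add(ev["audit_token"])
    flagged = {k: {"blocks": n, "users": sorted(users.get(k, ()))}
               for k, n in counts.items() if n >= threshold}
    return flagged, unattributed

if __name__ == "__main__":
    print(summarize_blocks(SAMPLE_EVENTS))
```

When client_ip is taken from X-Forwarded-For, per-IP counts like these depend on that header being set by a trusted proxy.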