Log fields

Every block message will log the fields listed in the following table. Some fields may be left out when there is no value available, others may write "<n/a>" instead.

| Field Name | Description |
|---|---|
| req_id | ID of the request |
| sess_id | ID of the session the request belongs to |
| corr_id | Request correlation ID |
| corr_id_2 | Second request correlation ID |
| corr_id_3 | Third request correlation ID |
| mapping | Mapping name used to handle the request |
| audit_token | Audit token set by the authentication server. This usually represents an individual user. |
| tech_client_id | Technical client ID extracted from request. |
| tech_client_display_name | Display name of the technical client. |
| tech_client_label | Label of the technical client. |
| tech_client_subscription_id | Subscription ID of the technical client. |
| tenant | Tenant of the requested mapping or virtual host |
| th_mode | Threat handling mode |
| vhost | The FQDN of the virtual host |
| vhost_ip | The IP address the virtual host is listening on |
| vhost_port | The port the virtual host is listening on |
| vhost_proto | The HTTP protocol used in the request |
| client_ip | The IP address of the client. Usually, this is the connection IP address (front_src_ip). If a reverse proxy or load balancer is in place and sets the X-Forwarded-For header, Airlock WAF can be configured to use the X-Forwarded-For value as client_ip. |
| geoip_continent | Continent code resolved for the client IP address (client_ip) |
| geoip_country | Country code resolved for the client IP address (client_ip) |
| geoip_location | Latitude and longitude resolved for the client IP address (client_ip) |
| sess_auth | Flag indicating whether the session was authenticated or not |
| block_type | Technology used to block the attack |
| attack_type | Type of the blocked attack |
| constraint | Violated constraint that led to the block |
| position | Description of where the error/block was detected |
| message | Message describing the log event |
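
Added example (not part of the Airlock documentation): a triage helper that groups block events by client_ip and treats a field that is missing, empty or set to "<n/a>" as absent, as described above. It assumes the events have already been parsed into field/value pairs, because this page does not show the log line format; the function names and all sample values are constructed.

```python
from collections import Counter

NA = "<n/a>"  # placeholder the page says some fields carry when no value exists

def normalize(event):
    """Treat missing, empty and "<n/a>" fields the same way: as absent."""
    return {k: v.strip() for k, v in event.items()
            if isinstance(v, str) and v.strip() not in ("", NA)}

def summarize(events):
    """Group block events by client_ip; the key None collects events without one."""
    summary = {}
    for raw in events:
        ev = normalize(raw)
        entry = summary.setdefault(ev.get("client_ip"), {
            "blocks": 0, "attack_types": Counter(), "mappings": set(),
            "audit_tokens": set(), "req_ids": []})
        entry["blocks"] += 1
        entry["attack_types"][ev.get("attack_type", "unknown")] += 1
        if "mapping" in ev:
            entry["mappings"].add(ev["mapping"])
        if "audit_token" in ev:
            entry["audit_tokens"].add(ev["audit_token"])
        if "req_id" in ev:
            entry["req_ids"].append(ev["req_id"])  # keep IDs for follow-up lookups
    return summary

def noisy_sources(summary, min_blocks=3):
    """client_ip values with at least min_blocks blocks, busiest first."""
    hits = [(ip, e["blocks"]) for ip, e in summary.items()
            if ip is not None and e["blocks"] >= min_blocks]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

# Constructed sample events (field -> value); every value here is made up.
SAMPLE_EVENTS = [
    {"req_id": "r1", "client_ip": "203.0.113.7", "mapping": "shop", "attack_type": "type-a", "audit_token": "<n/a>"},
    {"req_id": "r2", "client_ip": "203.0.113.7", "mapping": "shop", "attack_type": "type-a"},
    {"req_id": "r3", "client_ip": " 203.0.113.7 ", "mapping": "api", "attack_type": "type-b", "audit_token": "alice"},
    {"req_id": "r4", "client_ip": "198.51.100.20", "mapping": "api", "attack_type": "<n/a>", "audit_token": "bob"},
    {"req_id": "r5", "client_ip": "<n/a>", "mapping": "api", "attack_type": "type-b"},
]

if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS)
    for ip, count in noisy_sources(result):
        e = result[ip]
        print(ip, count, dict(e["attack_types"]), sorted(e["mappings"]), sorted(e["audit_tokens"]))
```

If client_ip is taken from X-Forwarded-For, the grouping is only as trustworthy as the proxy that sets that header.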