Every block message logs the fields listed in the following table. When no value is available, some fields are left out, while others are written as "<n/a>" instead.
Field Name | Description |
---|---|
req_id | ID of the request |
sess_id | ID of the session the request belongs to |
corr_id | Request correlation ID |
corr_id_2 | Second request correlation ID |
corr_id_3 | Third request correlation ID |
mapping | Mapping name used to handle the request |
audit_token | Audit token set by the authentication server. This usually represents an individual user. |
tech_client_id | Technical client ID extracted from request. |
tech_client_display_name | Display name of the technical client. |
tech_client_label | Label of the technical client. |
tech_client_subscription_id | Subscription ID of the technical client. |
tenant | Tenant of the requested mapping or virtual host |
th_mode | Threat handling mode |
vhost | The FQDN of the virtual host |
vhost_ip | The IP address the virtual host is listening on |
vhost_port | The port the virtual host is listening on |
vhost_proto | The HTTP protocol used in the request |
client_ip | The IP address of the client. Usually, this is the connection IP address (front_src_ip). If a reverse proxy or load balancer is in place and sets the X-Forwarded-For header, Airlock WAF can be configured to use the X-Forwarded-For value as client_ip. |
geoip_continent | Continent code resolved for the client IP address (client_ip) |
geoip_country | Country code resolved for the client IP address (client_ip) |
geoip_location | Latitude and longitude resolved for the client IP address (client_ip) |
sess_auth | Flag indicating whether the session was authenticated or not |
block_type | Technology used to block the attack |
attack_type | Type of the blocked attack |
constraint | Violated constraint that led to the block |
position | Description of where the error/block was detected |
message | Message describing the log event |
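
Because a field without a value can be either absent or written as "<n/a>", a log consumer has to treat both cases the same way before it aggregates block events. The following is an added example, not part of the product documentation or the product's own code: it assumes the block messages have already been parsed into key/value dictionaries (the on-disk log format is not described here), and all sample values are constructed.

```python
from collections import Counter

# Field names from the table above, in table order.
BLOCK_FIELDS = (
    "req_id", "sess_id", "corr_id", "corr_id_2", "corr_id_3", "mapping",
    "audit_token", "tech_client_id", "tech_client_display_name",
    "tech_client_label", "tech_client_subscription_id", "tenant", "th_mode",
    "vhost", "vhost_ip", "vhost_port", "vhost_proto", "client_ip",
    "geoip_continent", "geoip_country", "geoip_location", "sess_auth",
    "block_type", "attack_type", "constraint", "position", "message",
)
NO_VALUE = "<n/a>"  # placeholder some fields write when no value is available


def normalize(event):
    """Return a dict holding every documented field.

    A field that is absent, or written as "<n/a>", becomes None. Treating an
    empty string as "no value" as well is an assumption of this example.
    """
    out = {}
    for name in BLOCK_FIELDS:
        value = event.get(name)
        if value is None or str(value).strip() in ("", NO_VALUE):
            out[name] = None
        else:
            out[name] = str(value).strip()
    return out


def blocks_per_client(events):
    """Count block events per (client_ip, attack_type) after normalization."""
    counts = Counter()
    for event in events:
        rec = normalize(event)
        counts[(rec["client_ip"], rec["attack_type"])] += 1
    return counts


# Constructed sample events: already parsed, values are illustrative only.
SAMPLE_EVENTS = [
    {"req_id": "r1", "client_ip": "203.0.113.7", "attack_type": "example-type-a", "audit_token": "<n/a>"},
    {"req_id": "r2", "client_ip": "203.0.113.7", "attack_type": "example-type-a"},
    {"req_id": "r3", "client_ip": "198.51.100.4", "attack_type": "<n/a>", "sess_id": "s9"},
]

if __name__ == "__main__":
    for key, n in blocks_per_client(SAMPLE_EVENTS).most_common():
        print(key, n)
```

Without the normalization step, the first two sample events would look different on `audit_token` even though neither carries a value, and the third would be grouped under the literal string "<n/a>" as if it were an attack type.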