This article lists all available log messages on a single page for easy reference.
All Security Gate log messages are written in JSON format. This is a list of all available JSON fields including a short description. The column CEF Alias shows the field aliases used in CEF exports.
Field Name | CEF Alias | Description |
---|---|---|
| | Log message ID. |
| | Log message category. |
| cs1 | ID of the request. |
| cs2 | ID of the session the request belongs to. |
| | Request correlation ID. |
| | Second request correlation ID. |
| | Third request correlation ID. |
| destinationServiceName | Mapping name used to handle the request. |
| | Entry URL of the request. |
| request | Entry path of the request. |
| request | Query parameters of the entry URL. |
| suser | Audit token set by the authentication server. This usually represents an individual user. |
| | Technical client ID extracted from request. |
| | Display name of the technical client. |
| | Label of the technical client. |
| | Subscription ID of the technical client. |
| | Tenant of the requested mapping or virtual host. |
| | Threat handling mode. |
| dhost | The FQDN of the virtual host. |
| dst / c6a3 | The IP address the virtual host is listening on. |
| dpt | The port the virtual host is listening on. |
| app | The HTTP protocol used in the request. |
| | The HTTP protocol version used in the request. |
| | The back-end host the request was sent to. |
| | The IP address of the back-end host the request was sent to. |
| | The port of the back-end host the request was sent to. |
| | The protocol of the back-end host the request was sent to. |
| requestMethod | The HTTP method used in the request. |
| cn1 | The HTTP status code delivered to the client. |
| | The user agent header sent by the client. |
| | The accept-language header sent by the client. |
| | Back-end URL of the request. |
| | The redirect URL delivered to the client. |
| requestContext | The referrer URL sent by the client. |
| in | The number of bytes received from the client. |
| out | The number of bytes received from the back-end. |
| cn2 | The duration¹ from the moment all request headers have been read up from the client to the point where all response data has been sent to the client. |
| | The duration¹ the gateway requires to filter the request. The measured time is a fraction of |
| | The duration¹ from establishing the connection between gateway and back-end to receiving the first response byte from the back-end. The measured time is a fraction of |
| | Currently not functional. |
| | Currently not functional. |
| | The duration¹ from reading the first response header from the back-end to receiving the last byte of a response from the back-end. The measured time is a fraction of |
| | The total duration¹ required to handle the WebSocket connection. The time measurement starts after the handshake (HTTP upgrade). |
| src / c6a2 | The IP address of the client. Usually, this is the connection IP address ( |
| | The IP address from which the front-end TCP connection was established. |
| | The port from which the front-end TCP connection was established. |
| | The IP address the client connected to. |
| | The port the client connected to. |
| | The IP address Airlock Gateway used to connect to the back-end server. |
| | The port Airlock Gateway used to connect to the back-end server. |
| | The IP address of the back-end server Airlock Gateway connected to. |
| | The port of the back-end server Airlock Gateway connected to. |
| | Continent code resolved for the client IP address ( |
| | Country code resolved for the client IP address ( |
| cs3 | Latitude and longitude resolved for the client IP address ( |
| | Number of bytes received from the client (WebSocket). |
| | Number of bytes sent to the client (WebSocket). |
| | The ID of the TLS session on the front-end. |
| | The TLS protocol that has been negotiated on the front-end. |
| | The TLS cipher that has been negotiated on the front-end. |
| | The subject's distinguished name (DN) of the TLS client certificate. |
| | Flag indicating whether the session was authenticated or not. |
| | Count of authenticated sessions. |
| | The licensed limit of authenticated sessions. |
| | Total count of sessions. |
| | Reason for connection or session termination. |
| | Lifetime of the session in seconds. |
| | Reject type for the rejected request. |
| | Technology used to block the attack. |
| cs4 | Type of the blocked attack. |
| | Name of the rule that triggered the block. |
| | Short name of the rule that triggered the block. |
| | Matching IP list names. |
| | Name of the deny rule group that triggered the block. |
| | Short name of the deny rule group that triggered the block. |
| act | Action taken by Airlock Gateway for this request. |
| | Violated constraint that led to the block. |
| | Description of where the error/block was detected. |
| | Filename |
| | The error code returned by libcurl. |
| | The measured request rate (requests per second). |
| | The licensed request rate (requests per second). |
| | Anomaly Shield application. |
| | Anomaly Shield session anomaly tag. |
| msg | Message describing the log event. |
| | This field is only added when the truncation mechanism has skipped one or more fields. It is added with the value |

¹ The time base for Syslog and Elasticsearch is in microseconds, for Kibana and CSV output in milliseconds.
A block message will be written whenever a request is blocked, giving a short description of why the request was blocked. The log ID of block messages starts with BLOCK- or BLOCKDET-.
Every message will log the fields listed in the JSON fields. Some fields may be left out when there is no value available, and others may write <n/a> instead.
List of log messages:
Message ID | Attack Type | Block Type | Description |
---|---|---|---|
WR-SG-BLOCK-108-01 | Filter evasion | Multipart Parser | illegal boundary characters "..." found in multipart POST. |
WR-SG-BLOCK-108-02 | Filter evasion | Multipart Parser | multiple content-disposition headers found in multipart POST. |
WR-SG-BLOCK-108-03 | Filter evasion | Multipart Parser | nesting level (...) exceeded in multipart POST. |
WR-SG-BLOCK-108-04 | Filter evasion | Multipart Parser | Syntax Error in multipart POST: no delimiter found in the request body "...". |
WR-SG-BLOCK-108-05 | Filter evasion | Multipart Parser | delimiter found in multipart header "...". |
WR-SG-BLOCK-108-06 | Filter evasion | Multipart Parser | multiple multipart boundary definitions found in the content-type header "...". |
WR-SG-BLOCK-108-07 | Filter evasion | Multipart Parser | Syntax Error in multipart POST: Error while parsing multipart header "...". |
WR-SG-BLOCK-108-08 | Filter evasion | Multipart Parser | multipart boundary definition not found in content-type header "...". |
WR-SG-BLOCK-108-10 | Filter evasion | Multipart Parser | Syntax Error in multipart POST: Missing newline characters ... |
WR-SG-BLOCK-108-11 | Filter evasion | Multipart Parser | Syntax Error in multipart POST: Missing delimiter. |
WR-SG-BLOCK-108-20 | Unsafe multipart headers | Multipart Parser | Multipart header blacklist rule was triggered by multipart header "...". |
WR-SG-BLOCK-108-21 | Unsafe multipart headers | Multipart Parser | Multipart header allowlist rule was triggered by multipart header "...". |
WR-SG-BLOCK-108-30 | Filter evasion | Multipart Parser | Error while decoding multipart content: ...: "...". |
WR-SG-BLOCK-108-35 | Filter evasion | Multipart Parser | Trailing characters found after encoded content "...". |
WR-SG-BLOCK-108-40 | Filter evasion | Multipart Parser | Filename was empty but content was not. |
WR-SG-BLOCK-109-01 | Filter evasion | JSON Parser | JSON syntax error message: "..." in ... |
WR-SG-BLOCK-109-02 | Filter evasion | JSON Parser | Failed to sanitize JSON data (UTF8) in ... |
WR-SG-BLOCK-109-03 | Filter evasion | JSON Parser | Failed to convert JSON data (from ... to UTF-8) in ... |
WR-SG-BLOCK-117-01 | Filter evasion | GraphQL | Multiple definition error: "..." |
WR-SG-BLOCK-117-02 | Filter evasion | GraphQL | Query syntax error: "..." |
WR-SG-BLOCK-117-03 | Noncompliant API usage | GraphQL | Validation error in operation: "..." |
WR-SG-BLOCK-117-04 | Filter evasion | GraphQL | Forbidden action in operation "..." : "..." |
WR-SG-BLOCK-118 | Denial of service | GraphQL | Limit exceeded in operation "..." : "..." |
WR-SG-BLOCK-120-01 | URL tampering | URL Encryption | Decryption failed for request URL using passphrase-based encryption. URL has been modified by the client or was encrypted for a different user session using session-based encryption. |
WR-SG-BLOCK-120-02 | URL tampering | URL Encryption | Decryption failed for request URL using session-based encryption. The URL has been modified by client. |
WR-SG-BLOCK-120-03 | URL tampering | URL Encryption | The request URL is not or incorrectly encrypted (unrecognized/wrong encryption mode). |
WR-SG-BLOCK-120-04 | URL tampering | URL Encryption | Decryption failed for the encrypted request URL. URL belongs to an unknown (expired or otherwise different) session or the passphrase has changed. |
WR-SG-BLOCK-120-05 | URL tampering | URL Encryption | Request URL is PBE encrypted but SBE is configured. |
WR-SG-BLOCK-131-01 | Filter evasion | ParameterNormalization | Filter notification: parameter normalization failed on data "..." using default charset:... fallback:... |
WR-SG-BLOCK-131-02 | Filter evasion | ParameterNormalization | Filter notification: parameter normalization failed on data "..." using charset from content-type:... |
WR-SG-BLOCK-131-03 | Filter evasion | ParameterNormalization | Filter notification: parameter normalization not possible from unsupported charset derived from content-type "..." |
WR-SG-BLOCK-131-04 | Filter evasion | ParameterNormalization | Filter notification: ... in path "...". UTF-8 is enforced. |
WR-SG-BLOCK-131-05 | Filter evasion | ParameterNormalization | Filter notification: ... in header "...". UTF-8 is enforced. |
WR-SG-BLOCK-131-06 | Filter evasion | ParameterNormalization | Filter notification: ... in ... "...". UTF-8 is enforced. |
WR-SG-BLOCK-131-07 | Filter evasion | ParameterNormalization | Filter notification: Charset encoding "..." found in Content-Type header. UTF-8 is enforced. |
WR-SG-BLOCK-131-08 | Filter evasion | BodyNormalization | Filter notification: ... in body of content-type "...". UTF-8 is enforced. |
WR-SG-BLOCK-135-01 | Parameter tampering | URL Encryption | Location parameter "..." with value "..." is invalid: ... |
WR-SG-BLOCK-111-00 | URL tampering | Allow Rule | no allow rule matched |
WR-SG-BLOCK-111-06 | Request tampering | Allow Rule | Content-Type of request (...) does not match Content-Type pattern "..." , path pattern:"..." |
WR-SG-BLOCK-111-05 | Request tampering | Allow Rule | HTTP method "..." does not match the method pattern "..." |
WR-SG-BLOCK-111-04 | Parameter tampering | Allow Rule | Parameter value is not allowed. Value "..." of parameter "..." does not match value pattern "..." , path pattern:"..." |
WR-SG-BLOCK-111-08 | Parameter tampering | Allow Rule | Parameter "..." is not allowed because there is no parameter rule defined that would match the parameter name. The parameter value would be "..." , path pattern:"..." |
WR-SG-BLOCK-111-07 | Parameter tampering | Allow Rule | The request must contain a parameter matching pattern "..." , path pattern:"..." |
WR-SG-BLOCK-111-20 | URL tampering | Parameter Limits | Path has length ..., but at most ... would be allowed |
WR-SG-BLOCK-111-21 | Parameter tampering | Parameter Limits | There are ... parameters, but at most ... would be allowed |
WR-SG-BLOCK-111-22 | Parameter tampering | Parameter Limits | Length of parameter name "..." is ... bytes, but at most ... bytes would be allowed |
WR-SG-BLOCK-111-23 | Parameter tampering | Parameter Limits | Value "..." of parameter "..." contains ... bytes, but at most ... bytes would be allowed |
WR-SG-BLOCK-117-01 | Filter evasion | GraphQL | Multiple definition error: ... |
WR-SG-BLOCK-117-02 | Filter evasion | GraphQL | Query syntax error: ... |
WR-SG-BLOCK-117-03 | Noncompliant API usage | GraphQL | Validation error in operation "...": ... |
WR-SG-BLOCK-117-04 | Filter evasion | GraphQL | Forbidden action in operation "...": ... |
WR-SG-BLOCK-118 | Denial of service | GraphQL | Limit exceeded in operation "...": ... |
WR-SG-BLOCK-115 | ... | OpenAPI | ... |
WR-SG-BLOCKDET-115 | ... | OpenAPI | ...... |
WR-SG-BLOCK-116 | ... | JSON Limits | ... |
WR-SG-BLOCK-122-00 | Parameter tampering | FormProtection | Parameter "..." is illegal according to form signature |
WR-SG-BLOCK-122-02 | Parameter tampering | FormProtection | Value "..." of parameter "..." is illegal according to form signature |
WR-SG-BLOCK-122-03 | Parameter tampering | FormProtection | Value length of parameter "..." (... bytes) exceeds maximum allowed length (... bytes). |
WR-SG-BLOCK-122-04 | Parameter tampering | FormProtection | Form signature ID is invalid. |
WR-SG-BLOCK-122-05 | Parameter tampering | FormProtection | Value "..." for parameter "..." of type "..." is invalid according to validation pattern "..." |
WR-SG-BLOCK-122-06 | Parameter tampering | FormProtection | Required parameters {...} have been omitted |
WR-SG-BLOCK-130 | Cross-site request forgery | CSRFProtection | CSRF attack detected. CSRF token is invalid or missing. |
WR-SG-BLOCK-190 | Bot access | Bot Management | The client does not support cookies: ... |
WR-SG-BLOCK-110-01 | ... | Deny Rule | Deny rule was triggered |
WR-SG-BLOCK-112 | Unwanted IP | IP Allowlist | IP allowlist did not match |
WR-SG-BLOCK-113 | ... | ThreatIntelligence | Bad IP detected |
WR-SG-BLOCK-114 | Blacklisted IP | IP Blacklist | IP blacklist matched |
WR-SG-BLOCKDET-110-01 | ... | Deny Rule | Blocked path: "..." |
WR-SG-BLOCKDET-110-02 | ... | Deny Rule | Blocked method: "..." |
WR-SG-BLOCKDET-110-03 | ... | Deny Rule | Blocked Content-Type: "..." |
WR-SG-BLOCKDET-110-05 | ... | Deny Rule | Blocked parameter: "...=..." (...) |
WR-SG-BLOCKDET-110-06 | ... | Deny Rule | Blocked header: "...: ..." |
WR-SG-BLOCK-140-01 | Parameter pollution | HTTP Parameter Pollution | Multiple parameters with the same name "..." and different types (..., ...) found. |
WR-SG-BLOCK-145 | Filter evasion | Web Listener Checks | Maximum request body size exceeded |
WR-SG-BLOCK-125 | Parameter tampering | DyVE | Parameter "..." with value "..." is illegal according to dynamic value endorsement. |
WR-SG-BLOCK-150-01 | Behaviour anomaly | Client Fingerprinting | Client Fingerprinting: Blocking request. |
WR-SG-BLOCK-150-02 | Behaviour anomaly | Client Fingerprinting | Client Fingerprinting: Blocking request and terminating session. |
WR-SG-BLOCK-160 | Denial of service | DOSThresholds | Maximum number of allowed requests (...) within ... seconds for this IP (...) reached. |
WR-SG-BLOCK-180 | RecurringAttack | Dynamic IP Blacklist | Blocked due to Dynamic IP blacklist. |
WR-SG-BLOCK-170 | Illegal payload | ICAP | ICAP service "..." at ...:... blocked in REQMOD. |
WR-SG-BLOCK-161 | Denial of service | DOSThresholds | Maximum number of allowed sessions (...) for this IP reached. |
WR-SG-BLOCK-155 | Behaviour anomaly | Anomaly Shield | Session anomaly detected. Matched rule "..." with Trigger(s) "...". Executing block action(s) "...". |
WR-SG-BLOCK-156 | Behaviour anomaly | Anomaly Shield | IP blocked due to previous anomalous behavior detected by Anomaly Shield rule. |
Airlock Gateway's own access log format, the Request Summary, replaces the classic Apache access log. A summary is written for each request and carries much more information about the request than a normal HTTPd log line can provide. The request summary is logged with the log ID WR-SG-SUMMARY.
Every message will log the fields listed in the JSON fields. Some fields may be left out when no value is available, and others may write <n/a> instead.
List of log messages:
Message ID | Description |
---|---|
WR-SG-SUMMARY | Request processed |
WR-SG-SUMMARY-LP | Session logout propagation with URL "{}" |
A request may be rejected due to errors or system limitations. In that case a reject message will be logged. The log ID of reject messages starts with "REJECT-".
Every message will log the fields listed in the JSON fields. Some fields may be left out when no value is available, and others may write <n/a> instead.
List of log messages:
Message ID | Reject Type | Description |
---|---|---|
WR-SG-REJECT-105 | System | Error (...) while matching content-type "..." |
WR-SG-REJECT-111-26 | Config | allow rule "...": not properly initialized: ... |
WR-SG-REJECT-115 | Config | OpenAPI configuration is invalid |
WR-SG-REJECT-190 | Config | Redirecting to the cookie check URL: ... |
WR-SG-REJECT-100 | Config | ... is invalid due to malformed pattern |
WR-SG-REJECT-117 | Config | GraphQL configuration is invalid |
WR-SG-REJECT-120 | System | ... failed due to communication error with ip-info-service |
WR-SG-REJECT-140 | Web Listener | Web listener aborted the request with status code ... |
WR-SG-REJECT-141 | Web Listener | Maximum request read time exceeded |
WR-SG-REJECT-101 | Config | No matching mapping found |
WR-SG-REJECT-102 | Config | No matching virtual host found |
WR-SG-REJECT-103 | Config | No matching Back-end Group found |
WR-SG-REJECT-200 | Config | Mapping is under maintenance. Redirecting request to maintenance page at "..." |
WR-SG-REJECT-250 | Config | Running in restricted mode, rejecting request due to missing or invalid license |
WR-SG-REJECT-700 | Access | Required API key not provided. |
WR-SG-REJECT-701 | Access | API Policy Service - ... |
WR-SG-REJECT-702 | Access | API Policy Service - ... |
WR-SG-REJECT-703 | Access | API Policy Service - ... |
WR-SG-REJECT-704 | Limit | API Policy Service - ... |
WR-SG-REJECT-720 | Access | API Policy Service not configured |
WR-SG-REJECT-300 | Access | User not authorized to access mapping: ... |
WR-SG-REJECT-300-01 | Access | Browser is not authorized to access the favicon |
WR-SG-REJECT-301-01 | Config | on-behalf-login error: Basic authentication credentials not set but required by configuration. Aborting request |
WR-SG-REJECT-302-01 | Config | on-behalf-login error: NTLM credentials not set but required by configuration. Aborting request |
WR-SG-REJECT-303-01 | Config | on-behalf-login error: Kerberos credentials not set but required by configuration. Aborting request |
WR-SG-REJECT-801-01 | System | Fatal error during backend request "..." for host "..." (...) |
WR-SG-REJECT-802 | Environment | Backend timeout occurred |
WR-SG-REJECT-804 | Environment | Back-end communication error: All Back-end Hosts ... failed |
WR-SG-REJECT-301-02 | Config | on-behalf-login error: Basic authentication failed. Server returned 401 (not authorized) error. Redirecting request |
WR-SG-REJECT-302-02 | Config | on-behalf-login error: NTLM authentication failed. Server returned 401 (not authorized) error. Redirecting request |
WR-SG-REJECT-303-02 | Config | on-behalf-login error: Kerberos authentication failed for SPN "...". Server returned 401 (not authorized) error. Redirecting request |
WR-SG-REJECT-400 | Config | Request handler mapping error: ......... |
WR-SG-REJECT-401 | Config | Response handler mapping error: ... |
WR-SG-REJECT-505 | Environment | Cannot perform backend failover because the request body has been truncated |
WR-SG-REJECT-520 | System | Back-end state machine: Invalid signal "..." for state "..." |
WR-SG-REJECT-180 | System | Internal stream handler error in ...: ... |
WR-SG-REJECT-181 | System | Child process has been signaled to terminate. |
WR-SG-REJECT-820-02 | Environment | ICAP client: Idle request timeout (...s) on ICAP service "..." at ...:... |
WR-SG-REJECT-820-03 | Environment | ICAP client: Request buffer limit has been exceeded on ICAP service "...", failover not possible |
WR-SG-REJECT-820-04 | Config | ICAP client: Error initializing ... request, ... |
WR-SG-REJECT-820-05 | System | ICAP client: ... |
WR-SG-REJECT-820-06 | Environment | ICAP client: No more servers available for ICAP service "..." |
WR-SG-REJECT-821-01 | Environment | ICAP client: ICAP response parser failed: ... (invalid response from icap server) |
WR-SG-REJECT-821-02 | Environment | ICAP client: No encapsulation header present in ICAP response |
WR-SG-REJECT-822-01 | Environment | ICAP client: Error creating HTTP ... |
WR-SG-REJECT-060 | Environment | ICAP client: ICAP response contains HTTP request - This should not happen when ICAP request mode was not REQMOD |
WR-SG-REJECT-061 | Environment | ICAP client: ICAP response contains malformed ... |
WR-SG-REJECT-171 | Environment | ICAP service "..." at ...:... responded in ... with ICAP status code ... |
WR-SG-REJECT-823-01 | Config | ICAP client: Forbidden path change detected during ICAP REQMOD (Client View) from path:... to path:... that would change the mapping from mapping:... to mapping:... , service "..." at ...:... |
WR-SG-REJECT-823-02 | Config | ICAP client: Forbidden path change detected during ICAP REQMOD (Client View) from path:... to path:... (slash is missing) , ICAP service "..." at ...:... |
WR-SG-REJECT-823-03 | Config | ICAP client: Forbidden path change detected for an encrypted request during ICAP REQMOD (Client View) from path ... to path ... ICAP service "..." at ...:... |
WR-SG-REJECT-823-04 | Config | ICAP client: Forbidden query change detected for an encrypted request during ICAP REQMOD (Client View) from query ... to query ..., ICAP service "..." at ...:... |
WR-SG-REJECT-805-01 | System | Idle child timeout for child ... after ... seconds. Invoking child terminator. |
WR-SG-REJECT-805-02 | System | Hard child timeout for child ... after ... seconds. Invoking child terminator. |
WR-SG-REJECT-150-01 | System | Failed to create session. Rejecting request. Reason of failure: ... |
WR-SG-REJECT-150-02 | System | Failed to create session. Rejecting request. Reason of failure: ... |
WR-SG-REJECT-151 | System | Session tracking mode switch to ...:... failed. Rejecting request. |
WR-SG-REJECT-152 | System | Failed to assure session tracking mode. Rejecting request. |
WR-SG-REJECT-560 | System | Allowed number of concurrent authenticated sessions exceeded. Licensed are ..., grace margin is ... and currently used are .... Please contact product support or sales for a license upgrade. |
WR-SG-REJECT-112 | System | Not enough space in credentials store for credential "...". ... bytes used (limit ...) and ... credentials stored |
WR-SG-REJECT-113 | System | Too many entries in credentials store. Limit of ... entries reached. Rejected credential "..." |
WR-SG-REJECT-155 | Config | Request for SSL-tracked Airlock Gateway session uses wrong SSL session. Terminating session. |
WR-SG-REJECT-901 | limit | Virtual host: ... |
WR-SG-REJECT-902 | limit | Mapping: ... |
WR-SG-REJECT-903 | limit | Back-end group: ... |
Some events that occur during back-end requests are reported with back-end messages. Depending on the severity of the event, a corresponding reject message may follow.
Every message will log the fields listed in the JSON fields. Some fields may be left out when no value is available, and others may write <n/a> instead.
List of log messages:
Message ID | Description |
---|---|
WR-SG-BACK-500 | Timeout during back-end request "..." |
WR-SG-BACK-502 | Communication error (...; ...) (errno:...: ...) during backend request "..." |
WR-SG-BACK-503 | HTTP response indicates back-end failure "..." for request "..." |
WR-SG-BACK-506 | Resetting original request for back-end failover |
WR-SG-BACK-510 | Backend request handler: Internal error during back-end request: .... Errno:... ... |
WR-SG-BACK-511 | Backend request handler: Curl multi error during back-end request: CURLMcode:... .... Errno:... ... |
There are two messages reporting the start and the end of a session and one message reporting the start of a new TLS session.
Every message will log the fields listed in the JSON fields. Some fields may be left out when no value is available, and others may write <n/a> instead.
Message ID | Description |
---|---|
WR-SG-SESS-004 | Session created |
WR-SG-SESS-005 | Session finished: {} |
WR-SG-TLS-SESS-START | TLS session started |
Message ID | Description |
---|---|
WR-SG-CONNTRACE | Connection Trace |