Access log field reference

The access log follows the Elastic Common Schema (ECS). The information in this article can be used to look up the meaning of log fields and configure a CR Telemetry based on the listed log fields and command operators.

  • Log field types:
  • Some log fields show logging output using standard Envoy command operators. See online Envoy command operators documentation for details.
  • Other log fields use custom command operators to show logging output. The corresponding custom command operators are listed in the table.

Log field reference table

Log field

Description

Custom command operators
(Envoy command operators not shown)

@timestamp

Timestamp of the logged request.

airlock.deny_rules

  • .block_reason – Explanation (reason) why a request has been blocked.
  • .matches[].rule_key – Identifies deny rules that have been triggered by the request.
  • .matches[].rule_id – Internal deny rule ID used by Ergon for debugging purposes.
  • .matches[].level – Security level of the matching deny rule.
  • .matches[].threat_handling_mode – Can be set to LogOnly or Block.

%DENY_RULES%

airlock.graphql

  • .reference – GraphQL reference name.
  • .request.failed_validation – Log is enriched with a detailed message.
  • .threat_handling_mode – Can be set to LogOnly or Block.
  • airlock.response – Block message airlock_request_blocked_graphql.

%GRAPHQL%

airlock.header_rewrites

Shows a list of header rewrite actions applied on request or response headers. Requires operationalMode to be set to Integration.

  • Each item in the list contains the following fields:
  • .request.headers – List of headers that have been rewritten.
  • .request.action – Informs about the rewrite action that has been performed on one or more headers.
    • Example:
    • remove
  • .request.type – Informs about the rule type that has been applied.
    • Example:
    • remove-rule
    • allow-rule
  • .request.applied_rules – Names the header rewrite rules that have been applied.

%HEADER_REWRITES%

airlock.openapi

  • .reference – OpenAPI reference name.
  • .request.failed_validation – Log is enriched with a detailed message.
  • .threat_handling_mode – Can be set to LogOnly or Block.

%OPENAPI%

airlock.http.request.accept_language

Contains the values of the Accept-Language request header.

airlock.http.response.redirect_url

Contains the redirect URL extracted from the Location response header.

airlock.limits

For a complete list of logged limits and their defaults, see CR Limits reference documentation.

  • Additional information:
  • Path length (path is logged in field url.path)
  • Parameter value length (incl. parameter name and value)
  • Parameter name length (incl. parameter name)
  • JSON key length (incl. json_path and key)
  • JSON value length (incl. json_path and value)

%LIMITS%

airlock.log_correlation.connection_id

Shows the connection ID respectively stream ID. These IDs allow correlating access and application log entries for in-depth analysis.

Application log example:
"ConnectionId":<X>, "StreamId":<Y>

%LOG_CORRELATION%

airlock.log_correlation.stream_id

airlock.parser.matches

Shows the reason if parsing fails.

  • Application log example:
  • "failed_check": "json_syntax", "message": "Error message from parser..."
  • Correlating response.details log could be airlock_request_blocked_parser.

%PARSER%

airlock.response.details

Shows a response code with detailed information.

airlock.response.flags

The Envoy access log response flags provides additional information about response or connection.

airlock.upstream.destination.ip

Direct remote destination IP address of the upstream.

airlock.upstream.destination.port

Direct remote destination port of the upstream.

airlock.upstream.http.version

Shows the HTTP version (1.1/2) of the upstream traffic.

%UPSTREAM_HTTP_VERSION%

destination.ip

Direct destination IP address of the Pod containing the Microgateway Engine sidecar.

destination.port

Direct destination port of the Pod containing the Microgateway Engine sidecar.

ecs.version

Our logging is built on a version of the Elastic Common Schema (ECS) reference.

event.category

ECS categorization field.
For the access log, event.category is always "web".

event.dataset

Name of the dataset.
For the access log, this is envoy.access.

event.duration

Duration of the request in nanoseconds as recorded by the Microgateway Engine.

%DURATION_IN_NANOSECONDS%

event.end

Time the response was finished by the Microgateway Engine.

%END_TIME(%Y-%m-%dT%T.%3f%z)%

event.kind

ECS categorization field.
For the access log, event.kind is always "event".

event.module

Module that recorded the event, i.e. envoy.

event.outcome

ECS categorization field.
Indicates the status of the filtering process. When the Microgateway Engine works correctly, the status "success" is shown.
Note that "success" is displayed even if a request was blocked – see also event.type categorization.

event.start

Time the Microgateway Engine received the request.

event.type

ECS categorization field.

Indicates whether a request has been forwarded to the upstream.

  • Available event types:
  • [ "access", "denied" ] if a deny rule blocks a request.
  • [ "access", "allowed" ] if the request was forwarded to the upstream.
  • [ "access", "error" ], see airlock.response.details for more information about the error.

%EVENT_TYPE%

http.request.bytes

Total request size in bytes (body and headers).

%REQUEST_HEADERS_AND_BODY_BYTES%

http.request.mime_type

MIME type of the request body.

%REQ_MIME_TYPE%

http.request.body.bytes

Request body size in bytes.

http.request.id

UID of the HTTP request.

http.request.method

HTTP method of the request.

http.request.referrer

Value of the Referer request header.

http.response.body.bytes

Response body size in bytes.

http.response.bytes

Total response size in bytes (body and headers).

%RESPONSE_HEADERS_AND_BODY_BYTES%

http.response.mime_type

MIME type of the response body.

%RESP_MIME_TYPE%

http.response.status_code

HTTP response code.

http.version

Shows the HTTP version (1.1/2) of the application's downstream traffic.

%HTTP_VERSION%

log.level

"info" for all access log entries.

log.logger

"access" for all access log entries.

  • Other possible values:
  • "application" for Microgateway Engine log entries.

network.forwarded_ip

Shows the identified Downstream remote IP settings.

observer.product

Airlock Microgateway

observer.type

The type of observer that created the log entry, i.e. "waap" for Web Application and API Protection.

observer.vendor

Ergon Informatik AG

observer.version

Release version of the Airlock Microgateway, i.e. 4.0.0.

%ENVIRONMENT(ENGINE_VERSION)%

source.ip

Direct remote source IP address of the downstream, as detected by the Microgateway Engine.

source.port

Direct remote source port of the downstream, as detected by the Microgateway Engine.

url.domain

Domain/IP without port number as extracted from the host header.

%HTTP_HOST%

url.path

Path of the request without query string.

Example:
"/my-webapp"

%REQ_QUERY(:PATH)%

url.query

Query string of the request. Note that the ? is excluded from the string.

user_agent.original

Unparsed user agent string.

Example:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36

Airlock Microgateway specific response code details

The following response code details can appear in the airlock.response.details log field:

Response code details

Description

airlock_request_blocked_deny_rule

A deny rule detected malicious data. The request was blocked.

airlock_request_blocked_encoding

The request contains data with invalid encoding (UTF-8 required). The request was blocked.

airlock_request_blocked_limit

A limit was exceeded. The request was blocked.

airlock_request_blocked_parser

The request contains data that could not be parsed, for example due to a syntax error in JSON data. The request was blocked.

Further information and links: