Manual Chapter: Alert Logs

Applies To:

BIG-IP ASM

  • 13.1.0

Viewing the alert log

You can view the alert log to see detailed information on possible or actual attacks on your encrypted data.
  1. On the Main tab, click System > Logs > Data Protection.
    The Data Protection log appears. The Data Protection log displays the following alert information:
    • Timestamp: The date and time when the system logged the alert information.
    • Host: The name of the host that logged the alert information.
    • Client IP: The IP address of the victim of the alert.
    • Event URL: The URL of the site that was in use when the alert was sent.
    • User Name: The name of the client-side user who performed the action that triggered the alert.
    • Event Type: The type of the alert, which will be one of the following:
      • VCRYPT: Server-side Encryption Error alerts. These alerts are created when the BIG-IP system detects an error in the Application Layer Encryption component.
      • AJAX_VCRYPT: Encryption Alerts for the Full AJAX payload. These alerts are created when the BIG-IP system detects an encryption or decryption error in the full AJAX payload.
      • JS_VCRYPT: Client-side Encryption Error Alerts. These alerts are created when the BIG-IP DataSafe JavaScript detects an error in the Application Layer Encryption component.
      • COMPONENTS_VALIDATION: Server-side Missing Components Alerts. These alerts are created when the BIG-IP system detects missing BIG-IP DataSafe components on a protected web page.
      • JS_MISSING_COMPONENTS: Client-side Missing Components Alerts. These alerts are created when the BIG-IP DataSafe JavaScript detects missing BIG-IP DataSafe components on a protected web page.
    • Component: The alert sub-type.
  2. To view additional information on an alert, click the More Details link in the far-right column.
    Clicking this link displays the following additional information on an alert:
    • Defined Value: This is used only in Encryption Staging Mode, when Component = VCRYPT_STAGING_MODE_FAILED. The parameter name is displayed along with the type of problem, which will be either MISMATCH or MISSING.
    • Resolved Value: This is used only in Encryption Staging Mode, when Component = VCRYPT_STAGING_MODE_FAILED. The parameter name is displayed along with the type of problem, which will be either MISMATCH or MISSING.
    • Details: The information displayed here varies depending on the alert type.
    • Additional Info: The information displayed here varies depending on the alert type.
    • URL Name: The URL of the site from where the alert was sent, as configured in the BIG-IP. This can differ from the Event URL, for example if a wildcard URL was configured in the BIG-IP.
    • Client IP Geolocation: The geographic location of the client IP.
    • Transaction ID: An HTTP transaction ID generated by AVR for the Risk Engine.
    • Guid: An internal ID generated by BIG-IP DataSafe for identifying the user whose action generated the alert.
    • User Agent: The user's browser type and operating system.
    • HTTP Referrer: The URL of the web page that was visited just before the Alert URL was visited.