Cloud WAF Log Integration
- Last Updated Apr 28, 2025
Retrieve your Imperva access and event logs from the Imperva cloud repository and archive or push these events into your SIEM solution.
Note:
- The availability of this feature depends on your subscription. For more information or to upgrade your plan, contact an Imperva Sales Representative.
- Logs will include events that occur after the log integration is activated.
- Imperva Near Real-Time SIEM log integration: To learn more, see Near Real-Time SIEM Log Integration.
Overview
Imperva creates the following comprehensive and detailed logs:
- Security logs provide a detailed alert for each suspicious event that the Imperva proxy detects while protecting your sites across its globally distributed network. All logs include the account ID and site ID references, which enables drill down into each individual customer/site.
- Access logs specify every request and response sent between your customers and the Imperva proxy. This is all the traffic that would have been sent between end users and your origin server, including traffic that Imperva served from its cache.
Imperva supports CEF, LEEF, and W3C log formats and provides event reporting of in-depth event information, such as attacker geo-location and client application signature.
Access logs are typically synchronized within 10 minutes, although it may take up to 30 minutes or more depending on system load. Security log files typically arrive within 3-5 minutes of the event.
Log integration modes
Imperva provides several modes of log integration:
- Retrieve (Pull mode): Log integration API. Your logs are saved in a dedicated repository created for you in the Imperva cloud. Imperva enables you to upload a public key to encrypt your log files, activate Imperva log collection, change the logging level, and download log files from the Imperva storage repository to your network.
  Log storage: Logs are aggregated at the Imperva log repository and are kept for up to 48 hours or until the stored logs reach 500MB. (Logs may be retained for up to 5 additional days for internal troubleshooting purposes before they are permanently deleted.) When one of these limits is reached, the oldest file is overwritten first (first in, first out) to make room for a new log file. Logs are stored per account.
  Log index file: Imperva provides a Log Index file (logs.index) that lists the log files currently available for download. The index is not modified based on which log files you have already downloaded: it always contains the full list of available files at any given moment, so your downloader must keep track of what it has already fetched.
- Receive (Push mode): Automatic log integration via SFTP, Amazon S3, or Splunk HEC. Logs are transferred directly from Imperva to your pre-defined repository as they are created. No log data is stored in the Imperva cloud repository at any time.
Encryption
You can choose to encrypt Imperva logs. Logs are encrypted using a public/private key pair that you generate, to safeguard the privacy of your data while it is stored in the Imperva cloud repository. Encryption happens automatically at the Imperva cloud repository; you decrypt the log files after download, using your private key.
If you use the receive (push) option for log integration, the best-practice recommendation is not to enable log encryption: the logs are never written to the Imperva cloud repository, so the exposure this encryption guards against does not arise. What remains to secure is the delivery channel itself, so use SFTP, or HTTPS endpoints for Amazon S3 and Splunk HEC.
Predefined SIEM packages
Predefined SIEM application packages which automate the loading of events from the Imperva cloud into your SIEM are available. These predefined packages come ready-made to manipulate and display each Imperva log event in your SIEM dashboard in order to facilitate reporting automation, prioritized mitigation, and general event handling.
Note: These packages are developed and maintained independently of Imperva, and are therefore not supported by Imperva.
The functionality differs per package. Any requests for additional functions or bug fixes should be submitted through GitHub.
Packages are available for:
- Micro Focus ArcSight (Express/ESM)
- Splunk
- McAfee Enterprise Security Manager
- GrayLog
- Sumo Logic
- LogRhythm
Several additional platforms provide SIEM integrations with Imperva:
- IBM QRadar
- AlienVault USM Anywhere
- Microsoft Sentinel (For details, see Imperva integration with Microsoft Azure Sentinel.)
- Elastic SIEM (For details, see Imperva Cloud WAF Integration for Elastic SIEM.)
- Chronicle (For details, see Collect Imperva Web Application Firewall logs.)
Connector
If you choose the retrieve mode to access the logs, a sample Python script and configuration file are available for download to assist you with the process. Imperva does not maintain this script. It is hosted in GitHub and managed by the open source community.
Event suppression
In some cases, Imperva may use an event suppression mechanism, where some events are discarded and not included in the logs:
- Security logs: Imperva applies a “smart” suppression mechanism to protect SIEM resources, which can be exhausted by logging similar attack traffic, especially during a DDoS attack.
- Access logs: Imperva applies a suppression mechanism when the rate of events reaches 2K requests per second for an account.
In both cases the discarded events never reach your SIEM, so request or alert counts derived from the logs can undercount during such bursts.
The log integration process
This section provides an overview of the log integration process. To configure Imperva log integration, do the following:
Set up log integration
Enable and configure log integration in the Imperva Cloud Security Console.
Prerequisites: If you are implementing log integration using the push mode (automatic log integration via SFTP, Amazon S3, or Splunk HEC), make sure that your log destination accepts inbound connections from the Imperva IP addresses. For details, see Imperva IP addresses.
For accounts with sub accounts: Logs for sub accounts can be activated from both the parent account and the sub accounts, as follows:
Accounts Log Levels page | In the parent account: Activate logs for sub accounts. Logs are collected for all sites in the selected sub accounts and retrieved according to the method configured in the Log Configuration page in the parent account.
Sites Log Levels page | In a sub account: Activate logs for any sites in the sub account. Logs are collected for all sites in the sub account and retrieved according to the method configured in the Log Configuration page in the sub account.
To configure log integration, follow these steps:
- Log in. Log into your my.imperva.com account and navigate to the Log Configuration page:
  - On the top menu bar, click Account > Account Management.
  - On the sidebar, click SIEM Logs > Log Configuration.
- Create a connection. In the Connections table, click Add connection.
  - Select the SIEM vendor and delivery method you want to use for receiving logs.
  - Configure the connection for your selected delivery method. For more details, see Configure the SIEM Log Integration.
- Select log types. Click Add log type and then select the Cloud WAF service. On the next screen, choose the options that you want for your Cloud WAF logs.
- Verify that the relevant Imperva SIEM package is receiving events.
Enable log encryption
Imperva uses two layers for encrypting the log events:
- Imperva encrypts the events using a symmetric key (AES-128).
- The symmetric key itself is encrypted asymmetrically using the 2048-bit RSA public key you provide during the public key configuration step.
To define Imperva log encryption:
- Generate a private key by using the command line:
  openssl genrsa -out Private.pem 2048
  - The private key is created with a .pem extension. Change it to the .key extension.
  - On the machine on which your SIEM application is installed, save the private key with the .key extension under the config/keys/1 directory. Restrict the file to the account that runs the decryption (for example, chmod 600); only the public key leaves this machine.
- Generate a public key by using the command line:
  openssl rsa -in Private.pem -outform PEM -pubout -out Public.pem
- Upload the public key to Imperva using one of the following options:
  - Cloud Security Console: In Log Setup, use the Upload Key button. For details, see Set up log integration.
  - API: Use the Upload Public Key API in the Traffic Statistics and Logs API.
Note:
- Each time you upload a public key, it is numbered sequentially, starting from 1. This number later appears in the Imperva log file header (publicKeyId) and tells you which private key decrypts the file. Always keep a copy of your old private keys: a historical log file encrypted under an earlier key can only be decrypted with that key.
- Each time you upload a new public key, store the matching private key in a new numbered directory on the machine that decrypts the logs, as follows:
  - config/keys/1
  - config/keys/2
  - config/keys/3
  - etc.
- Activate the log encryption feature using one of the following options:
  - Cloud Security Console: In Log Setup, under Encryption, upload a 2048-bit public key. For details, see Set up log integration.
  - API: Use the Change Log Collector Configuration Status API under Traffic Statistics and Logs API.
To decrypt the logs, you will need to:
- Use the private key to decrypt the symmetric key.
- Use the symmetric key to decrypt the events in the log file sent by Imperva.
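The two-layer scheme above, round-tripped offline as an added example in Python with the cryptography library. This is not Imperva's Connector or any Imperva code, and the sender side is simulated so the decryption can be exercised without a real log file. Everything the page does not specify is an assumption, marked as such in the code: RSA-OAEP for the key wrap, AES-128-CBC with PKCS7 padding and the IV prefixed to the body, and a minimal header of publicKeyId and key lines before the |==| marker. Verify those details against Log File Structure and the Connector before using this against real files. The config/keys/<n>/ layout follows the key numbering described above.

```python
"""Two-layer log decryption (added example, not Imperva code).

Assumed, because the page does not state them: RSA-OAEP(SHA-1) key wrap,
AES-128-CBC + PKCS7 with the 16-byte IV prefixed to the body, and a header of
publicKeyId:/key: lines ending at the |==| marker line."""
import base64
import os
import tempfile
from pathlib import Path

from cryptography.hazmat.primitives import hashes, padding, serialization
from cryptography.hazmat.primitives.asymmetric import padding as asym_padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

OAEP = asym_padding.OAEP(mgf=asym_padding.MGF1(hashes.SHA1()),
                         algorithm=hashes.SHA1(), label=None)
SEPARATOR = b"|==|\n"
# Constructed sample events (not real Imperva output)
EVENT_A = b"CEF:0|Incapsula|SIEMintegration|1|1|Normal|0|constructed event A"
EVENT_B = b"CEF:0|Incapsula|SIEMintegration|1|2|Major|5|constructed event B"


def create_key_version(keys_root: Path, key_id: int) -> bytes:
    """Same outcome as the page's openssl genrsa / rsa -pubout steps: the private
    half lands in config/keys/<key_id>/Private.key (owner-only permissions) and
    the returned public PEM is what you would upload to Imperva."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    key_dir = keys_root / str(key_id)
    key_dir.mkdir(parents=True, exist_ok=True)
    key_path = key_dir / "Private.key"
    key_path.write_bytes(priv.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.TraditionalOpenSSL,
        serialization.NoEncryption()))
    key_path.chmod(0o600)
    return priv.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)


def encrypt_log(public_pem: bytes, key_id: int, plaintext: bytes) -> bytes:
    """Simulated repository side: fresh AES-128 key per file, wrapped with the
    public key whose version number is written into the header."""
    pub = serialization.load_pem_public_key(public_pem)
    sym_key, iv = os.urandom(16), os.urandom(16)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(sym_key), modes.CBC(iv)).encryptor()
    body = iv + enc.update(padded) + enc.finalize()
    wrapped = base64.b64encode(pub.encrypt(sym_key, OAEP)).decode()
    header = f"publicKeyId:{key_id}\nkey:{wrapped}\n".encode()
    return header + SEPARATOR + body


def decrypt_log(keys_root: Path, raw: bytes) -> bytes:
    """Receiver side, the two steps listed in the text: unwrap the symmetric key
    with the private key selected by publicKeyId, then decrypt the body."""
    header, sep, body = raw.partition(SEPARATOR)
    if not sep:
        raise ValueError("missing |==| separator")
    fields = dict(line.split(":", 1) for line in header.decode().splitlines())
    key_path = keys_root / fields["publicKeyId"] / "Private.key"
    priv = serialization.load_pem_private_key(key_path.read_bytes(), password=None)
    sym_key = priv.decrypt(base64.b64decode(fields["key"]), OAEP)      # step 1
    iv, ciphertext = body[:16], body[16:]
    dec = Cipher(algorithms.AES(sym_key), modes.CBC(iv)).decryptor()  # step 2
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(dec.update(ciphertext) + dec.finalize()) + unpadder.finalize()


def rotation_demo() -> dict:
    """Upload key 1, receive a file, then upload key 2: the older file still
    needs key 1, so both versions stay under config/keys/. Also shows that a
    header pointing at the wrong key version fails cleanly (OAEP rejects it)."""
    with tempfile.TemporaryDirectory() as tmp:
        keys_root = Path(tmp) / "config" / "keys"
        pub1 = create_key_version(keys_root, 1)
        old_file = encrypt_log(pub1, 1, EVENT_A)
        pub2 = create_key_version(keys_root, 2)
        new_file = encrypt_log(pub2, 2, EVENT_B)
        wrong = new_file.replace(b"publicKeyId:2", b"publicKeyId:1", 1)
        try:
            decrypt_log(keys_root, wrong)
            wrong_key_rejected = False
        except ValueError:
            wrong_key_rejected = True
        return {"old": decrypt_log(keys_root, old_file),
                "new": decrypt_log(keys_root, new_file),
                "wrong_key_rejected": wrong_key_rejected}
```

rotation_demo() returns both decrypted events and confirms that using the wrong key version raises rather than yielding garbage; in a real downloader, treat that error as "missing key version" and stop, instead of deleting the file.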
Download the logs
If you choose to manage your logs using the Imperva log integration API, you need to download the logs after they are generated. A sample Python script for implementing the API, referred to as the Connector, as well as installation and configuration instructions, are available in GitHub. The script is managed by the open source community.
Downloading Imperva Logs - Process overview
This section provides an overview of the process you need to follow to download Imperva logs.
The logs.index file lists the log files currently available in the Imperva log repository.
Access to the logs is authenticated with HTTP Basic authentication using your API ID and API Key: the string api_id:api_key, base64-encoded, is sent in the HTTP Authorization header, as the cURL example below shows. Base64 is an encoding, not encryption, so only send this header over the HTTPS Log Server URI and treat the API Key as a secret.
- Download the Imperva logs.index file:
  - In the Imperva Cloud Security Console, in the SIEM Logs > Log Configuration page, under the Connection used for your Cloud WAF logs, locate the Log Server URI.
  - To access the logs.index file, use a cURL command in the following format:
    curl -L '<Log_Server_URI>/logs.index' -H 'Authorization: Basic <BASE64(api_id:api_key)>'
    For example:
    curl -L 'https://logs1.incapsula.com/1234_12345/logs.index' -H 'Authorization: Basic MTIzNDU6IDc4Y2MwMjU5LTBhYmMtNTY3OC0xMjM0LTExMjM5M2JhNjA0ZiA='
- Send an HTTPS call for each file listed in the index file that you want to download. As new log files are generated, they are numbered sequentially, but may occasionally skip integers, so do not assume the next file is always the previous number plus one; work from the index.
- If using encryption, decrypt the files to read the contents, as follows:
  - Decrypt the key value with the appropriate private key, according to the publicKeyId value. For details, see Log File Structure.
  - Use the decrypted symmetric key to decrypt the log content.
- Decompress the files. Each log file consists of a text header, a separator line containing |==|, and the zlib-compressed log content.
  This example shows how to decompress a log file using Linux bash commands (zlib-flate is provided by the qpdf package):
  # Split at the |==| line: 123_345.log.00 holds the header, 123_345.log.01 the marker line plus the compressed content
  csplit -sz 123_345.log -f 123_345.log. /\|\=\=\|/
  # Remove the marker line from the content piece
  sed -i '/|==|/d' 123_345.log.01
  # Write the header, then append the inflated content
  cat 123_345.log.00 > 123_345.log.decompressed
  zlib-flate -uncompress < 123_345.log.01 >> 123_345.log.decompressed
  # Clean up the temporary pieces
  rm 123_345.log.0*
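One pass of the pull-mode loop described above, as an added example in Python using only the standard library; it is not Imperva's Connector script. It assumes index entries are bare file names in the 123_345.log form used in the example above, that encryption is disabled (so files are header + |==| + zlib body), and a constructed minimal header. The repository, index and log lines are constructed; in a real run the fetch callable is an HTTPS GET of <Log_Server_URI>/<name> carrying the Authorization header built here, and last_seq is persisted between runs.

```python
"""Pull-mode sync for unencrypted Imperva log files (added example, stdlib only).
Repository contents, index and events below are constructed, not real data."""
import base64
import re
import zlib

SEPARATOR = b"|==|\n"


def basic_auth_header(api_id: str, api_key: str) -> str:
    """Value for the Authorization header: Basic base64(api_id:api_key)."""
    token = base64.b64encode(f"{api_id}:{api_key}".encode()).decode()
    return f"Basic {token}"


def sequence_of(name: str) -> int:
    """Sequence number of a file named like 123_345.log (assumed layout: the
    number after the underscore is the per-account sequence)."""
    match = re.search(r"_(\d+)\.log$", name)
    if not match:
        raise ValueError(f"unexpected log file name: {name}")
    return int(match.group(1))


def select_new_files(index_text: str, last_seq: int) -> list[str]:
    """The index always lists every file the repository still holds, and
    sequence numbers may skip integers, so filter numerically on what was
    already fetched instead of probing last_seq + 1."""
    names = [line.strip() for line in index_text.splitlines() if line.strip()]
    return sorted((n for n in names if sequence_of(n) > last_seq), key=sequence_of)


def parse_log_file(raw: bytes) -> tuple[dict, bytes]:
    """Split the text header from the zlib body at the |==| line and inflate
    the body: the same job as the csplit/zlib-flate commands above."""
    header, sep, body = raw.partition(SEPARATOR)
    if not sep:
        raise ValueError("missing |==| separator")
    fields = {}
    for line in header.decode("utf-8").splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields, zlib.decompress(body)


def sync(fetch, index_text: str, last_seq: int):
    """Fetch everything newer than last_seq. fetch(name) returns the file bytes,
    or None when the file was rotated out of the 48 h / 500 MB window between
    reading the index and downloading it (an HTTP error in the real API)."""
    events, missing = [], []
    for name in select_new_files(index_text, last_seq):
        raw = fetch(name)
        if raw is None:
            missing.append(name)          # report the gap rather than retrying forever
        else:
            _, text = parse_log_file(raw)
            events.extend(text.decode("utf-8").splitlines())
        last_seq = sequence_of(name)      # persist this value between runs
    return events, missing, last_seq


def _make_file(lines: list[str]) -> bytes:
    header = b"format:CEF\n"              # constructed minimal header
    return header + SEPARATOR + zlib.compress("\n".join(lines).encode("utf-8"))


# Constructed repository: 346 is still listed but already rotated out, 347 was skipped.
CONSTRUCTED_REPO = {
    "123_345.log": _make_file(["CEF:0|Incapsula|SIEMintegration|1|1|Normal|0|siteid=12345 act=REQ_PASSED"]),
    "123_346.log": None,
    "123_348.log": _make_file(["CEF:0|Incapsula|SIEMintegration|1|2|Major|5|siteid=12345 act=REQ_BLOCKED"]),
}
CONSTRUCTED_INDEX = "123_345.log\n123_346.log\n123_348.log\n"


def demo():
    """Resume from sequence 344 against the constructed repository."""
    return sync(CONSTRUCTED_REPO.get, CONSTRUCTED_INDEX, last_seq=344)
```

demo() returns the two recovered event lines, the one file that was listed but gone, and 348 as the new high-water mark; a production loop would also verify the header checksum described in Log File Structure before trusting the body.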
Switch integration modes
You can switch between the retrieve (pull) and receive (push) modes of log integration. If you switch from the Imperva API pull mode to SFTP or Amazon S3 push mode, Imperva continues upload attempts for 90 minutes, after which log files will be lost without the option of retrieval. After 30 minutes, a warning email is sent to your account, according to the e-mail settings defined in Account Settings. If Imperva fails to push the logs to SFTP or Amazon S3 within 90 minutes, another email notification is sent to indicate that action is required.