Log File Structure

This topic explains the Incapsula log file structure and provides compatibility information.

In this topic:

Overview

Incapsula log files aggregate the access events and security alerts detected by Incapsula while protecting your network.

A new aggregated log file is saved in the Incapsula Log Repository.

Log file content compatibility

Consider the following when integrating with other tools:

  • We reserve the right to add fields at any time.
  • We will not change a field's name, meaning, or content. If a change is required, we will add an additional field with a similar name for the new content, while continuing to maintain the old field for a reasonable period of time to enable you to update your implementations accordingly.
  • We highly recommend accessing specific fields in the message according to the field name, as opposed to accessing the field by its sequence number or position within the log message, as those may change over time.

Any changes made are communicated in the Release Notes.

Log file name

The format of each log file name is X_Y, where:

X: Specifies the API ID.

Y: Specifies a log sequence number starting from 1.

Log file structure

The log file is comprised of two parts – a header and log events:

Log File Header

The Log File Header contains metadata, as follows:

startTime The start time of the current log file.
endTime The end time of the current log file.
accountID Your Account ID.
Format The format of the events in the log file: CEF , LEEF or W3C (Example Logs).
Checksum An MD5 checksum that verifies that the entire file content has not been tampered with.
publicKeyId Public Key ID.
key The log content decryption key.
configID The configuration ID. Each account has a configuration ID.
W3C fields For W3C format, it is required to present the list of fields.

A string of equal signs |==| appears at the bottom of the log file header, which separates it from the log events described below.

Log Events

Each log file contains multiple log events detected by Incapsula while protecting your network throughout the world. Each event is a paragraph.

The log content is compressed and encrypted with a symmetric key, using an AES algorithm and then encrypted with the public key that you provide using an RSA algorithm.

Log fields

The following table describes the fields that are provided in each log entry for each access and security event. Security events contain all the fields provided for access events and more. The table indicates the name of the field in the CEF, LEEF, and W3C format.

Description CEF LEEF W3C Detailed Description
ID fileId fileId cs-sessionid The unique identification.
Main Client IP src src c-ip The main IP address used by the client.
Additional Client IPS caIP caIP s-caip Additional IP addresses used by the client.
User Agent requestClientApplication requestClientApplication cs(User-Agent) The UserAgent header value.
Request Start Time start start cs-start The time in which this visit started, in UTC. For example: [StartTime=2011/10/07 01:59:00 +0000]
URL request url cs-uri The URL of the request.
Ref ID tag tag s-tag Ref ID.
Country Code ccode calCountryOrRegion cs-countrycode The country code of the site visitor.
City cicode cicode cs-cicode The city code of the site visitor.
Protocol app proto cs-version The request protocol
Request ID deviceExternalId deviceExternalId s-externalid A unique identifier of the request that can be used to correlate with reports and data from Incapsula management console
Referrer ref ref cs(Referrer) The URL of the previous page that the client visited
Method requestMethod requestMethod cs-method The request method.
HTTP Status Code cn1 cn1 sc-status The HTTP response code returned to the client.
X-Forwarded-For xff xff s-xff The X-Forwarded. For request header.
Content Length in in cs-bytes The content length.
Account ID suid suid s-suid The numeric identifier of the account of the site owner.
Account Name Customer Customer s-accountname The account name of the site owner.
Site ID siteid siteid s-siteid The numeric identifier of the site.
Site Name sourceServiceName sourceServiceName s-computername The name of the site.
Request Result act cat sc-action

The method in which Incapsula processed the request:

  • REQ_PASSED: If the request was routed to the site's web server
  • REQ_CACHED_X: If a response was returned from the data center's cache
  • REQ_BAD_X: If a protocol or network error occurred
  • REQ_CHALLENGED_X: If a challenge was returned to the client
  • REQ_BLOCKED_X: If the request was blocked
Source Port cpt srcPort c-port The client port used to communicate the request.
Protocol version ver protoVer cs-provider The TLS version and encryption algorithms used in the request.
PoP name deviceFacility popName sr-pop The Incapsula PoP that handled the request.

For each request that has attack information the following is provided:

Description CEF LEEF W3C Detailed Description
Post Body postbody postbody cs-postbody The post body data of the request.
Server IP sip dst s-ip The IP address of the server.
Server Port spt dstPort s-port The port of the server.
Query String qstr qstr cs-uri-query The query string of the request.
Captcha Support cs1 cs1 s-capsupport Whether or not the client application supports Captcha.
JS Support cs2 cs2 cs-js-support Whether or not the client application supports JavaScript.
Cookies Support cs3 cs3 cs-co-support Whether or not the client application supports cookies.
Visitor ID cs4 cs4 cs-vid The ID of the visitor.
Debug cs5 cs5 cs-clappsig The Incapsula internal attack code.
Client App cs6 cs6 cs-clapp The client application software.
Latitude cs7 cs7 cs-lat The latitude of the event.
Longitude cs8 cs8 cs-long The longitude of the event.
Rule Name cs9 cs9 s-ruleName The threat rule name that this request triggered. For example, SQL Injection,  Blocked IP (ACL)...
Attack ID filePermission filePermission cs-attackid Incapsula attack id.
Attack Type fileType fileType cs-attacktype The type of attack.
Browser Type dproc dproc cs-browsertype The browser type.
Attack Severity This information is presented in the header, not as a separate field. N/A cs-severity

The rule type that was triggered, and the corresponding Incapsula internal rule ID number.

  • ACL: -1
  • SQL Injection: 0
  • Cross Site Scripting: 1
  • Illegal Resource Access: 3
  • Bot Access Control: 4
  • DDoS: 8
  • Backdoor Protect: 9
  • Remote File Inclusion: 10
  • Manual rule (IncapRule): 11

For each request that has delivery rules information the following is provided:

Description CEF LEEF W3C Detailed Description
Delivery Rule Details cs10 cs10 cs-rule JSON describing all actions that were applied to a specific request (detailed JSON structure below)

JSON structure for delivery actions:

Redirect { "rule_id": "<rule id>", "type": "AD_REDIRECT", "int_value": "<redirect code>", "name": "", "orig": "<original url>", "rewrite": "<redirect url>"}
URL Rewrite { "rule_id": "<rule id>", "type": "AD_URL_RW", "int_value": 0, "name": "", "orig": <original url>, "rewrite": <new url> }
Header Rewrite { "rule_id": "<rule id>", "type": "AD_HEADER_RW", "int_value": 0, "name": <header name>", "orig": <original value>", "rewrite": <new value>" }
Add Header { "rule_id": "<rule id>", "type": "AD_HEADER_RW", "int_value": 0, "name": <header name>", "orig": "", "rewrite": <new value>" }
Remove Header { "rule_id": "<rule id>", "type": "AD_HEADER_RW", "int_value": 0, "name": <header name>", "orig": "", "rewrite": "" }
Cookie Rewrite { "rule_id": "<rule id>", "type": "AD_COOKIE_RW", "int_value": 0, "name": <cookie name>", "orig": <original value>", "rewrite": <new value>" }
Add Cookie { "rule_id": "<rule id>", "type": "AD_COOKIE_RW", "int_value": 0, "name": <cookie name>", "orig": "", "rewrite": <cookie value>" }
Remove Cookie { "rule_id": "<rule id>", "type": "AD_COOKIE_RW", "int_value": 0, "name": <cookie name>", "orig": "", "rewrite": "" }
Forward to DC { "rule_id": "<rule id>", "type": "AD_FORWARD_TO_DC", "int_value": <dc id>, "name": "", "orig": "", "rewrite": "" }

Read More