schema:Juniper.Accessdescription:Juniper.Access logs for all traffic coming to and from the box.referenceURL:https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-access-log.htmlfields: - name:timestamprequired:truedescription:Log entry timestamptype:timestamptimeFormats: - '%b %d %H:%M:%S'isEventTime:true - name:hostnamedescription:The hostname of the appliancetype:stringindicators: - hostname - name:log_leveldescription:The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR.type:string - name:threaddescription:The specific thread that is handling the request or response.type:string - name:unique_request_keydescription:The key used to uniquely identify requests.type:string - name:typedescription:Whether the HTTP packet is a client request, or a server response (REQUEST,RESPONSE).type:string - name:stagedescription:Whether the HTTP packet is being logged before or after Security Engine processes it (and potentially manipulates it).type:string - name:proxy_client_ipdescription:The incoming client IP. Since WebApp Secure works around a Nginx proxy, the client IP will most-likely be '127.0.0.1'.type:stringindicators: - ip - name:urldescription:The full request or response URL.type:stringindicators: - domain
Juniper.Audit
The audit log contains log entries that indicate non-idempotent (state changing) actions performed on WebApp Secure.
schema:Juniper.Auditdescription:Juniper.Audit The audit log contains log entries that indicate non-idempotent (state changing) actions performed on WebApp Secure.referenceURL:https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-incident-log-format.htmlfields: - name:timestamprequired:truedescription:Log entry timestamptype:timestamptimeFormats: - '%b %d %H:%M:%S'isEventTime:true - name:hostnamedescription:The hostname of the appliancetype:stringindicators: - hostname - name:log_leveldescription:The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR.type:string - name:messagedescription:The message. Can indicate any of the previously mentioned actions.type:string - name:api_keydescription:The key used to perform the action described in the message.type:string - name:login_ipdescription:The IP address the user performed logged in fromtype:stringindicators: - ip - name:usernamedescription:The user that performed the logintype:stringindicators: - username
Juniper.Firewall
Juniper.Firewall stores information about dropped packets from the iptables firewall.
schema:Juniper.Firewalldescription:Juniper.Firewall stores information about dropped packets from the iptables firewall.referenceURL:https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-incident-log-format.htmlfields: - name:timestamprequired:truedescription:Log timestamptype:timestamptimeFormats: - '%b %d %H:%M:%S'isEventTime:true - name:hostnamedescription:Hostnametype:stringindicators: - hostname - name:eventdescription:Event nametype:string - name:DSTdescription:Destination IP addresstype:stringindicators: - ip - name:DPTdescription:Destination porttype:int - name:SRCdescription:Source IP addresstype:stringindicators: - ip - name:SPTdescription:Source porttype:int - name:TTLdescription:IP TTL in millisecondstype:bigint - name:IDdescription:Packet idtype:bigint - name:MACdescription:MAC addresstype:stringindicators: - mac - name:LENdescription:Packet lengthtype:int - name:TOSdescription:Packet Type of Service fieldtype:string - name:PRECdescription:Packet precedence bitstype:string - name:RESdescription:Reserved bitstype:string - name:RSTdescription:Packet is RSTtype:boolean - name:SYNdescription:Packet is SYNtype:boolean - name:DFdescription:Packet has do not fragment flagtype:boolean - name:INdescription:Input interfacetype:string - name:OUTdescription:Output interfacetype:string - name:PROTOdescription:Protocoltype:string - name:WINDOWdescription:Transmit windowtype:int
Juniper.MWS
Juniper.MWS is the main log file for most WebApp Secure logging needs. All messages that don't have a specific log location are sent, by default, to mws.log.
schema:Juniper.MWSdescription:Juniper.MWS is the main log file for most WebApp Secure logging needs. All messages that don't have a specific log location are sent, by default, to mws.log.referenceURL:https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-mws-log.htmlfields: - name:timestampdescription:The date of the log entry, in UTC.type:timestamptimeFormats: - '%b %d %H:%M:%S'isEventTime:true - name:hostnamedescription:The appliance hostname.type:stringindicators: - hostname - name:log_leveldescription:The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR.type:string - name:service_namedescription:The WebApp Secure service that generated the log entry.type:string - name:service_componentdescription:The specific component that is issuing the log message.type:string - name:log_messagedescription:The message. This can be anything, but usually contains information to help you narrow down problems or confirm certain events have occurred as they should.type:string
Juniper.Postgres
Juniper.Postgres contains logs of manipulations on the schema of the database that WebApp Secure uses, as well as any errors that occurred during database operations.
schema:Juniper.Postgresdescription:Juniper.Postgres contains logs of manipulations on the schema of the database that WebApp Secure uses, as well as any errors that occurred during database operations.referenceURL:https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-postgres-log.htmlfields: - name:timestamprequired:truedescription:Log entry timestamptype:timestamptimeFormats: - '%b %d %H:%M:%S'isEventTime:true - name:hostnamedescription:The hostname of the machinetype:string - name:piddescription:The process ID of the postgres instance.type:int - name:group_id_majordescription:Group id major numbertype:int - name:group_id_minordescription:Group id minor numbertype:int - name:sql_error_codedescription:The SQL error code.type:string - name:session_iddescription:A somewhat unique session identifier that can be used to search for specific lines in the log.type:stringindicators: - trace_id - name:message_typedescription:The type of the message. Can be LOG, WARNING, ERROR, or STATEMENT.type:string - name:messagedescription:The message.type:string
Juniper.Security
Juniper.Security Webapp Secure is configured to log security incidents to mws-security.log. All security alerts should be sent to security.log (previously named security-alert.log). There are different types of security incidents that will be a part of this log: new profiles, security incidents, new counter responses.
schema:Juniper.Securitydescription:|- Juniper.Security Webapp Secure is configured to log security incidents to mws-security.log. All security alerts should be sent to security.log (previously named security-alert.log). There are different types of security incidents that will be a part of this log: new profiles, security incidents, new counter responses.referenceURL:https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-log-format.htmlfields: - name:timestamprequired:truedescription:Log entry timestamptype:timestamptimeFormats: - '%b %d %H:%M:%S'isEventTime:true - name:hostnamedescription:The hostname of the appliancetype:stringindicators: - hostname - name:log_leveldescription:The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR.type:string - name:servicedescription:The WebApp Secure service that triggered the security log entry.type:string - name:categorydescription:Log entry categorytype:string - name:profile_iddescription:The numerical ID assigned to the Profile that caused the security alert, or the profile ID that received a Response.type:string - name:profile_namedescription:The friendly name assigned to the Profile that caused the security alert, or the Profile that received a Response.type:string - name:pubkeydescription:The Public ID that can be used in conjunction with the Support_Processor to unblock Profiles.type:string - name:incidentdescription:The name of the incident that triggered this security alert.type:string - name:severitydescription:The numerical severity of the incident that triggered this security alert. This can be a number from 0 to 4, inclusive.type:smallint - name:source_ipdescription:The IP the request that generated this alert originated from.type:stringindicators: - ip - name:user_agentdescription:The client's user agent string that generated this alert.type:string - name:urldescription:The request URL that generated this alert.type:stringindicators: - url - name:countdescription:The number of times the profile triggered this incident. This is used for certain incidents to decide whether or not to elevate the profile or increase the responses on the profile.type:int - name:fake_responsedescription:Whether or not (true or false) the response sent back to the client was a fake one created by WebApp Secure.type:boolean - name:response_codedescription:The numerical code for the response issued.type:string - name:response_namedescription:The friendly name for the response issued on the profile indicated in the alert.type:string - name:created_datedescription:The date and time the response was created.type:timestamptimeFormats: - '%Y-%m-%d %H:%M:%S.%f' - name:delay_datedescription:The date and time the response is set to be delayed until.type:timestamptimeFormats: - '%Y-%m-%d %H:%M:%S.%f' - name:expiration_datedescription:The date and time the response is set to expire.type:timestamptimeFormats: - '%Y-%m-%d %H:%M:%S.%f' - name:response_configdescription:The configuration used in this response. Displayed as an XML-like node.type:string - name:silent_runningdescription:Whether or not this Counter Response was set to be silent with the Silent Running service at the time of activation.type:boolean