Downloading Events Data¶
This topic describes how to download events (logged and blocked events) data for the last five days. One or more CSV files containing the event data of the current day will be generated at the beginning of the next day.
Prerequisites¶
The website to be protected has been added to WAF.
An event file has been generated.
Specification Limitations¶
Each file can include a maximum of 5,000 events. If there are more than 5,000 events, another file is generated.
Only event data for the last five days can be downloaded through the WAF console.
Procedure¶
Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
Click in the upper left corner and choose Web Application Firewall under Security.
In the navigation pane on the left, choose Events.
Click the Download Events tab and download the desired protection data. Table 1 describes the parameters.
¶ Parameter
Description
File Name
The format is file-name.csv.
Number of Events
Total number of blocked and logged events
Note
The maximum number of events in a file is 10,000. If there are more than 10,000 events, another file is generated.
In the Operation column, click Download to download data to the local PC.
Fields in a Protection Event Data File¶
Field | Description | Example Value |
---|---|---|
action | Protective action taken in response to the event | block |
attack | Attack type | SQL Injection |
body | Request content of the attack | N/A |
cookie | Cookie of the attacker | N/A |
headers | Header of the attacker | N/A |
host | Domain name or IP address of the protected website | www.example.com |
id | ID of the event. | 02-11-16-20201121060347-feb42002 |
payload | The part of the attack that causes damage to the protected website | python-requests/2.20.1 |
payload_location | The location of the attack that causes damage or the number of times that the URL is accessed by the attacker | user-agent |
policyid | Policy ID. | d5580c8f6cd4403ebbf85892d4bbb8e4 |
request_line | Request line of the attack | GET / |
rule | ID of the rule against which the event is generated. | 81066 |
sip | Public IP address of the web visitor/attacker | N/A |
time | When the event occurred. | 2020/11/21 0:20:44 |
url | URL of the protected domain name | N/A |