The logs provide information about the requests and responses that the application firewall has observed while protecting your web sites and applications. Most importantly, it logs each connection that matches a signature or a security check. You can examine the logs to determine which connections are matching a signature or security check. You can then use this information, along with your own knowledge about your protected web sites and applications, to determine whether the connections that each signature or check is matching are legitimate traffic (that is, whether the matches are false positives). If they are, you can either remove the signature or check from your configuration, or take appropriate measures to mitigate the false positives before you enable blocking for that signature or security check.
Each log contains the following fields:
• Timestamp. The date and time when the connection occurred.
• Severity. The severity level of the log.
• Module. The NetScaler module that generated the log entry.
• Event Type. The type of event, such as signature violation or security check violation.
• Event ID. The ID assigned to the event.
• Client IP. The IP address of the user whose connection was logged.
• Transaction ID. The ID assigned to the transaction that caused the log.
• Session ID. The ID assigned to the user session that caused the log.
• Message. The log message. Contains information identifying the signature or security check that triggered the log entry.
You can search on any of these fields, or any combination of information from different fields, to select logs to display, limited only by the capabilities of the tools you use to view the logs. You can observe the signatures by using the application firewall wizard to access the NetScaler syslog viewer, or manually by logging onto the NetScaler appliance or VPX virtual appliance.
• Viewing by using the syslog viewer. You invoke the syslog viewer from one of two locations: the Select Signature Actions page or the Select Advanced Actions page in the application firewall wizard. To invoke the syslog viewer for a signature, in the Select Signature Actions pane click the logs link to the right of that signature. To invoke the syslog viewer for a security check, in the Select Advanced Actions page, security checks list, select that security check, and then beneath the list click the Logs button. Either procedure causes the configuration utility to download the current ns.log file and then display the entries that are relevant to that signature or security check.
The syslog viewer contains the following elements:
• Module list box. The NetScaler module whose logs you want to view. Always set to APPFW for application firewall logs.
• Event Type list box. The type of event. For signatures, this is always APPFW_SIGNATURE_MATCH. For security checks, this is the specific security check that you selected.
• Severity. Lets you specify only logs of a specific severity level. Leave blank to see all logs.
• Find Now button. Searches the ns.log file, using the current criteria, and displays the logs that match.
• Clear button. Resets your settings to the defaults.
• Logs display window. Displays the logs that meet the current criteria. Log information is displayed in several columns that correspond to the log information fields listed above. You can sort the display by clicking a column heading.
• Log directory. The directory where the logs are stored. If you have archived logs stored in a different directory and want to view those, you can click Browse and browse to that directory to display those logs in the Log files list.
• Log files list. A list of the log files in the Log directory. To download and uncompress an archived log file, select the file, and then click Download. To refresh the display, click Refresh.
• Search in list box. Searches in a particular section of logs when selecting logs to display in the Logs display window. To search something other than the log message, select a different choice.
• Search string. Search for the specified string or regular expression to choose the logs to display in the Logs display window. This field is filled out for you by the application firewall wizard with the appropriate value to display the logs relevant to the signature or security check that you selected. You can modify the string to choose logs based on different criteria.
• Case Sensitive check box. Select if the Search string is case sensitive.
• Regular Expression check box. Select if the Search string is a regular expression.
• Clear button. Resets the syslog viewer to its default settings.
• Go button. Uses the new search criteria to search the ns.log file and displays the results in the Logs display window.
For more information about the application firewall wizard, see The Application Firewall Wizard on page 26.
• Viewing from the command line. Log onto the application firewall appliance, and then type the following command at the NetScaler command prompt:
shell
After the Unix shell is displayed, type the following command to navigate to the directory where the logs are stored:
You can use the vi editor, or any Unix tool of your choice that you have installed on the application firewall appliance, to view the logs and filter the logs for specific entries.
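As an added example (not from this guide), the following POSIX shell script shows the kind of filtering the command-line procedure describes, using only standard Unix tools: it counts matches per client IP and per message for one event type. The log lines are constructed and follow the field order listed above; the exact column layout, the event name APPFW_STARTURL, and the message texts are assumptions, not real appliance output.

```shell
#!/bin/sh
# Constructed ns.log-style APPFW entries (not real appliance output). Columns are
# modeled on the fields listed above: timestamp (3 words), severity, module,
# event type, event ID, client IP, transaction ID, session ID, message.
SAMPLE_LOG="${TMPDIR:-/tmp}/appfw_sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
Mar 03 10:15:01 INFO APPFW APPFW_SIGNATURE_MATCH 1001 192.0.2.10 tx-5001 sess-77 Signature violation rule ID 1234: SQL keyword in query string
Mar 03 10:15:02 INFO APPFW APPFW_SIGNATURE_MATCH 1002 192.0.2.10 tx-5002 sess-77 Signature violation rule ID 1234: SQL keyword in query string
Mar 03 10:15:03 INFO APPFW APPFW_STARTURL 1003 198.51.100.7 tx-5003 sess-91 Disallowed URL /admin/backup.php
Mar 03 10:15:04 INFO APPFW APPFW_SIGNATURE_MATCH 1004 203.0.113.5 tx-5004 sess-12 Signature violation rule ID 1234: SQL keyword in query string
Mar 03 10:15:05 INFO APPFW APPFW_SIGNATURE_MATCH 1005 192.0.2.10 tx-5005 sess-77 Signature violation rule ID 1250: Script tag in form field
EOF

# count_by_client LOGFILE EVENT_TYPE
# Prints "count client_ip", most frequent first, for APPFW entries of one event
# type. Field 5 is the module, field 6 the event type, field 8 the client IP.
count_by_client() {
  awk -v et="$2" '$5 == "APPFW" && $6 == et { print $8 }' "$1" \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# count_by_message LOGFILE EVENT_TYPE
# Prints "count message" so you can see which rule or check fires most often,
# which is the starting point for deciding whether a match is a false positive.
# The message is everything from field 11 onward.
count_by_message() {
  awk -v et="$2" '$5 == "APPFW" && $6 == et {
      msg = ""
      for (i = 11; i <= NF; i++) msg = msg (i > 11 ? " " : "") $i
      print msg
    }' "$1" | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Point these at the ns.log file on the appliance instead of the sample file.
count_by_client "$SAMPLE_LOG" APPFW_SIGNATURE_MATCH
count_by_message "$SAMPLE_LOG" APPFW_SIGNATURE_MATCH
```

A client that trips the same signature on every request is the usual sign of a legitimate application feature colliding with a rule, and is worth checking before blocking is enabled.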