
ASM Violations Events

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| ASM Violations Events | Base Rule | Security Violation | Other Security |
| Illegal Parameter | Sub Rule | Bad Parameter | Information |
| Illegal Meta Character In Header | Sub Rule | Illegal Characters | Error |
| Data Guard: Information Leakage Detected | Sub Rule | Data Leak Detected | Warning |
| Illegal Url Length | Sub Rule | Url Too Long | Warning |
| Illegal URL | Sub Rule | Illegal URL | Error |
| Illegal Post Data Length | Sub Rule | Wrong Message Length | Error |
| Illegal Request Length | Sub Rule | Wrong Message Length | Error |
| Illegal Host Name | Sub Rule | Hostname Not Found | Warning |
| Illegal File Type | Sub Rule | Hostname Not Found | Warning |
| Successful Request | Sub Rule | Request Approved | Other Audit Success |
| Automated Client Access | Sub Rule | Object Access | Access Success |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | CEF:Version |
| N/A | N/A | N/A | Device Vendor |
| N/A | <vmid> | Text/String | Device Product |
| N/A | N/A | N/A | Device Version |
| N/A | N/A | N/A | Device Event Class ID |
| N/A | <vendorinfor>, <tag1> | Text/String | Name |
| N/A | <severity> | Number | Severity. The severity level of the detected violation. |
| dvchost | <sname> | Text/String | unit_hostname: BIG-IP system FQDN. The host name of the BIG-IP ASM. This option is useful if multiple BIG-IP ASM systems within the network are logging to the same syslog server; available in BIG-IP 9.4.5 and later. |
| dvc | N/A | N/A | BIG-IP system management IP address |
| cs1 | <policy> | Text/String | The name of the BIG-IP ASM policy for which the violation was triggered; available in BIG-IP 9.4.5 and later. |
| cs1Label | N/A | N/A | policy_name - Name of the security policy reporting the violation |
| cs2 | <group> | Text/String | The http_class_name option returns the name of the HTTP policy name the security policy is attached to in BIG-IP 11.3.0 and later. In BIG-IP 11.1.0 through 11.2.1, this option provides the name of the http_class profile the security policy is attached to. |
| cs2Label | N/A | N/A | http_class_name |
| deviceCustomDate1 | N/A | N/A | The date the BIG-IP ASM policy was applied. This option is useful for tracking policy changes; available in BIG-IP 9.4.5 and later. |
| deviceCustomDate1Label | N/A | N/A | policy_apply_date |
| externalId | N/A | N/A | Internally-generated integer to assist with client access support. The support ID is reported when a violation is triggered; available in BIG-IP 9.4.5 and later. |
| act | <action> | Text/String | The status of the client request made to the web application, as assigned by the BIG-IP ASM. Possible values: blocked - the request was blocked due to a violation encountered, and a blocking response page was returned to the client; alerted - the request contains violations but was not blocked (typical in cases where the enforcement mode is set to transparent); passed - a successful request with no violations. This option replaces the request_blocked option, available in BIG-IP 10.0.0 and later. |
| cn1 | <responsecode> | Number | The HTTP response code returned by the back-end server (application). This information is only relevant for requests that are not blocked. |
| cn1Label | N/A | N/A | response_code |
| src | <sip> | IP Address | Client source IP address. Source IP of the client originating the request (Note: if a proxy is being used, this may differ from the IP in the X-forwarded-for header). Available in BIG-IP 10.2.0 and later. |
| spt | <sport> | Number | Client protocol source port. The source port of the client. Available in BIG-IP 10.1.0 and later. |
| dst | <dip> | IP Address | Requested service IP address. IP address of the virtual server. Available in BIG-IP 10.1.0 and later. |
| dpt | <dport> | Number | Requested service listening port number. The port used on the BIG-IP ASM local virtual server. Available in BIG-IP 10.1.0 and later. |
| requestMethod | <command> | Text/String | HTTP method requested by client. The method of request. For example, GET, POST, HEAD. |
| app | <protname> | Text/String | The protocol used, HTTP or HTTPS if terminating SSL on the BIG-IP ASM. |
| cs5 | N/A | N/A | X-Forwarding header information. This option is commonly used when proxies are involved to track the originator of the request; available in BIG-IP 9.4.5 and later. |
| cs5Label | N/A | N/A | x_forwarded_for_header_value: Value of the XFF HTTP header |
| rt | N/A | N/A | Current date and time in the format: MMM DD YYYY HH:MM:SS |
| deviceExternalId | N/A | N/A | N/A |
| cs4 | <threatname> | Text/String | Name of identified attack. List of comma separated names of suspected attacks identified in a transaction. Available in BIG-IP 10.1.0 and later. |
| cs4Label | N/A | N/A | attack_type |
| cs6 | N/A | N/A | Country/city location information. A string indicating the geographic location from which the request originated. Available in BIG-IP 10.1.0 and later. |
| cs6Label | N/A | N/A | geo_location |
| c6a1 | N/A | N/A | N/A |
| c6a1Label | N/A | N/A | device_address |
| c6a2 | N/A | N/A | N/A |
| c6a2Label | N/A | N/A | source_address |
| c6a3 | N/A | N/A | N/A |
| c6a3Label | N/A | N/A | destination_address |
| c6a4 | N/A | N/A | List of IP intelligence categories found for an IP address. Logs the IP Intelligence information for the requesting client's IP Address. Requires an active IPI subscription for meaningful results. Available in BIG-IP 11.2.0 through 11.2.1 as ip_reputation. In BIG-IP 11.3.0 and later, it is renamed as ip_address_intelligence. |
| c6a4Label | N/A | N/A | ip_address_intelligence |
| msg | <subject> | Text/String | N/A |
| suid | N/A | N/A | N/A |
| suser | N/A | N/A | Displays the username that sent the request, if a username is associated with the session. Displays N/A if the username is not available to the system. Available in BIG-IP 11.1.0 and later. |
| cn2 | <threatid> | Number | Returns the Severity Rating for any violations logged. Available in BIG-IP 11.6.0 and later. |
| cn2Label | N/A | N/A | violation_rating |
| cn3 | N/A | N/A | The device identification number of the device that made the request. Available in BIG-IP 12.1.0 and later. |
| cn3Label | N/A | N/A | device_id |
| threatCampaignNames | N/A | N/A | Threat campaign names of the matched threat campaigns. |
| stagedThreatCampaignNames | N/A | N/A | Threat campaign name of the matched staged threat campaign. |
| microservice | N/A | N/A | The configured microservice that was matched (uri + port). |
| Ipv4AddressIntelligence | N/A | N/A | Logs the IP Intelligence information for the requesting client's IP Address. Requires an active IPI subscription for meaningful results. Available in BIG-IP 11.2.0 through 11.2.1 as ip_reputation. In BIG-IP 11.3.0 and later, it is renamed as ip_address_intelligence. |
| IpIntelligenceCategory | N/A | N/A | N/A |
| request | N/A | N/A | The entire request including headers, query string, and data. When this option is selected, the headers option is removed from this list as it is automatically included. |
| cs3Label | N/A | N/A | full_request |
| cs3 | N/A | N/A | N/A |
| cn4 | N/A | N/A | Number of violations |
| cn4Label | N/A | N/A | violation_counter |
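
As an added example (not LogRhythm's or F5's code), the following Python sketch applies the mapping table above to a single CEF record: it splits the seven header fields, parses the space-separated extension, and keeps only the keys the table maps to a LogRhythm schema tag. The sample record, host name and addresses are constructed, and the function names are assumptions made for this illustration.

```python
import re

# CEF header fields, in the order the mapping table lists them.
HEADER = ["CEF:Version", "Device Vendor", "Device Product", "Device Version",
          "Device Event Class ID", "Name", "Severity"]

# Device key -> LogRhythm schema tag(s), copied from the table. Keys the table
# maps to N/A (dvc, rt, request, the *Label keys, ...) are intentionally absent.
SCHEMA = {
    "Device Product": ("vmid",), "Name": ("vendorinfor", "tag1"),
    "Severity": ("severity",), "dvchost": ("sname",), "cs1": ("policy",),
    "cs2": ("group",), "act": ("action",), "cn1": ("responsecode",),
    "src": ("sip",), "spt": ("sport",), "dst": ("dip",), "dpt": ("dport",),
    "requestMethod": ("command",), "app": ("protname",),
    "cs4": ("threatname",), "msg": ("subject",), "cn2": ("threatid",),
}
NUMERIC = {"severity", "responsecode", "sport", "dport", "threatid"}  # "Number" rows
KEY = re.compile(r"(?:^|(?<=\s))(\w+)=")  # a key starts the string or follows whitespace

def parse_extension(ext):
    """Split a CEF extension into key/value pairs; values may contain spaces."""
    out, hits = {}, list(KEY.finditer(ext))
    for m, nxt in zip(hits, hits[1:] + [None]):
        raw = ext[m.end(): nxt.start() if nxt else len(ext)].strip()
        # CEF escapes '=' and '\' inside values; undo both in a single pass.
        out[m.group(1)] = re.sub(r"\\([=\\])", r"\1", raw)
    return out

def to_logrhythm(line):
    """Map one BIG-IP ASM CEF record to LogRhythm schema tags."""
    # Skip any syslog prefix; str.index raises ValueError when "CEF:" is absent.
    parts = re.split(r"(?<!\\)\|", line[line.index("CEF:"):], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    fields = dict(zip(HEADER, (p.replace("\\|", "|") for p in parts[:7])))
    fields.update(parse_extension(parts[7] if len(parts) > 7 else ""))
    event = {}
    for key, tags in SCHEMA.items():
        if key in fields:
            for tag in tags:
                value = fields[key]
                event[tag] = int(value) if tag in NUMERIC and value.isdigit() else value
    return event

# Constructed sample record (not captured from a real device).
SAMPLE = (r"<134>Jan 10 12:00:00 waf01.example.com ASM:CEF:0|F5|ASM|12.1.0|Illegal URL|Illegal URL|5|"
          r"dvchost=waf01.example.com cs1=/Common/shop act=blocked cn1=0 src=198.51.100.7 spt=51514 "
          r"dst=203.0.113.20 dpt=443 cs4=Forceful Browsing,Abuse of Functionality cs4Label=attack_type "
          r"cn2=3 request=GET /admin?next\=/home HTTP/1.1")
```

Calling `to_logrhythm(SAMPLE)` returns a dictionary keyed by schema tag; `cs4Label` and `request` are dropped because the table maps them to N/A.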
