F5 WAF Log Enablement And Extraction Guide

Enable Logging

1. Enable security logging in the relevant `http`, `server`, or `location` context with `app_protect_security_log_enable on;`.
2. Configure the `app_protect_security_log` directive with a built-in or custom logging profile such as `log_all` or `log_blocked`.
3. Choose a destination supported by F5 WAF for NGINX, such as syslog, an absolute file path, or `stderr` for containerized collection.

Extract or Export the Logs

4. If the destination is a local file, copy the resulting JSON or log file from the mounted path into the aiFObserve workspace.
5. If the destination is syslog, capture the feed on your log collector and save the raw export into the workspace.
6. If the destination is `stderr` in a containerized deployment, retrieve the logs from the `waf-enforcer` container or Kubernetes deployment logs.

Important Fields to Preserve

• support/request ID
• action
• violations or security event fields
• client IP
• host
• URI
• timestamp
• user agent