aiFObserve

Generic WAF Log Enablement And Extraction Guide

Important Note

The generic profile is best used when you can supply structured exports with predictable field names. It is also a good staging option before creating a more opinionated vendor-specific preprocessor.

Enable Logging

  1. Enable request, policy, or security-event logging on the WAF so both allowed and blocked application traffic can be exported.
  2. Choose a structured export path whenever possible: JSON, JSONL, CEF, syslog key-value, or CSV.
  3. If the WAF can export only text syslog, preserve the original message format because the aiFObserve generic converter can parse key-value and CEF-style logs.

Extract or Export the Logs

  1. Export the WAF logs to a file, bucket, syslog collector, or SIEM destination.
  2. Save a representative raw file into the aiFObserve workspace and test the generic converter against it.
  3. If field names do not map cleanly on the first pass, adjust your WAF export format so common aliases are present, or preprocess the logs into a normalized CSV/JSON file.
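One way to do the preprocessing in step 3, as an added example that is not part of aiFObserve: it parses CEF and key-value syslog lines, maps common aliases onto one set of field names, and reports which fields did not map. The canonical names, the alias lists, and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed canonical names and aliases (not from the aiFObserve docs);
# replace them with the field names your profile expects.
ALIASES = {
    "timestamp": ("timestamp", "time", "rt"),
    "src_ip": ("src_ip", "src", "clientip", "c-ip"),
    "method": ("method", "requestMethod"),
    "uri": ("uri", "request", "url"),
    "status": ("status", "sc-status"),
    "action": ("action", "act", "disposition"),
}
CEF_HEADER = "version vendor product device_version signature_id name severity".split()
KV_RE = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')
# A CEF extension value may contain spaces; it ends at the next " key=".
CEF_EXT_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|\s*$)')

def parse_line(line):
    """Return a flat dict from one CEF or key=value log line."""
    idx = line.find("CEF:")
    if idx != -1:
        # Seven pipe-delimited header fields, then the extension.
        parts = re.split(r'(?<!\\)\|', line[idx + 4:], maxsplit=7)
        if len(parts) == 8:
            rec = dict(zip(CEF_HEADER, parts[:7]))
            rec.update(CEF_EXT_RE.findall(parts[7]))
            return rec
    pairs = KV_RE.findall(line)
    return {k: v[1:-1] if len(v) > 1 and v[0] == v[-1] == '"' else v
            for k, v in pairs}

def normalize(line):
    """Map aliases to canonical names and list canonical fields not found."""
    raw = parse_line(line)
    out = {}
    for canon, names in ALIASES.items():
        value = next((raw[n] for n in names if raw.get(n)), None)
        if value is not None:
            out[canon] = value
    missing = [c for c in ALIASES if c not in out]
    return out, missing

# Constructed sample lines, not taken from any real WAF.
SAMPLES = [
    "CEF:0|ExampleVendor|ExampleWAF|1.0|100|Rule match|5|"
    "src=203.0.113.7 requestMethod=GET request=/login?user=a act=blocked rt=1700000000000",
    '<134>May  1 12:00:00 waf01 clientip=198.51.100.23 method=POST '
    'url="/search?q=red shoes" status=200 disposition=allow',
]
```

A non-empty `missing` list on a representative file is the signal to adjust the WAF export format or extend the alias table before loading the data.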

Important Fields to Preserve