Imperva WAF Log Enablement And Extraction Guide

Important Note

Imperva documentation access and exact UI flows vary by product line and account permissions. Use your product-specific Imperva guide to confirm the exact menu path, but keep the exported output in a structured format that preserves security event context.

Enable Logging

1. Confirm whether your deployment is Imperva Cloud WAF or an Imperva-managed/on-prem variant, because the extraction path differs by product family.
2. Enable Imperva's SIEM or log-integration path for security events and access logs in the WAF product you operate.
3. Prefer an export method that preserves structured records such as JSON, CEF, LEEF, or key-value syslog messages.

Extract or Export the Logs

4. For Imperva Cloud WAF, use the vendor-supported log integration path to retrieve security events and access logs through API or object-storage export, depending on your deployment and entitlement.
5. For syslog-driven deployments, capture the structured event feed on your collector and save the raw files into the aiFObserve workspace.
6. Before conversion, verify that the logs retain the action, client IP, URL/host, rule context, timestamp, and request identity values needed for downstream classification.

Important Fields to Preserve

• action
• client IP
• host
• URL/path
• timestamp
• rule/policy
• request ID/support ID
• user agent