Difficult to filter noise from Firewall Event Log with VaultPress enabled

waf
wordpress

#1

Hi there,

I have the various WordPress firewall rules enabled for my site, including rule WP0020 “Disable WAF for Verified VaultPress backup requests” as I use that plugin. The Firewall Events log is full of 100s of WP0020 entries every day for a range of IPs, which makes it difficult to use the log (or filter the noise from it), short of either:

  1. Manually going through every page of the event log; or,
  2. Manually searching for specific rules I think may generally be triggered.

Neither of these is particularly ideal as I’m likely to miss something critical.

It’d be awesome if I could:

  1. Filter events by Action Taken so that I can either show or hide whitelist actions;
  2. Sort the table by any column; and,
  3. Add additional event filters for Location and Date Range (in addition to #1 above and the existing Ray ID, IP Address, and Rule ID) as it’s occasionally useful to narrow the result set down by such criteria.

This would allow me to easily filter out the noise of the VaultPress rule and surface important events that actually need my attention.

Thanks! :relaxed: :pray:


#2

As an example, here’s a typical page out of 1000s that are all largely the same – just from within the last 3-4 hours. I ended up manually whitelisting the 192.0.64.0/18 range (which, because Cloudflare limits IP ranges to /16 or /24, I had to add each subnet individually) as that was easier than trawling through the WAF log trying to find any non-whitelisted nugget!
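The workaround described in this thread, as an added example that is not part of either post or of Cloudflare's tooling: it expands 192.0.64.0/18 into the /24 blocks that have to be entered individually, and triages event rows so that WP0020 whitelist hits from inside that range are hidden while everything else surfaces. The event field names, the sample rows, and the treatment of WP0020 hits from outside the range as worth reviewing are assumptions.

```python
import ipaddress
from datetime import datetime

# The range and rule ID come from the thread; everything else is constructed.
VAULTPRESS_RANGE = ipaddress.ip_network("192.0.64.0/18")
NOISE_RULE = "WP0020"


def split_for_access_rules(network, new_prefix=24):
    """Break a range into the /24 blocks that must be added one by one."""
    return [str(n) for n in network.subnets(new_prefix=new_prefix)]


def triage(events, start=None, end=None, sort_by="time"):
    """Hide expected whitelist noise, keep the rest, sorted descending."""
    kept = []
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        if (start and ts < start) or (end and ts > end):
            continue  # outside the requested date range
        expected = (
            ev["rule_id"] == NOISE_RULE
            and ev["action"] == "whitelist"
            and ipaddress.ip_address(ev["ip"]) in VAULTPRESS_RANGE
        )
        if not expected:
            kept.append(ev)
    return sorted(kept, key=lambda ev: ev[sort_by], reverse=True)


# Constructed sample rows; field names are hypothetical, not Cloudflare's schema.
SAMPLE_EVENTS = [
    {"time": "2018-01-10T09:00:00", "ip": "192.0.100.7",
     "rule_id": "WP0020", "action": "whitelist", "country": "US"},
    {"time": "2018-01-10T09:01:00", "ip": "192.0.89.53",
     "rule_id": "WP0020", "action": "whitelist", "country": "US"},
    {"time": "2018-01-10T09:02:00", "ip": "203.0.113.9",
     "rule_id": "WP0020", "action": "whitelist", "country": "NL"},
    {"time": "2018-01-10T09:03:00", "ip": "198.51.100.4",
     "rule_id": "EXAMPLE-RULE", "action": "block", "country": "DE"},
]

if __name__ == "__main__":
    blocks = split_for_access_rules(VAULTPRESS_RANGE)
    print(len(blocks), "blocks:", blocks[0], "...", blocks[-1])
    for ev in triage(SAMPLE_EVENTS):
        print(ev["time"], ev["ip"], ev["rule_id"], ev["action"])
```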

