Log push from suspicious origins

I’m working on a cyber security project that involves log analisis, but I’m space constrained. To get around this, I thought that rather than push all logs, to push all traffic whose origin meets a certain waf criteria.

Many times when you see waf events, not all traffic from one origin is blocked by the WAF, and a pretty big chunk gets through without matching any waf policies. How can I create a logpush configuration that pushes all logs whose corresponding IP for example has had X blocks in waf?

Hi there,

I do not believe it is possible to do exactly what you are asking for here - (eg. only trigger sending logs when a certain threshold his exceeded)

Here is a screenshot from the settings from LogPush.

You can create a filtered log to specify logs from a specific IP and you can choose to send a sample of these requests - but you cant set logs to push on specific threshold being reached.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.