eCDN-WAF Log OCAPI References

You can request eCDN-WAF log files from Open Commerce API (OCAPI). All OCAPI calls return all fields shown in the JavaScript Object Notation (JSON) log output. The JSON request format provides category, field, and descriptions for the log output. Each realm supports up to 24 pending log request downloads.

Request eCDN-WAF Logs with an OCAPI Call

Now you can view two versions of the eCDN WAF log—the legacy version, and a new version that delivers more comprehensive data. Changes for the new version include adding fields about the firewall type and any actions performed by WAF. Some fields that are now obsolete are removed in the new version because of the recently added fields. We will phase out the older version of the log file in a future release.

You can use OCAPI calls to request either the new log format or the legacy log format. Both calls are identical, with the exception of adding “new_log_fields: true” in the body section for the new log format request.

OCAPI Call for New Log Format
POST https//<yourservername>.demandware.net/s/-/dw/data/v18_8/log_requests/ecdn

HEADER
Authorization: Bearer aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa

REQUEST BODY
{zone_name: "redcliff.de", start_time: "2018-10-04T10:00:00.000Z", end_time: "2018-10-04T11:00:00.000Z", new_log_fields: true}
OCAPI Call for Legacy Log Format
POST https//<yourservername>.demandware.net/s/-/dw/data/v18_8/log_requests/ecdn

HEADER
Authorization: Bearer aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa

REQUEST BODY
{zone_name: "redcliff.de", start_time: "2018-10-04T10:00:00.000Z", end_time: "2018-10-04T11:00:00.000Z"}

JSON Log Outputs

The log outputs differ depending on whether you use the new or the legacy OCAPI calls.

New Log Output
{"CacheStatus":["unknown", "hit", "miss”,"dynamic"]
"ClientCountry":"us",
"ClientDeviceType":"mobile",
"ClientIP":"1.1.1.1"
"Client IP class:'badHost',
"ClientRequestHost":"www.customer.com",
"ClientRequestMethod":"GET",
"ClientRequestURI":"/dw/image/v2/xxxx_PRD/on/demandware.st
atic/-/template/default/uniqueid/productimages/aaaaaa.jpg?sw=470",
"ClientRequestUserAgent":"Mozilla/5.0 (Linux; Android 7.1.1;
XT1650 Build/NCLS26.118-23-13-6-5) AppleWebKit/537.36
(KHTML, like Gecko Chrome/66.0.3359.158 Mobile
Safari/537.36",
"EdgeResponseStatus":xxx,
"EdgeStartTimestamp":1528631882657999872,
"FirewallMatchesActions":["simulate", “challenge”, "drop"],
"FirewallMatchesSources":["firewallRules", “waf”, “rateLimit”],
"FirewallMatchesRuleIDs":["4861c39f2cf84aa985d5d813576d08b8"],
"RayID":"xxxxxxxxxx",
Legacy Log Output
{"ClientCountry":"us",
"ClientDeviceType":"mobile",
"ClientIP":"1.1.1.1"
"Client IP class:'badHost',
"ClientRequestHost":"www.customer.com",
"ClientRequestMethod":"GET",
"ClientRequestURI":"/dw/image/v2/xxxx_PRD/on/demandware.st
atic/-/template/default/uniqueid/productimages/aaaaaa.jpg?sw=
470",
"ClientRequestUserAgent":"Mozilla/5.0 (Linux; Android 7.1.1;
XT1650 Build/NCLS26.118-23-13-6-5) AppleWebKit/537.36
(KHTML, like Gecko Chrome/66.0.3359.158 Mobile
Safari/537.36",
"EdgeResponseStatus":xxx,
"EdgeStartTimestamp":1528631882657999872,
"RayID":"xxxxxxxxxx",
"WAFAction":"unknown",
"WAFFlags":"0",
"WAFMatchedVar":"",
"WAFProfile":"general",
"WAFRuleID":"",
"WAFRuleMessage":""}

Log Field Information

Category Field Description Log Version
general CacheStatus Array of strings that define whether a resource is cached. Possible sources: hit | miss | dynamic New
client ClientCountry Country of the client IP address New / Legacy
client ClientDeviceType Client device type New / Legacy
client ClientIP IP addresses of the client New / Legacy
client ClientIPClass IP that is blocked for bad reputation status New / Legacy
clientRequest ClientRequestHost Host requested by the client New / Legacy
clientRequest ClientRequestMethod HTTP method of client request New / Legacy
clientRequest ClientRequestURI URI requested by the client New / Legacy
clientRequest ClientRequestUserAgent User agent reported by the client New / Legacy
edge EdgeResponseStatus HTTP status code returned by eCDN to the client New / Legacy
edge EdgeStartTimestamp UNIX nanosecond timestamp, the edge received request from the client New / Legacy
edgeWAF FirewallMatchesActions Array of actions (strings) that the eCDN firewall performed on a request: allow | log | simulate | drop | challenge | jschallenge | connection close New
edgeWAF FirewallMatchesSources Array of firewall source types (strings) that have performed actions on a request: asn | country | ip | ipRange | securityLevel | zoneLockdown | waf | firewallRules | uaBlock | rateLimit | bic | hot | l7ddos

The same product appearing multiple times indicates different rules or actions activated.

New
edgeWAF FirewallMatchesRuleIDs Array of RuleIDs (strings) that matched the request New
general RayID Unique request identifier, 64-bit binary ID New / Legacy
edgeWAF WAFAction Action taken by the WAF, if triggered Legacy
edgeWAF WAFFlags More configuration flags: simulate (0x1) | null Legacy
edgeWAF WAFMatchedVar Full name of the most-recently matched variable Legacy
edgeWAF WAFProfile WAF profile: log | med | high Legacy
edgeWAF WAFRuleID ID of the applied WAF rule Legacy
edgeWAF WAFRuleMessage Rule message associated with the triggered rule Legacy
Note: A return of "unknown" for WAFAction or WAFProfile indicates that no rule was triggered on that request. In this case, WAFRuleID and other nearby fields return empty strings as well. This does not mean that a WAFProfile or WAFAction is not set.
X Privacy Update: We use cookies to make interactions with our websites and services easy and meaningful, to better understand how they are used. By continuing to use this site you are giving us your consent to do this. Privacy Policy.