Closed
Description
Describe the bug
The format_string value in log_sm.json is missing critical security event fields, which results in incomplete logging for security monitoring in NGINX App Protect WAF.
A user commented via the doc feedback survey:
The format of the string is wrong.
"format_string": "%blocking_exception_reason%,%dest_port%,%ip_client%,%severity%,%uri%",
You can find the correct one here:
https://docs.nginx.com/nginx-instance-manager/monitoring/security-monitoring/configure/set-up-app-protect-instances/
Actual format_string
Expected format_string
"format_string":
"%blocking_exception_reason%,%dest_port%,%ip_client%,%is_truncated_bool%,"
"%method%,%policy_name%,%protocol%,%request_status%,%response_code%,"
"%severity%,%sig_cves%,%sig_set_names%,%src_port%,%sub_violations%,"
"%support_id%,%threat_campaign_names%,%violation_rating%,%vs_name%,"
"%x_forwarded_for_header_value%,%outcome%,%outcome_reason%,%violations%,"
"%violation_details%,%bot_signature_name%,%bot_category%,%bot_anomalies%,"
"%enforced_bot_anomalies%,%client_class%,%client_application%,"
"%client_application_version%,%transport_protocol%,%uri%,%request%"