ewalker-waf-alerts

Get alerts from eWalker WAF devices.

ewalker-waf-alerts [profile=PROFILE] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss] [order=ORDER]

profile=PROFILE: eWalker WAF connect profile code
duration=NUM{mon|w|d|h|m|s}: Scan only recent data. You should use s(second), m(minute), h(hour), d(day), mon(month) time unit. For example, 10s means data from 10 seconds earlier.
from=yyyyMMddHHmmss: Start time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
to=yyyyMMddHHmmss: End time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
order=ORDER: Scan direction. desc or asc.

Output Fields

Field	Type	Name	Description
_time	Date	Time	Log time
profile	String	Connect profile	eWalker WAF connect profile code
es_index	String	Index	Elastic index name
es_id	String	ID	Elastic log id
src_ip	IP address	Source IP	Client IP address
dst_ip	IP address	Destination IP	Server IP address
target_url	String	Target URL	Policy is determined by wildcard path
category	String	Category	e.g. Trust IP, Rule
owasp	String	OWASP code	e.g. A01:2021 - Broken Access Control
rule_id	Integer	Rule ID	e.g. 4027
signature	String	Signature	e.g. Get Slowloris attack
action	String	Action	e.g. PERMIT, DETECT, BLOCK
count	Integer	Count	Detect count
status	Integer	Status	HTTP status code. e.g. 200
method	String	Method	HTTP method
path	String	Path	e.g. /
query	String	Query	e.g. input=`cat /etc/passwd`
match_target	String	Match target	e.g. url query
match_data	String	Match data	e.g. input=`cat /etc/passwd`
match_offset	Integer	Match offset	e.g. 10
match_length	Integer	Match length	e.g. 12
match	String	Match info
start_time	Date	Start time
end_time	Date	End time
request_headers	String	Request headers
response_headers	String	Response headers