NinjaFirewall (WP Edition) - Advanced Security: Question about parsing log files (.php files)

  • Resolved kimkuhlman

    (@kimkuhlman)


    Hi,

    LOVE this plugin. I started getting strange activity, including from my own IP address, so I would like to be able to parse the log files downloaded from the server rather than cut and paste the logs individually from the NFW logs dashboard. Can you provide any information on how to interpret those files? Thanks in advance!


Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    There are 12 fields, enclosed in square brackets:

    * Epoch time.
    * Time to process the request (could be ‘0’ if the log line is informative, e.g., admin logged in).
    * The domain name.
    * The incident unique ID.
    * The firewall rule ID that blocked the request (could be ‘0’ if not a rule).
    * Log level (1:CRITICAL, 2:HIGH, 3:MEDIUM, 4:UPLOAD, 5:INFO, 6:DEBUG_ON).
    * Client IP.
    * Returned HTTP code (400, 403…).
    * Request method (GET, POST…).
    * Script name.
    * Description of the incident.
    * The data (or payload). By default, it is hex-encoded.

    Thanks SO much for the quick response! And thank you for such a useful plugin. Is there a way to change the encoding scheme? I’m interested in working with you further on an ongoing security issue with one of the sites I host, if you’re interested. All the best! Kim

    Oh, and BTW, is there a listing of the firewall rule IDs somewhere?

    I also found the page that has info. about changing the encoding.

    Thanks again,

    Kim

    Plugin Author nintechnet

    (@nintechnet)

    There’s no listing of the rules, but just a quick overview in the “Rules Editor” page. Full details are written to the log when the rule is triggered. There’s no documentation either, because we change them often.

    Regarding the log encoding, you can switch to Base64 or none (I don’t recommend disabling encoding), but I assume you have found the online doc on our website.
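
A parser for the 12-field format described in the replies above, covering the hex, Base64 and unencoded data options; this is an added example, not code from the plugin or its author. The exact on-disk layout (whitespace between fields, a non-log header line at the top of the .php file, an optional `hex:`/`b64:` label in the data field) is an assumption to check against your own files, and the sample lines are constructed.

```python
import base64
import re
from datetime import datetime, timezone

FIELDS = ("epoch", "process_time", "domain", "incident_id", "rule_id", "level",
          "client_ip", "http_code", "method", "script", "description", "data")
LEVELS = {1: "CRITICAL", 2: "HIGH", 3: "MEDIUM", 4: "UPLOAD", 5: "INFO", 6: "DEBUG_ON"}
# 11 bracketed fields, then the data field matched greedily to the last ']',
# because unencoded data may itself contain brackets.
LINE_RE = re.compile(r"^\s*" + r"\[([^\]]*)\]\s*" * 11 + r"\[(.*)\]\s*$")

def decode_data(raw, encoding="hex"):
    """Decode the data field; the payload is attacker-controlled."""
    # Assumption: a 'hex:' or 'b64:' label may precede the encoded data.
    for label, enc in (("hex:", "hex"), ("b64:", "base64")):
        if raw.startswith(label):
            raw, encoding = raw[len(label):], enc
            break
    try:
        if encoding == "hex":
            return bytes.fromhex(raw).decode("utf-8", "replace")
        if encoding == "base64":
            return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except ValueError:
        pass  # malformed encoding: keep the raw text for the analyst
    return raw

def parse_line(line, encoding="hex"):
    """Return a dict for one log line, or None for non-log lines."""
    m = LINE_RE.match(line)
    if not m:
        return None  # e.g. a header line at the top of the .php file
    rec = dict(zip(FIELDS, m.groups()))
    try:
        rec["time"] = datetime.fromtimestamp(int(rec["epoch"]), tz=timezone.utc)
        rec["level"] = LEVELS.get(int(rec["level"]), rec["level"])
    except ValueError:
        return None
    rec["data"] = decode_data(rec["data"], encoding)
    return rec

# Constructed sample input (not from a real log); the first line is an assumed header.
SAMPLE = """<?php exit; ?>
[1700000000] [0.00312] [example.com] [1234567] [0] [2] [203.0.113.7] [403] [GET] [/index.php] [constructed test entry] [3c7363726970743e]
[1700000060] [0] [example.com] [7654321] [0] [5] [198.51.100.9] [200] [POST] [/wp-login.php] [constructed info entry] [61646d696e]
"""

if __name__ == "__main__":
    for rec in filter(None, map(parse_line, SAMPLE.splitlines())):
        print(rec["time"].isoformat(), rec["level"], rec["client_ip"], repr(rec["data"]))
```

The payload is printed with `repr()` so that control characters in a logged request cannot reach the terminal; apply the same care before rendering decoded data in HTML or a spreadsheet.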
