I'm looking for documentation on the violation_details XML output for 11.x. I'm trying to understand more about the individual messages. Below is an example. This is for signature 200007002, which I can see in the details, and the signature name is Directory Traversal attempt "/..%255c". When I check the ASM GUI I do see this string captured, and the violation details in the ASM GUI call it out, highlighted all friendly-like. The violation details in the syslog give no indication of this. Because the logs are truncated in the GUI and the actual syslog, the user request portion does not have the attack either.
So some documentation would be helpful, since each violation has a different core set of information. Violation_details is also listed in the manual as containing the full information, so it is confusing why the GUI would show the attack clear as day when selecting violation details, while the syslog instead contains values that look more like cookies. And no, it was not a session cookie or any parameter with a name matching the one below that was hit.
<?xml version='1.0' encoding='UTF-8'?><request-violations>42VIOL_ATTACK_SIGNATURErequest2000070026c2VsZWN0ZWRQcm92aWRlck5hbWU9MTEyMiZzZWxlY3RlZERhdGVSYW5nZT0yeWVhcnMmc3RhcnREYXRlPS8uLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiU=618</request-violations>
The output in the buffer tag is base64 encoded.
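As an added example (not code from the original thread or from F5), here is a small Python script that pulls the buffer value out of a violation_details document and decodes it, so you can see why the GUI shows the attack while the raw syslog does not. The base64 string is copied verbatim from the sample in the question; the wrapping XML is constructed, with only the request-violations and buffer element names taken from the thread (the violation element is an assumption). The script then percent-decodes the result repeatedly, which shows that %255c is a double-encoded backslash, i.e. a "/..\" traversal sequence.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

# Base64 payload copied verbatim from the violation_details sample in the question.
BUFFER_B64 = (
    "c2VsZWN0ZWRQcm92aWRlck5hbWU9MTEyMiZzZWxlY3RlZERhdGVSYW5nZT0yeWVhcnMmc3RhcnREYXRl"
    "PS8uLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4u"
    "JTI1NWMuLiU="
)

# Constructed sample document. Only <request-violations> and <buffer> are named in
# the thread; the <violation> wrapper is an assumption, as the real element
# names around the buffer were stripped from the posted sample.
SAMPLE_XML = (
    "<?xml version='1.0' encoding='UTF-8'?>"
    "<request-violations><violation>"
    f"<buffer>{BUFFER_B64}</buffer>"
    "</violation></request-violations>"
)


def extract_buffers(xml_text):
    """Return the text of every <buffer> element, wherever it sits in the tree."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [b.text.strip() for b in root.iter("buffer") if b.text]


def decode_buffer(b64):
    """Base64-decode one buffer value; undecodable bytes are replaced, not dropped."""
    return base64.b64decode(b64, validate=True).decode("utf-8", errors="replace")


def unwrap_encoding(text, max_rounds=3):
    """Percent-decode until the string stops changing.

    Returns the chain of intermediate strings, e.g. %255c -> %5c -> backslash.
    The cap on rounds keeps pathological input from looping.
    """
    chain = [text]
    for _ in range(max_rounds):
        nxt = urllib.parse.unquote(chain[-1])
        if nxt == chain[-1]:
            break
        chain.append(nxt)
    return chain


def locate(decoded, needle):
    """Offset of the signature keyword within the decoded buffer, or -1.

    Note: the thread does not say what the 618 offset in the sample is relative
    to, so this only reports a position inside the decoded buffer itself.
    """
    return decoded.find(needle)


if __name__ == "__main__":
    for raw in extract_buffers(SAMPLE_XML):
        decoded = decode_buffer(raw)
        print("decoded buffer:", decoded)
        print("keyword offset in buffer:", locate(decoded, "/..%255c"))
        for i, step in enumerate(unwrap_encoding(decoded)):
            print(f"percent-decode round {i}:", step)
```

Running the script prints the decoded query string (selectedProviderName, selectedDateRange and a startDate parameter carrying nine ..%255c sequences), then each decoding round, so the traversal the GUI highlights becomes readable straight from the syslog value.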
Here are some docs you may find useful with respect to remote logging:
That really helped :) I was sieving through some raw logs & couldn't quite figure out the encoded violation details at first.