What file are logs stored for the violations in Security->Event Logs->Protocol->HTTP

Hello Manohar.

These are the tables available:

# mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "SHOW TABLES FROM PRX"
+-----------------------------------+
| Tables_in_PRX                     |
+-----------------------------------+
| ACCEPTED_REQUESTS                 |
| BOT_DEFENSE_ANOMALIES             |
| BOT_DEFENSE_ANOMALY_CATEGORIES    |
| BOT_DEFENSE_EVENT_LOG             |
| BOT_DEFENSE_EVENT_LOG_CLEARED     |
| BOT_DEFENSE_EVENT_LOG_PROPERTIES  |
| BOT_INCIDENTS                     |
| BOT_INCIDENT_ANOMALIES            |
| BOT_INCIDENT_ANOMALY_CATEGORIES   |
| BOT_INCIDENT_SUPPORT_IDS          |
| BOT_INCIDENT_TOP_IPS              |
| BRUTE_FORCE_ATTACK_LOG            |
| BRUTE_FORCE_ATTACK_LOG_PROPERTIES |
| BRUTE_FORCE_LEAKED_CREDENTIALS    |
| BRUTE_FORCE_LOGIN_PAGE_STATUS     |
| BRUTE_FORCE_MITIGATED_DEVICE_IDS  |
| BRUTE_FORCE_MITIGATED_IPS         |
| BRUTE_FORCE_MITIGATED_USERNAMES   |
| CLEANDB_LOG                       |
| INCIDENTS                         |
| INCIDENT_SUPPORT_IDS              |
| INCIDENT_TYPES                    |
| PROXY_LOG_CONSUMERS               |
| REQUEST_LOG                       |
| REQUEST_LOG_CLEARED               |
| REQUEST_LOG_PROPERTIES            |
| REQUEST_LOG_SYNC_FILES            |
| REQUEST_LOG_TAGS                  |
+-----------------------------------+

And these are the incident types:

# mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "SELECT incident_type_id,incident_type_name,incident_type_display_name FROM PRX.INCIDENT_TYPES"
+------------------+----------------------------+--------------------------------------------+
| incident_type_id | incident_type_name         | incident_type_display_name                 |
+------------------+----------------------------+--------------------------------------------+
|                1 | INFORMATION_LEAKAGE        | Information Leakage                        |
|                2 | MALICIOUS_SESSION          | Malicious Session                          |
|                4 | VULNERABILITY_SCAN         | Vulnerability Scan                         |
|                5 | DISALLOWED_SOURCE          | Access from Malicious or Disallowed Source |
|                6 | SERVER_SIDE_CODE_INJECTION | Server Side Code Injection                 |
|                7 | COMMAND_EXECUTION          | Command Execution                          |
|                8 | DATA_TAMPERING             | Data Tampering                             |
|                9 | SESSION_HIJACKING          | Session Hijacking                          |
|               10 | AUTH_BYPASS                | Authentication/Authorization Bypass        |
|               11 | MALICIOUS_CONTENT          | Malicious Content                          |
|               12 | MALICIOUS_SCAN             | Malicious Scan                             |
|               13 | THREAT_CAMPAIGN            | Threat Campaign                            |
+------------------+----------------------------+--------------------------------------------+

The rest of the work to deep into those SQL Tables.

Please, don't forget to mark my answer as "the best" to help other people to find it.

Regards,

Dario.

Hello Manohar.

PRX.REQUEST_LOG has a column called "support_id".

# mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "select * from PRX.REQUEST_LOG where support_id = 9374597410145173508\G"
*************************** 1. row ***************************
                       id: 1
               support_id: 9374597410145173508
        support_id_suffix: 3508

Regards,

Dario.