Reading Shield event logs can help you find potential security flaws in your domain's architecture, identify IP patterns, spot false positives and more. It is just as important to understand how to search the logs correctly.
The dashboard event logs give a basic overview of:
- The logged IP (with ASN) and date.
- The condition of the log (logged/blocked).
- The rule ID, with a basic description of the rule.
- The logged request headers (excluding headers removed in the WAF overview, where applicable).
With this information at hand, you can decide whether the request was legitimate or the rule triggered erroneously, and act accordingly, for example:
- Disable the rule entirely via the meatball menu (far right of the triggered rule).
- Add an Edge Rule to override Shield settings under a specific condition (for example, whitelisting office IPs on specific URLs/methods where a custom Access List definition would be too restrictive).
Disabling a rule removes that check for every request to the zone, so prefer the narrower Edge Rule override when the false positive is confined to a known client, path or method.
Some fields are currently omitted from the dashboard logs; the API returns the same events with more detail. Two entries from the API (sensitive values redacted) look like this:

```json
{
"logId": "fdd9209e-89a2-483b-a256-e652ccd64fd4",
"timestamp": 1760254909048,
"log": "{\"ServerZoneId\":6,\"Message\":\"Oracle SQL Information Leakage\",\"Url\":\"REDACTED\",\"RemoteIp\":\"REDACTED\",\"UrlEncodedBody\":null,\"Headers\":[{\"Name\":\"Host\",\"Value\":\"REDACTED\"},{\"Name\":\"User-Agent\",\"Value\":\"Go-http-client/1.1\"},{\"Name\":\"Accept-Encoding\",\"Value\":\"identity\"},{\"Name\":\"Range\",\"Value\":\"bytes=0-5242879\"},{\"Name\":\"CDN-SliceRange\",\"Value\":\"bytes=0-5242879\"},{\"Name\":\"X-Forwarded-Proto\",\"Value\":\"https\"},{\"Name\":\"CDN-RequestStateCode\",\"Value\":\"ON\"},{\"Name\":\"CDN-RequestId\",\"Value\":\"083513c371dad35ce067f7c74adf604c\"}],\"TriggerMatch\":{\"Key\":\"RX\",\"Value\":\"\\u003C!DOCTYPE html PUBLIC \\u0022-//W3C//DTD XHTML 1.0 Transitional//EN\\u0022 \\u0022DTD/xhtml1-transitional.dtd\\u0022\\u003E\\n\\u003Chtml xmlns=\\u0022http://www.w3.org/1999/xhtml\\u0022\\u003E\\u003Chead\\u003E\\n\\u003Cstyle type=\\u0022text/css\\u0022\\u003E\\nbody {background-color: #fff; color: #222; font-family: sans-serif;}\\npre {margin: 0; font-family: monospace;}\\na:link {color: #009; text-decoration: none; background-color: #fff;}\\na:hover {text-decoration: underline;}\\ntable {border-collapse: collapse; border: 0; width: 934px; box-shadow: 1px 2px 3px #ccc;}\\n.center {text-align: center;}\\n.center table {margin: 1em auto; text-align: left;}\\n.center th {text-align: center !important;}\\ntd, th {border: 1px solid #666; font-size: 75%; vertical-align: baseline; padding: 4px 5px;}\\nth {position: sticky; top: 0; background: inherit;}\\nh1 {font-size: 150%;}\\nh2 {font-size: 125%;}\\n.p {text-align: left;}\\n.e {background-color: #ccf; width: 300px; font-weight: bold;}\\n.h {background-color: #99c; font-weight: bold;}\\n.v {background-color: #ddd; max-width: 300px; overflow-x: auto; word-wrap: br\"}}",
"labels": {
"asn": "14061",
"country": "CA",
"ruleId": "951120",
"severity": "",
"method": "GET",
"ruleGroup": "",
"status": "Logged",
"serverZone": "DE"
}
},
{
"logId": "cff3dbcf-8d98-4a57-9aae-727e1aeb6316",
"timestamp": 1760254907710,
"log": "{\"ServerZoneId\":6,\"Message\":\"Restricted File Access Attempt\",\"Url\":\"REDACTED\",\"RemoteIp\":\"REDACTED\",\"UrlEncodedBody\":null,\"Headers\":[{\"Name\":\"Host\",\"Value\":\"REDACTED\"},{\"Name\":\"User-Agent\",\"Value\":\"Go-http-client/1.1\"},{\"Name\":\"Accept-Encoding\",\"Value\":\"identity\"},{\"Name\":\"Range\",\"Value\":\"bytes=0-5242879\"},{\"Name\":\"CDN-SliceRange\",\"Value\":\"bytes=0-5242879\"},{\"Name\":\"X-Forwarded-Proto\",\"Value\":\"https\"},{\"Name\":\"CDN-RequestStateCode\",\"Value\":\"ON\"},{\"Name\":\"CDN-RequestId\",\"Value\":\"906cf8fe4eb828b49424624bd2ec4578\"}],\"TriggerMatch\":{\"Key\":\"PMF\",\"Value\":\"/.git/config\"}}",
"labels": {
"asn": "14061",
"country": "CA",
"ruleId": "930130",
"severity": "",
"method": "GET",
"ruleGroup": "",
"status": "Logged",
"serverZone": "DE"
}
}
```

The API output exposes data the dashboard omits. Note that the `log` field is itself JSON serialised as a string, so it has to be decoded a second time before the fields inside it (`Message`, `Url`, `RemoteIp`, `Headers`, `TriggerMatch`) can be read. The most useful of those is `TriggerMatch`, which carries the data that actually tripped the rule, where applicable: `Key` names the kind of match (the rule IDs and descriptions follow the OWASP Core Rule Set, where `RX` is a regular-expression match and `PMF` a phrase match against a file-based list) and `Value` is the matched data. In the second entry the value is the requested path `/.git/config`, exactly the kind of restricted file rule 930130 looks for; in the first, the value is a chunk of HTML rather than anything the client sent, which is the detail you need before deciding whether a hit is a true positive, a false positive, or a rule worth overriding for one path only.
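Working through the structure above in code makes the two-level decoding and the grouping concrete. The following Python is an added example, not Bunny's own tooling: it takes a constructed API response shaped like the two entries above (wrapped in a JSON array, the first trigger value shortened, sensitive fields left as `REDACTED`), decodes the nested `log` string, converts the millisecond timestamp, and groups events by rule, source and client so a reviewer can see patterns such as one ASN and one user agent tripping several rules in the same second.

```python
"""Triage helper for Shield API event logs.

Added example, not code from Bunny or from the original page. The sample
response below is constructed to mirror the page's output; the array wrapper
and the shortened first TriggerMatch value are assumptions, REDACTED stands in
for real hosts, URLs and IPs.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample, shaped like the page's API output. The "log" field is a
# JSON document stored as a string inside the outer JSON document.
RAW_API_RESPONSE = r'''[
  {
    "logId": "fdd9209e-89a2-483b-a256-e652ccd64fd4",
    "timestamp": 1760254909048,
    "log": "{\"ServerZoneId\":6,\"Message\":\"Oracle SQL Information Leakage\",\"Url\":\"REDACTED\",\"RemoteIp\":\"REDACTED\",\"UrlEncodedBody\":null,\"Headers\":[{\"Name\":\"Host\",\"Value\":\"REDACTED\"},{\"Name\":\"User-Agent\",\"Value\":\"Go-http-client/1.1\"},{\"Name\":\"CDN-RequestId\",\"Value\":\"083513c371dad35ce067f7c74adf604c\"}],\"TriggerMatch\":{\"Key\":\"RX\",\"Value\":\"\\u003C!DOCTYPE html PUBLIC \\u0022-//W3C//DTD XHTML 1.0 Transitional//EN\\u0022\\u003E\"}}",
    "labels": {"asn": "14061", "country": "CA", "ruleId": "951120", "severity": "", "method": "GET", "ruleGroup": "", "status": "Logged", "serverZone": "DE"}
  },
  {
    "logId": "cff3dbcf-8d98-4a57-9aae-727e1aeb6316",
    "timestamp": 1760254907710,
    "log": "{\"ServerZoneId\":6,\"Message\":\"Restricted File Access Attempt\",\"Url\":\"REDACTED\",\"RemoteIp\":\"REDACTED\",\"UrlEncodedBody\":null,\"Headers\":[{\"Name\":\"Host\",\"Value\":\"REDACTED\"},{\"Name\":\"User-Agent\",\"Value\":\"Go-http-client/1.1\"},{\"Name\":\"CDN-RequestId\",\"Value\":\"906cf8fe4eb828b49424624bd2ec4578\"}],\"TriggerMatch\":{\"Key\":\"PMF\",\"Value\":\"/.git/config\"}}",
    "labels": {"asn": "14061", "country": "CA", "ruleId": "930130", "severity": "", "method": "GET", "ruleGroup": "", "status": "Logged", "serverZone": "DE"}
  }
]'''


def parse_entries(raw: str) -> list:
    """Decode the outer array, then the nested 'log' string of every entry.

    Adds two keys per entry: 'event' (the decoded inner document) and 'time'
    (the millisecond timestamp as an aware UTC datetime)."""
    entries = json.loads(raw)
    for entry in entries:
        entry["event"] = json.loads(entry["log"])          # second decode
        entry["time"] = datetime.fromtimestamp(entry["timestamp"] / 1000, tz=timezone.utc)
    return entries


def header(event: dict, name: str):
    """Case-insensitive lookup in the inner 'Headers' list (Name/Value pairs)."""
    for h in event.get("Headers", []):
        if h["Name"].lower() == name.lower():
            return h["Value"]
    return None


def summarise(entries: list) -> dict:
    """Count hits by rule, by source (ASN, country, IP) and by user agent."""
    by_rule, by_source, by_agent = Counter(), Counter(), Counter()
    for entry in entries:
        lab, ev = entry["labels"], entry["event"]
        by_rule[(lab["ruleId"], ev["Message"])] += 1
        by_source[(lab["asn"], lab["country"], ev["RemoteIp"])] += 1
        by_agent[header(ev, "User-Agent") or "-"] += 1
    return {"by_rule": by_rule, "by_source": by_source, "by_agent": by_agent}


def review_rows(entries: list, width: int = 60) -> list:
    """Flatten each entry into the fields a reviewer needs, oldest first.

    TriggerMatch values can be whole pages of HTML (as in the first entry on
    the page), so the value is cut to `width` characters for display."""
    rows = []
    for entry in sorted(entries, key=lambda e: e["timestamp"]):
        lab, ev = entry["labels"], entry["event"]
        match = ev.get("TriggerMatch") or {}
        value = match.get("Value") or ""
        rows.append({
            "time": entry["time"].isoformat(timespec="seconds"),
            "status": lab["status"],
            "ruleId": lab["ruleId"],
            "message": ev["Message"],
            "method": lab["method"],
            "asn": lab["asn"],
            "user_agent": header(ev, "User-Agent"),
            "trigger_key": match.get("Key"),
            "trigger_value": value if len(value) <= width else value[:width] + "...",
        })
    return rows


if __name__ == "__main__":
    parsed = parse_entries(RAW_API_RESPONSE)
    for row in review_rows(parsed):
        print(row)
    for key, count in summarise(parsed)["by_rule"].items():
        print(key, count)
```

Point the script at a saved API response instead of `RAW_API_RESPONSE` to use it on real data; the `by_source` and `by_agent` counters are where repeated scanners stand out, and `trigger_value` is what you read before choosing between disabling a rule and adding a scoped Edge Rule.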