oracle.oci.oci_waas_waf_log_facts – Fetches details about one or multiple WafLog resources in Oracle Cloud Infrastructure

Note

This plugin is part of the oracle.oci collection (version 4.13.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install oracle.oci.

To use it in a playbook, specify: oracle.oci.oci_waas_waf_log_facts.

New in version 2.9.0: of oracle.oci

Synopsis

  • Fetches details about one or multiple WafLog resources in Oracle Cloud Infrastructure

  • Gets structured Web Application Firewall event logs for a WAAS policy. Sorted by the timeObserved in ascending order (starting from the oldest recorded event).

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter Choices/Defaults Comments
access_rule_key
list / elements=string
Filters logs by access rule key.
action
list / elements=string
    Choices:
  • BLOCK
  • DETECT
  • BYPASS
  • LOG
  • REDIRECTED
Filters logs by Web Application Firewall action.
api_user
string
The OCID of the user, on whose behalf, OCI APIs are invoked. If not set, then the value of the OCI_USER_ID environment variable, if any, is used. This option is required if the user is not specified through a configuration file (See config_file_location). To get the user's OCID, please refer https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm.
api_user_fingerprint
string
Fingerprint for the key pair being used. If not set, then the value of the OCI_USER_FINGERPRINT environment variable, if any, is used. This option is required if the key fingerprint is not specified through a configuration file (See config_file_location). To get the key pair's fingerprint value please refer https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm.
api_user_key_file
string
Full path and filename of the private key (in PEM format). If not set, then the value of the OCI_USER_KEY_FILE variable, if any, is used. This option is required if the private key is not specified through a configuration file (See config_file_location). If the key is encrypted with a pass-phrase, the api_user_key_pass_phrase option must also be provided.
api_user_key_pass_phrase
string
Passphrase used by the key referenced in api_user_key_file, if it is encrypted. If not set, then the value of the OCI_USER_KEY_PASS_PHRASE variable, if any, is used. This option is required if the key passphrase is not specified through a configuration file (See config_file_location).
auth_purpose
string
    Choices:
  • service_principal
The auth purpose which can be used in conjunction with 'auth_type=instance_principal'. The default auth_purpose for instance_principal is None.
auth_type
string
    Choices:
  • api_key ←
  • instance_principal
  • instance_obo_user
  • resource_principal
The type of authentication to use for making API requests. By default auth_type="api_key" based authentication is performed and the API key (see api_user_key_file) in your config file will be used. If this 'auth_type' module option is not specified, the value of the OCI_ANSIBLE_AUTH_TYPE, if any, is used. Use auth_type="instance_principal" to use instance principal based authentication when running ansible playbooks within an OCI compute instance.
cert_bundle
string
The full path to a CA certificate bundle to be used for SSL verification. This will override the default CA certificate bundle. If not set, then the value of the OCI_ANSIBLE_CERT_BUNDLE variable, if any, is used.
client_address
list / elements=string
Filters logs by client IP address.
config_file_location
string
Path to configuration file. If not set then the value of the OCI_CONFIG_FILE environment variable, if any, is used. Otherwise, defaults to ~/.oci/config.
config_profile_name
string
The profile to load from the config file referenced by config_file_location. If not set, then the value of the OCI_CONFIG_PROFILE environment variable, if any, is used. Otherwise, defaults to the "DEFAULT" profile in config_file_location.
country_code
list / elements=string
Filters logs by country code. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website.
country_name
list / elements=string
Filter logs by country name.
fingerprint
list / elements=string
Filter logs by device fingerprint.
http_method
list / elements=string
    Choices:
  • OPTIONS
  • GET
  • HEAD
  • POST
  • PUT
  • DELETE
  • TRACE
  • CONNECT
Filter logs by HTTP method.
incident_key
list / elements=string
Filter logs by incident key.
log_type
list / elements=string
    Choices:
  • ACCESS
  • PROTECTION_RULES
  • JS_CHALLENGE
  • CAPTCHA
  • ACCESS_RULES
  • THREAT_FEEDS
  • HUMAN_INTERACTION_CHALLENGE
  • DEVICE_FINGERPRINT_CHALLENGE
  • ADDRESS_RATE_LIMITING
Filter by log type. For more information about WAF logs, see Logs.
origin_address
list / elements=string
Filter by origin IP address.
protection_rule_key
list / elements=string
Filter by protection rule key.
referrer
list / elements=string
Filter by referrer.
region
string
The Oracle Cloud Infrastructure region to use for all OCI API requests. If not set, then the value of the OCI_REGION variable, if any, is used. This option is required if the region is not specified through a configuration file (See config_file_location). Please refer to https://docs.us-phoenix-1.oraclecloud.com/Content/General/Concepts/regions.htm for more information on OCI regions.
request_url
list / elements=string
Filter by request URL.
response_code
list / elements=integer
Filter by response code.
tenancy
string
OCID of your tenancy. If not set, then the value of the OCI_TENANCY variable, if any, is used. This option is required if the tenancy OCID is not specified through a configuration file (See config_file_location). To get the tenancy OCID, please refer https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm
text_contains
string
A full text search for logs.
threat_feed_key
list / elements=string
Filter by threat feed key.
time_observed_greater_than_or_equal_to
string
A filter that matches log entries where the observed event occurred on or after a date and time specified in RFC 3339 format. If unspecified, defaults to two hours before receipt of the request.
time_observed_less_than
string
A filter that matches log entries where the observed event occurred before a date and time, specified in RFC 3339 format.
user_agent
list / elements=string
Filter by user agent.
waas_policy_id
string / required
The OCID of the WAAS policy.

Examples

- name: List waf_logs
  oci_waas_waf_log_facts:
    # required
    waas_policy_id: "ocid1.waaspolicy.oc1..xxxxxxEXAMPLExxxxxx"

    # optional
    time_observed_greater_than_or_equal_to: 2013-10-20T19:20:30+01:00
    time_observed_less_than: 2013-10-20T19:20:30+01:00
    text_contains: text_contains_example
    access_rule_key: [ "access_rule_key_example" ]
    action: [ "BLOCK" ]
    client_address: [ "client_address_example" ]
    country_code: [ "country_code_example" ]
    country_name: [ "country_name_example" ]
    fingerprint: [ "fingerprint_example" ]
    http_method: [ "OPTIONS" ]
    incident_key: [ "incident_key_example" ]
    log_type: [ "ACCESS" ]
    origin_address: [ "origin_address_example" ]
    referrer: [ "referrer_example" ]
    request_url: [ "request_url_example" ]
    response_code: [ "56" ]
    threat_feed_key: [ "threat_feed_key_example" ]
    user_agent: [ "user_agent_example" ]
    protection_rule_key: [ "protection_rule_key_example" ]

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
waf_logs
complex
on success
List of WafLog resources

Sample:
[{'access_rule_key': 'access_rule_key_example', 'action': 'action_example', 'address_rate_limiting_key': 'address_rate_limiting_key_example', 'captcha_action': 'captcha_action_example', 'captcha_expected': 'captcha_expected_example', 'captcha_fail_count': 'captcha_fail_count_example', 'captcha_received': 'captcha_received_example', 'client_address': 'client_address_example', 'country_code': 'country_code_example', 'country_name': 'country_name_example', 'device': 'device_example', 'domain': 'domain_example', 'fingerprint': 'fingerprint_example', 'http_headers': {}, 'http_method': 'http_method_example', 'incident_key': 'incident_key_example', 'log_type': 'log_type_example', 'origin_address': 'origin_address_example', 'origin_response_time': 'origin_response_time_example', 'protection_rule_detections': {}, 'referrer': 'referrer_example', 'request_headers': {}, 'request_url': 'request_url_example', 'response_code': 56, 'response_size': 56, 'threat_feed_key': 'threat_feed_key_example', 'timestamp': '2013-10-20T19:20:30+01:00', 'user_agent': 'user_agent_example'}]
 
access_rule_key
string
on success
The `AccessRule` key that matched the request. For more information about access rules, see `UpdateAccessRules`.

Sample:
access_rule_key_example
 
action
string
on success
The action taken on the request, either `ALLOW`, `DETECT`, or `BLOCK`.

Sample:
action_example
 
address_rate_limiting_key
string
on success
The `AddressRateLimiting` key that matched the request. For more information about address rate limiting, see `UpdateWafAddressRateLimiting`.

Sample:
address_rate_limiting_key_example
 
captcha_action
string
on success
The CAPTCHA action taken on the request, `ALLOW` or `BLOCK`. For more information about CAPTCHAs, see `UpdateCaptchas`.

Sample:
captcha_action_example
 
captcha_expected
string
on success
The CAPTCHA challenge answer that was expected.

Sample:
captcha_expected_example
 
captcha_fail_count
string
on success
The number of times the CAPTCHA challenge was failed.

Sample:
captcha_fail_count_example
 
captcha_received
string
on success
The CAPTCHA challenge answer that was received.

Sample:
captcha_received_example
 
client_address
string
on success
The IPv4 address of the requesting client.

Sample:
client_address_example
 
country_code
string
on success
ISO 3166-1 alpha-2 code of the country from which the request originated. For a list of codes, see ISO's website.

Sample:
country_code_example
 
country_name
string
on success
The name of the country where the request originated.

Sample:
country_name_example
 
device
string
on success
The type of device that the request was made from.

Sample:
device_example
 
domain
string
on success
The `Host` header data of the request.

Sample:
domain_example
 
fingerprint
string
on success
The hashed signature of the device's fingerprint. For more information, see `DeviceFingerPrintChallenge`.

Sample:
fingerprint_example
 
http_headers
dictionary
on success
The map of the request's header names to their respective values.

 
http_method
string
on success
The HTTP method of the request.

Sample:
http_method_example
 
incident_key
string
on success
The incident key of a request. An incident key is generated for each request processed by the Web Application Firewall and is used to idenitfy blocked requests in applicable logs.

Sample:
incident_key_example
 
log_type
string
on success
The type of log of the request. For more about log types, see Logs.

Sample:
log_type_example
 
origin_address
string
on success
The address of the origin server where the request was sent.

Sample:
origin_address_example
 
origin_response_time
string
on success
The amount of time it took the origin server to respond to the request, in seconds.

Sample:
origin_response_time_example
 
protection_rule_detections
dictionary
on success
A map of protection rule keys to detection message details. Detections are requests that matched the criteria of a protection rule but the rule's action was set to `DETECT`.

 
referrer
string
on success
The `Referrer` header value of the request.

Sample:
referrer_example
 
request_headers
dictionary
on success
A map of header names to values of the request sent to the origin, including any headers appended by the Web Application Firewall.

 
request_url
string
on success
The path and query string of the request.

Sample:
request_url_example
 
response_code
integer
on success
The status code of the response.

Sample:
56
 
response_size
integer
on success
The size in bytes of the response.

Sample:
56
 
threat_feed_key
string
on success
The `ThreatFeed` key that matched the request. For more information about threat feeds, see `UpdateThreatFeeds`.

Sample:
threat_feed_key_example
 
timestamp
string
on success
The date and time the Web Application Firewall processed the request and logged it.

Sample:
2013-10-20T19:20:30+01:00
 
user_agent
string
on success
The value of the request's `User-Agent` header field.

Sample:
user_agent_example


Authors

  • Oracle (@oracle)