
More detailed event log?

New Contributor

More detailed event log?

In our event log we get this error:

 

WARNRule Zeus AFM Enforcer, xxxxSSL: Rejecting this request because the request body is too large (max size is 65536 bytes)

 

Is there any way to get the event log to display more details so that we can see the URL that is generating this error?

 

Thanks!

5 REPLIES
Occasional Contributor

Re: More detailed event log?

Hi!

 

There's no option for that in the enforcer rule itself, but of course you can knock up a quick TrafficScript rule to log any offending requests before the enforcer rule runs.  Something like this should do the trick:

 

$body_size = string.length( http.getBody() );
if( $body_size > 65536 ) {
   log.info( "Large body encountered (" . $body_size . " bytes).  URL: " . http.getRawURL() );
}

 

/Brian

New Contributor

Re: More detailed event log?

That works great!!  Thanks!!

New Contributor

Re: More detailed event log?

The rule seemed to be working great, but then I got word that some customers' requests were being dropped.

 

Is there anything in using this rule that could cause requests to be dropped?

 

The vserver is set up like this.

 

Whitelist Rule

Large Body Rule

AFM Enforcer Rule

 

Thanks,

 

Wayne

Occasional Contributor

Re: More detailed event log?

No, that rule won't drop any requests other than when the requests are bigger than the configured TrafficScript limit; if that case occurs, you would see a line in the event log.

 

There are many reasons that requests could be dropped: network timeout being reached, client (or server) closing the connection, attack being blocked by the Application Firewall…  Your best bet would be to find a reproducible dropped request and work from there.

Occasional Contributor

Re: More detailed event log?

Hi Wayne,

 

I've had a few further thoughts on this.

 

If a request body is particularly large, it'll still be entirely read in with this rule.  That would take some time, so you may be hitting network timeouts whilst the body is read.  We can modify the rule to read less and still have the same effect; we do this by reading one byte more than the maximum that we want to allow, but only one byte more:

 

$max_body_size = 65536;

$body_size = string.length( http.getBody( $max_body_size + 1 ) );
if( $body_size > $max_body_size ) {
   log.info( "Large body encountered (" . $body_size . " bytes).  URL: " . http.getRawURL() );
}

 

Does this help?

 

/Brian
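
The bounded read from the last reply, extended so that a request which declares its size is never read at all and the log line carries enough context to trace the client. This is an added example, not code posted in the thread; it assumes the declared Content-Length is an acceptable stand-in for the body size the enforcer measures, and that the rule runs before the enforcer rule as in the ordering described above.

```trafficscript
# Added example (not from the thread): log oversized requests while
# reading as little of the body as possible.
$max_body_size = 65536;   # limit quoted in the enforcer's warning

$declared = http.getHeader( "Content-Length" );
if( $declared != "" ) {
   # Size is declared up front: compare it without touching the body.
   $too_large = ( lang.toInt( $declared ) > $max_body_size );
   $detail = $declared . " bytes declared";
} else {
   # No Content-Length (for example a chunked upload): read at most
   # one byte past the limit, which is enough to know it is exceeded.
   $seen = string.length( http.getBody( $max_body_size + 1 ) );
   $too_large = ( $seen > $max_body_size );
   $detail = "over " . $max_body_size . " bytes, no Content-Length";
}

if( $too_large ) {
   # Method, URL and client address identify the offending request.
   log.info( "Large body encountered (" . $detail . ").  " .
             http.getMethod() . " " . http.getRawURL() .
             " from " . request.getRemoteIP() );
}
```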