oracle.oci.oci_waas_waf_log_facts – Fetches details about one or multiple WafLog resources in Oracle Cloud Infrastructure¶
Note
This plugin is part of the oracle.oci collection (version 5.2.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install oracle.oci
.
To use it in a playbook, specify: oracle.oci.oci_waas_waf_log_facts
.
New in version 2.9.0: of oracle.oci
Synopsis¶
Fetches details about one or multiple WafLog resources in Oracle Cloud Infrastructure
Gets structured Web Application Firewall event logs for a WAAS policy. Sorted by the timeObserved in ascending order (starting from the oldest recorded event).
Requirements¶
The below requirements are needed on the host that executes this module.
python >= 3.6
Python SDK for Oracle Cloud Infrastructure https://oracle-cloud-infrastructure-python-sdk.readthedocs.io
Parameters¶
Parameter | Choices/Defaults | Comments |
---|---|---|
access_rule_key
list
/ elements=string
|
Filters logs by access rule key.
|
|
action
list
/ elements=string
|
|
Filters logs by Web Application Firewall action.
|
api_user
string
|
The OCID of the user, on whose behalf, OCI APIs are invoked. If not set, then the value of the OCI_USER_ID environment variable, if any, is used. This option is required if the user is not specified through a configuration file (See
config_file_location ). To get the user's OCID, please refer https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm. |
|
api_user_fingerprint
string
|
Fingerprint for the key pair being used. If not set, then the value of the OCI_USER_FINGERPRINT environment variable, if any, is used. This option is required if the key fingerprint is not specified through a configuration file (See
config_file_location ). To get the key pair's fingerprint value please refer https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm. |
|
api_user_key_file
string
|
Full path and filename of the private key (in PEM format). If not set, then the value of the OCI_USER_KEY_FILE variable, if any, is used. This option is required if the private key is not specified through a configuration file (See
config_file_location ). If the key is encrypted with a pass-phrase, the api_user_key_pass_phrase option must also be provided. |
|
api_user_key_pass_phrase
string
|
Passphrase used by the key referenced in
api_user_key_file , if it is encrypted. If not set, then the value of the OCI_USER_KEY_PASS_PHRASE variable, if any, is used. This option is required if the key passphrase is not specified through a configuration file (See config_file_location ). |
|
auth_purpose
string
|
|
The auth purpose which can be used in conjunction with 'auth_type=instance_principal'. The default auth_purpose for instance_principal is None.
|
auth_type
string
|
|
The type of authentication to use for making API requests. By default
auth_type="api_key" based authentication is performed and the API key (see api_user_key_file) in your config file will be used. If this 'auth_type' module option is not specified, the value of the OCI_ANSIBLE_AUTH_TYPE, if any, is used. Use auth_type="instance_principal" to use instance principal based authentication when running ansible playbooks within an OCI compute instance. |
cert_bundle
string
|
The full path to a CA certificate bundle to be used for SSL verification. This will override the default CA certificate bundle. If not set, then the value of the OCI_ANSIBLE_CERT_BUNDLE variable, if any, is used.
|
|
client_address
list
/ elements=string
|
Filters logs by client IP address.
|
|
config_file_location
string
|
Path to configuration file. If not set then the value of the OCI_CONFIG_FILE environment variable, if any, is used. Otherwise, defaults to ~/.oci/config.
|
|
config_profile_name
string
|
The profile to load from the config file referenced by
config_file_location . If not set, then the value of the OCI_CONFIG_PROFILE environment variable, if any, is used. Otherwise, defaults to the "DEFAULT" profile in config_file_location . |
|
country_code
list
/ elements=string
|
Filters logs by country code. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website.
|
|
country_name
list
/ elements=string
|
Filter logs by country name.
|
|
fingerprint
list
/ elements=string
|
Filter logs by device fingerprint.
|
|
http_method
list
/ elements=string
|
|
Filter logs by HTTP method.
|
incident_key
list
/ elements=string
|
Filter logs by incident key.
|
|
log_type
list
/ elements=string
|
|
Filter by log type. For more information about WAF logs, see Logs.
|
origin_address
list
/ elements=string
|
Filter by origin IP address.
|
|
protection_rule_key
list
/ elements=string
|
Filter by protection rule key.
|
|
realm_specific_endpoint_template_enabled
boolean
|
|
Enable/Disable realm specific endpoint template for service client. By Default, realm specific endpoint template is disabled. If not set, then the value of the OCI_REALM_SPECIFIC_SERVICE_ENDPOINT_TEMPLATE_ENABLED variable, if any, is used.
|
referrer
list
/ elements=string
|
Filter by referrer.
|
|
region
string
|
The Oracle Cloud Infrastructure region to use for all OCI API requests. If not set, then the value of the OCI_REGION variable, if any, is used. This option is required if the region is not specified through a configuration file (See
config_file_location ). Please refer to https://docs.us-phoenix-1.oraclecloud.com/Content/General/Concepts/regions.htm for more information on OCI regions. |
|
request_url
list
/ elements=string
|
Filter by request URL.
|
|
response_code
list
/ elements=integer
|
Filter by response code.
|
|
tenancy
string
|
OCID of your tenancy. If not set, then the value of the OCI_TENANCY variable, if any, is used. This option is required if the tenancy OCID is not specified through a configuration file (See
config_file_location ). To get the tenancy OCID, please refer https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm |
|
text_contains
string
|
A full text search for logs.
|
|
threat_feed_key
list
/ elements=string
|
Filter by threat feed key.
|
|
time_observed_greater_than_or_equal_to
string
|
A filter that matches log entries where the observed event occurred on or after a date and time specified in RFC 3339 format. If unspecified, defaults to two hours before receipt of the request.
|
|
time_observed_less_than
string
|
A filter that matches log entries where the observed event occurred before a date and time, specified in RFC 3339 format.
|
|
user_agent
list
/ elements=string
|
Filter by user agent.
|
|
waas_policy_id
string
/ required
|
The OCID of the WAAS policy.
|
Notes¶
Note
For OCI python sdk configuration, please refer to https://oracle-cloud-infrastructure-python-sdk.readthedocs.io/en/latest/configuration.html
Examples¶
- name: List waf_logs
oci_waas_waf_log_facts:
# required
waas_policy_id: "ocid1.waaspolicy.oc1..xxxxxxEXAMPLExxxxxx"
# optional
time_observed_greater_than_or_equal_to: 2013-10-20T19:20:30+01:00
time_observed_less_than: 2013-10-20T19:20:30+01:00
text_contains: text_contains_example
access_rule_key: [ "access_rule_key_example" ]
action: [ "BLOCK" ]
client_address: [ "client_address_example" ]
country_code: [ "country_code_example" ]
country_name: [ "country_name_example" ]
fingerprint: [ "fingerprint_example" ]
http_method: [ "OPTIONS" ]
incident_key: [ "incident_key_example" ]
log_type: [ "ACCESS" ]
origin_address: [ "origin_address_example" ]
referrer: [ "referrer_example" ]
request_url: [ "request_url_example" ]
response_code: [ "56" ]
threat_feed_key: [ "threat_feed_key_example" ]
user_agent: [ "user_agent_example" ]
protection_rule_key: [ "protection_rule_key_example" ]
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description | |
---|---|---|---|
waf_logs
complex
|
on success |
List of WafLog resources
Sample:
[{'access_rule_key': 'access_rule_key_example', 'action': 'action_example', 'address_rate_limiting_key': 'address_rate_limiting_key_example', 'captcha_action': 'captcha_action_example', 'captcha_expected': 'captcha_expected_example', 'captcha_fail_count': 'captcha_fail_count_example', 'captcha_received': 'captcha_received_example', 'client_address': 'client_address_example', 'country_code': 'country_code_example', 'country_name': 'country_name_example', 'device': 'device_example', 'domain': 'domain_example', 'fingerprint': 'fingerprint_example', 'http_headers': {}, 'http_method': 'http_method_example', 'incident_key': 'incident_key_example', 'log_type': 'log_type_example', 'origin_address': 'origin_address_example', 'origin_response_time': 'origin_response_time_example', 'protection_rule_detections': {}, 'referrer': 'referrer_example', 'request_headers': {}, 'request_url': 'request_url_example', 'response_code': 56, 'response_size': 56, 'threat_feed_key': 'threat_feed_key_example', 'timestamp': '2013-10-20T19:20:30+01:00', 'user_agent': 'user_agent_example'}]
|
|
access_rule_key
string
|
on success |
The `AccessRule` key that matched the request. For more information about access rules, see `UpdateAccessRules`.
Sample:
access_rule_key_example
|
|
action
string
|
on success |
The action taken on the request, either `ALLOW`, `DETECT`, or `BLOCK`.
Sample:
action_example
|
|
address_rate_limiting_key
string
|
on success |
The `AddressRateLimiting` key that matched the request. For more information about address rate limiting, see `UpdateWafAddressRateLimiting`.
Sample:
address_rate_limiting_key_example
|
|
captcha_action
string
|
on success |
The CAPTCHA action taken on the request, `ALLOW` or `BLOCK`. For more information about CAPTCHAs, see `UpdateCaptchas`.
Sample:
captcha_action_example
|
|
captcha_expected
string
|
on success |
The CAPTCHA challenge answer that was expected.
Sample:
captcha_expected_example
|
|
captcha_fail_count
string
|
on success |
The number of times the CAPTCHA challenge was failed.
Sample:
captcha_fail_count_example
|
|
captcha_received
string
|
on success |
The CAPTCHA challenge answer that was received.
Sample:
captcha_received_example
|
|
client_address
string
|
on success |
The IPv4 address of the requesting client.
Sample:
client_address_example
|
|
country_code
string
|
on success |
ISO 3166-1 alpha-2 code of the country from which the request originated. For a list of codes, see ISO's website.
Sample:
country_code_example
|
|
country_name
string
|
on success |
The name of the country where the request originated.
Sample:
country_name_example
|
|
device
string
|
on success |
The type of device that the request was made from.
Sample:
device_example
|
|
domain
string
|
on success |
The `Host` header data of the request.
Sample:
domain_example
|
|
fingerprint
string
|
on success |
The hashed signature of the device's fingerprint. For more information, see `DeviceFingerPrintChallenge`.
Sample:
fingerprint_example
|
|
http_headers
dictionary
|
on success |
The map of the request's header names to their respective values.
|
|
http_method
string
|
on success |
The HTTP method of the request.
Sample:
http_method_example
|
|
incident_key
string
|
on success |
The incident key of a request. An incident key is generated for each request processed by the Web Application Firewall and is used to idenitfy blocked requests in applicable logs.
Sample:
incident_key_example
|
|
log_type
string
|
on success |
The type of log of the request. For more about log types, see Logs.
Sample:
log_type_example
|
|
origin_address
string
|
on success |
The address of the origin server where the request was sent.
Sample:
origin_address_example
|
|
origin_response_time
string
|
on success |
The amount of time it took the origin server to respond to the request, in seconds.
Sample:
origin_response_time_example
|
|
protection_rule_detections
dictionary
|
on success |
A map of protection rule keys to detection message details. Detections are requests that matched the criteria of a protection rule but the rule's action was set to `DETECT`.
|
|
referrer
string
|
on success |
The `Referrer` header value of the request.
Sample:
referrer_example
|
|
request_headers
dictionary
|
on success |
A map of header names to values of the request sent to the origin, including any headers appended by the Web Application Firewall.
|
|
request_url
string
|
on success |
The path and query string of the request.
Sample:
request_url_example
|
|
response_code
integer
|
on success |
The status code of the response.
Sample:
56
|
|
response_size
integer
|
on success |
The size in bytes of the response.
Sample:
56
|
|
threat_feed_key
string
|
on success |
The `ThreatFeed` key that matched the request. For more information about threat feeds, see `UpdateThreatFeeds`.
Sample:
threat_feed_key_example
|
|
timestamp
string
|
on success |
The date and time the Web Application Firewall processed the request and logged it.
Sample:
2013-10-20T19:20:30+01:00
|
|
user_agent
string
|
on success |
The value of the request's `User-Agent` header field.
Sample:
user_agent_example
|
Authors¶
Oracle (@oracle)