Table of Contents | ||||||
---|---|---|---|---|---|---|
|
Overview
Radware's Cloud WAF Service is a web application firewall that provides continuous adaptive web application security protection and full coverage.
Devo collector features
Feature | Details |
---|---|
Allow parallel downloading ( |
|
Running environments |
|
Populated Devo events |
|
Flattening preprocessing |
|
Allowed source events obfuscation |
|
Requires IP whitelisting |
|
Data sources
Data source | Description | API endpoint | Collector service name | Devo table | Available from release |
Get User Activity Log List | Customers can monitor changes in their Cloud WAF applications using the Activity log. Any change in the configuration is logged in the Activity Log, including the time and the user that performed the change. |
|
|
| v1.0.0 |
Get Security Events List | Security events are the events reported by WAF when an attack is detected. This allows user visibility to the protected traffic, refinement of false positives, and detailed explanations of security attacks. |
|
|
| v1.0.0 |
For more information on how the events are parsed, visit our page.
Flattening preprocessing
Data source | Collector service | Optional | Flattening details |
---|---|---|---|
Get User Activity Log List |
| yes | not required |
Get Security Events List |
| yes | not required |
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.
Info |
---|
This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details. |
Setting | Details |
---|---|
username | The username for the Radware API. To find out how to get it, see the Vendor Setup guide. |
password | The password for the Radware API. To find out how to get it, see the Vendor Setup guide. |
Info |
---|
See the Accepted authentication methods section to verify what settings are required based on the desired authentication method. |
Accepted authentication methods
Authentication method | username | password | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
token |
|
|
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
Rw ui tabs macro | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
We use a piece of software called Collector Server to host and manage all our available collectors. To enable the collector for a customer:
Editing the JSON configuration
Replace the placeholders with your required values following the description table below:
This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running. StructureThe following directory structure should be created for being used when running the collector:
Devo credentialsIn Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in
Editing the config.yaml file
Replace the placeholders with your required values following the description table below:
Download the Docker imageThe collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:
Use the following command to add the Docker image to the system:
The Docker image can be deployed on the following services: DockerExecute the following command on the root directory
Docker ComposeThe following Docker Compose file can be used to execute the Docker container. It must be created in the
To run the container using docker-compose, execute the following command from the
|
Collector services detail
This section is intended to explain how to proceed with specific actions for services.
Expand | |||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||||||||||||||||||||||||||||||||||||
Internal process and deduplication methodData is collected by setting a start date and by pagination. To eliminate duplicates, the date of the last event sent to Devo and the ids of events with the same date are stored. Devo categorization and destinationAll events of this service are ingested into the table
Setup outputA successful run has the following output messages for the setup module:
Puller outputA successful initial run has the following output messages for the puller module:
After a successful collector’s execution (that is, no error logs found), you will see the following log message:
Restart the persistenceThis collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:
The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.
TroubleshootingThis collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.
|
Expand | |||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||||||||||||||||||||||||||||||||||||
Internal process and deduplication methodData is collected by setting a start date and by pagination. To eliminate duplicates, the date of the last event sent to Devo and the ids of events with the same date are stored. Devo categorization and destinationAll events of this service are ingested into the table
Setup outputA successful run has the following output messages for the setup module:
Puller outputA successful initial run has the following output messages for the puller module:
After a successful collector’s execution (that is, no error logs found), you will see the following log message:
Restart the persistenceThis collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:
The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.
TroubleshootingThis collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.
|
Collector operations
This section is intended to explain how to proceed with specific operations of this collector.
Expand | ||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||
InitializationThe initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration. A successful run has the following output messages for the initializer module:
Events delivery and Devo ingestionThe event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method. A successful run has the following output messages for the initializer module:
Sender servicesThe Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (
Sender statisticsEach service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:
|
Expand | ||||
---|---|---|---|---|
| ||||
To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.
|
Change log
Release | Released on | Release type | Details | Recommendations | ||||||
---|---|---|---|---|---|---|---|---|---|---|
|
|
|
|