Attacks are not uploaded to the Wallarm Cloud
If you suspect that attacks from the traffic are not uploaded to the Wallarm Cloud and, as a result, do not appear in the Wallarm Console UI, use this article to debug the issue.
To debug the problem, sequentially perform the following steps:
- Generate some malicious traffic to perform further debugging.
- Check the filtering node operation mode.
- Capture logs and share them with the Wallarm support team.
1. Generate some malicious traffic
To perform further debugging of the Wallarm modules:
- Send the following malicious traffic:

    for i in `seq 100`; do curl "http://<FILTERING_NODE_IP>/?wallarm_test_xxxx=union+select+$i"; sleep 1; done

  Replace <FILTERING_NODE_IP> with the IP of the filtering node you want to check. If required, add the Host: header to the command.
- Wait up to 2 minutes for the attacks to appear in Wallarm Console → Attacks. If all 100 requests appear, the filtering node operates OK.
- Connect to the server with the installed filtering node and get node metrics:

  Further steps refer to the wallarm-status output.
2. Check the filtering node operation mode
Check the filtering node operation mode as follows:
- Make sure that the filtering node mode is different from off. The node does not process incoming traffic in the off mode.

  The off mode is a common reason for the wallarm-status metrics not to increase.
- If the node is NGINX-based, restart NGINX to be sure that settings have been applied:
- Generate malicious traffic once again to be sure that attacks are still not uploaded to the Cloud.
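
The counter check behind steps 1 and 2, as an added example that is not part of the Wallarm documentation: it compares two saved wallarm-status snapshots taken before and after the test loop. It assumes the output is JSON with integer requests and attacks counters; the snapshots are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: wallarm-status output is JSON that contains
# integer "requests" and "attacks" counters. Function names are hypothetical.

# counter NAME JSON: print the integer value of "NAME", or nothing if absent.
counter() {
    printf '%s' "$2" | tr -d ' \t\n' |
        sed -n "s/.*\"$1\":\([0-9][0-9]*\).*/\1/p"
}

# diagnose BEFORE AFTER SENT: classify the change between two snapshots,
# where SENT is the number of test requests sent in step 1.
diagnose() {
    r0=$(counter requests "$1"); r1=$(counter requests "$2")
    a0=$(counter attacks "$1");  a1=$(counter attacks "$2")
    if [ -z "$r0" ] || [ -z "$r1" ] || [ -z "$a0" ] || [ -z "$a1" ]; then
        echo "unparsable"; return 0
    fi
    dr=$((r1 - r0)); da=$((a1 - a0))
    if [ "$dr" -lt 0 ] || [ "$da" -lt 0 ]; then
        echo "not-comparable"         # counters went down: take new snapshots
    elif [ "$dr" -eq 0 ]; then
        echo "metrics-not-increasing" # check that the mode is not off (step 2)
    elif [ "$da" -eq 0 ]; then
        echo "requests-only"          # traffic counted, no attacks registered
    elif [ "$da" -lt "$3" ]; then
        echo "partial:$da/$3"         # only some test requests were counted
    else
        echo "counted-by-node"        # node saw them: continue with step 3
    fi
}

# Constructed snapshots, not real node output.
BEFORE='{ "requests":1200, "attacks":40 }'
AFTER_STUCK='{ "requests":1200, "attacks":40 }'
AFTER_PARTIAL='{ "requests":1300, "attacks":100 }'
AFTER_OK='{ "requests":1300, "attacks":140 }'

for snap in "$AFTER_STUCK" "$AFTER_PARTIAL" "$AFTER_OK"; do
    diagnose "$BEFORE" "$snap" 100
done
```

Other traffic reaching the node between the two snapshots also raises the counters, so treat the result as a lower bound check rather than an exact count.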
3. Capture logs and share them with the Wallarm support team
If the steps above do not help to resolve the issue, please capture the node logs and share them with the Wallarm support team as follows:
- Connect to the server with the installed Wallarm node.
- Get the wallarm-status output as follows:

  Copy the output.
- Run the Wallarm diagnostic script:

  Get the generated file with logs.
- Send all collected data to the Wallarm support team for further investigation.