How to Configure Local Logging for an On-Prem Next-Gen WAF Agent
Brooks Cunningham, Fastly Enterprise Solution Architects · 2026-05-22 · via Fastly Blog

Do you have a Fastly NGWAF (Next-Gen WAF) Agent deployed on-prem? And do you want to capture and inspect WAF logs locally? Of course you do! Local logging is incredibly helpful for debugging, analyzing traffic, and verifying your security rules before pushing them to production.

Let’s go over how to configure logging for an on-prem agent deployment and walk through a minimal example to see it working in real time.

Configuring Local Logging for Fastly's Next-Gen WAF

To tell the NGWAF Agent to write request data to a file, you need to configure the waf-data-log setting. (The full official documentation for this setting is in the Fastly Next-Gen WAF Agent Config Docs.)

For containerized deployments, we can achieve this easily using environment variables:

  • SIGSCI_WAF_DATA_LOG: Specifies the file path inside the container where logs will be written.

  • SIGSCI_WAF_DATA_LOG_ALL: When set to true, tells the agent to log all requests (both benign and malicious). If false or omitted, it usually only logs requests with a signal.

Minimal Docker Example for Local Logging

To make testing easy, we will use a Makefile to start the NGWAF agent with all the necessary configurations in a Docker container.

Prerequisites: This setup assumes you have a functional container environment (like Docker Desktop or Colima) and the Docker CLI installed. You will also need your NGWAF access keys exported as environment variables (NGWAFACCESSKEYID and NGWAFACCESSKEYSECRET).

Create a file named Makefile and paste the following:

DOCKERNAME?=localfastlyngwaf

.PHONY: runexeclogs clean rerunexeclogs

# Start the agent as a reverse proxy with the WAF data log enabled,
# then stream the log file from the container to this terminal.
runexeclogs:
	@docker run -d --publish 8888:8888 --publish 9999:9999 --name $(DOCKERNAME) \
		--env SIGSCI_ACCESSKEYID=${NGWAFACCESSKEYID} \
		--env SIGSCI_SECRETACCESSKEY=${NGWAFACCESSKEYSECRET} \
		--env SIGSCI_WAF_DATA_LOG="/sigsci/waf_data_log.log" \
		--env SIGSCI_WAF_DATA_LOG_ALL=true \
		--env SIGSCI_REVPROXY_LISTENER="app1:{listener=http://0.0.0.0:8888,upstreams=https://http-me.edgecompute.app:443/,pass-host-header=false}; app2:{listener=http://0.0.0.0:9999, upstreams=https://http.edgecompute.app/,pass-host-header=false}" \
		--add-host=host.docker.internal:host-gateway \
		signalsciences/sigsci-agent
	@bash -c '\
		trap "echo '\''Cleaning up...'\''; kill 0" SIGINT SIGTERM EXIT; \
		nc -lk 5555 & \
		sleep 2; \
		docker exec -i $(DOCKERNAME) /bin/sh -c "tail -F /sigsci/waf_data_log.log | nc host.docker.internal 5555" & \
		wait \
	'

# Stop and remove the container; the leading "-" ignores errors if it is not running.
clean:
	-docker kill $(DOCKERNAME)
	-docker rm $(DOCKERNAME)

# Recreate the container from scratch and start tailing again.
rerunexeclogs:
	$(MAKE) clean
	$(MAKE) runexeclogs

What is happening in this Makefile?

  1. The Docker Run Command: We spin up the signalsciences/sigsci-agent container. We pass in our auth keys, enable the WAF data log via environment variables, and configure a reverse proxy (SIGSCI_REVPROXY_LISTENER) to listen on ports 8888 and 9999.

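  2. The Bash Script (Log Tailing): Because the logs are written inside the container, the bash script sets up a clever pipeline. It starts a local netcat listener (nc -lk 5555) on your host machine. Then, it runs tail -F inside the container to grab the logs as they are written and pipes them over the network back to your host machine. This means you see the logs in your terminal instantly! Keep in mind that nc -lk 5555 accepts unauthenticated connections and is not restricted to the loopback interface, and that the log carries full request headers and matched values, so use this pipeline on a development machine only.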

Testing the Deployment

Step 1: Start the NGWAF agent with log tailing by running the runexeclogs target from the Makefile in your terminal:

make runexeclogs

Step 2: Open a new terminal window. We are going to simulate an attack by sending an HTTP request containing a classic Directory Traversal payload (../../../etc/passwd).

curl "http://0.0.0.0:8888/anything/why_do_pirates_like_urls?because_of_the_args=../../../etc/passwd"

Analyzing the Log Output

If everything is configured correctly, look back at the terminal where you ran the make command. You should see a new JSON log line appear. It will look similar to this:

{
  "Version": "1",
  "Timestamp": "2026-04-15T21:24:50Z",
  "Method": "GET",
  "Path": "/anything/why_do_pirate_like_urls",
  "Protocol": "HTTP/1.1",
  "RemoteAddr": "172.17.0.1",
  "RequestIDStr": "69e002226563ecc3deaaa7b4",
  "RequestHeaders": [
    {
      "Name": "Host",
      "Value": "0.0.0.0:8888"
    },
    {
      "Name": "User-Agent",
      "Value": "curl/8.19.0"
    },
    {
      "Name": "Accept",
      "Value": "*/*"
    }
  ],
  "ResponseCode": 200,
  "ResponseHeaders": [
    {
      "Name": "X-Served-By",
      "Value": "cache-dfw-kdal2120020-DFW"
    },
    {
      "Name": "Date",
      "Value": "Wed, 15 Apr 2026 21:24:49 GMT"
    },
    {
      "Name": "Vary",
      "Value": "accept-encoding"
    },
    {
      "Name": "Accept-Ranges",
      "Value": "none"
    },
    {
      "Name": "Content-Type",
      "Value": "application/json"
    },
    {
      "Name": "Access-Control-Allow-Origin",
      "Value": "*"
    }
  ],
  "ResponseMillis": 30,
  "ResponseSize": 616,
  "Scheme": "http",
  "ServerHostname": "6827bddcb511",
  "ServerName": "0.0.0.0:8888",
  "Signals": [
    {
      "Type": "TRAVERSAL",
      "Location": "QUERYSTRING",
      "Name": "because_of_the_args",
      "Value": "because_of_the_args=../../../etc/passwd",
      "Detector": "DIR1V5",
      "Redaction": "none"
    },
    {
      "Type": "SUSPECTED-BAD-BOT",
      "Location": "REQUEST",
      "Name": "",
      "Value": "👾; Malicious Probe",
      "Detector": "BOTS",
      "Redaction": "none"
    },
    {
      "Type": "corp.system-attack",
      "Location": "",
      "Name": "",
      "Value": "",
      "Detector": "660ff11f66dd7b84d6e5895f",
      "Redaction": "none",
      "Attrs": {
        "overrideExcludeFromAlerting": "true"
      }
    }
  ],
  "TLSCipher": "",
  "TLSProtocol": "",
  "URI": "/anything/why_do_pirate_like_urls",
  "UserAgent": "curl/8.19.0",
  "WAFResponse": 200
}
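
To review more than a handful of requests, the log can be summarized with a short script. The following is an added example, not part of the original post or of Fastly's tooling; it assumes the agent writes one JSON object per line (the entry above is pretty-printed for readability) and uses only the field names visible in that entry. The function names and the sample lines are constructed for illustration.

```python
import json
import sys
from collections import Counter

# Constructed sample: two entries trimmed to the fields used below and modelled
# on the output shown above, plus the non-JSON "Cleaning up..." line that the
# Makefile's trap prints into the same terminal.
SAMPLE = [
    '{"Timestamp":"2026-04-15T21:24:50Z","Method":"GET","Path":"/anything/a",'
    '"WAFResponse":200,"Signals":[{"Type":"TRAVERSAL","Location":"QUERYSTRING",'
    '"Name":"because_of_the_args","Detector":"DIR1V5"},'
    '{"Type":"SUSPECTED-BAD-BOT","Location":"REQUEST","Name":"","Detector":"BOTS"}]}',
    '{"Timestamp":"2026-04-15T21:25:02Z","Method":"GET","Path":"/status/200",'
    '"WAFResponse":200,"Signals":[]}',
    "Cleaning up...",
]

def parse_entries(lines):
    """Yield one dict per well-formed JSON object line; skip everything else."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # status message or partially written line
        if isinstance(entry, dict):
            yield entry

def summarize(lines):
    """Return (requests that carry signals, number of requests per signal Type)."""
    flagged, by_type = [], Counter()
    for e in parse_entries(lines):
        signals = e.get("Signals") or []  # absent, null or empty: no signal
        if not signals:
            continue  # benign request, present because SIGSCI_WAF_DATA_LOG_ALL=true
        types = sorted({s.get("Type", "?") for s in signals})
        by_type.update(types)
        flagged.append({
            "time": e.get("Timestamp"),
            "request": f'{e.get("Method")} {e.get("Path")}',
            "waf_response": e.get("WAFResponse"),
            "types": types,
            "where": sorted({f'{s.get("Location")}:{s.get("Name")}'
                             for s in signals if s.get("Location")}),
        })
    return flagged, by_type

if __name__ == "__main__":
    # Pass a saved copy of the log as the first argument, or run on the sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for f in summarize(source)[0]:
        print(f["time"], f["request"], f["waf_response"], ",".join(f["types"]), f["where"])
```

Comparing the waf_response column against the signal types shows at a glance which signalled requests the agent still let through, which is the check you want before promoting a rule change.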

Final Thoughts on Fastly NGWAF Local Logging

By enabling local logging for your Fastly NGWAF agent, you gain real-time visibility into requests, detected threats, and rule behavior before changes reach production. Whether you're troubleshooting false positives or validating attack detection, local logs are an invaluable tool for improving security confidence and operational insight.

Ready to take your NGWAF deployment further? Start experimenting with custom rules, signal tuning, and automated log analysis to build a more resilient application security workflow.