feat: add configure-log-profiles

content/nim/waf-integration/policies-and-logs/log-profiles/compile-log-profile.md

@@ -0,0 +1,140 @@
+---
+nd-content-type: how-to
+nd-docs: DOCS-000
+nd-product: NIMNGR
+title: Compile log profiles
+description: "Compile an F5 WAF for NGINX security log profile into a deployment bundle using the NGINX Instance Manager REST API."
+weight: 300
+toc: true
+nd-keywords: "compile log profile, security log profile, WAF, NGINX Instance Manager, NIM, log profile bundle, tgz, REST API, app protect, compiler version, logprofiles, bundles"
+nd-summary: >
+  Compile an existing F5 WAF for NGINX security log profile into a bundle (.tgz) for a specific WAF compiler version using the NGINX Instance Manager REST API.
+  Compiling a log profile is required before the profile can be deployed to NGINX instances.
+  The compiled bundle includes a hash and size value that you can use to validate bundle integrity at download time.
+nd-audience: operator
+---
+
+## Overview
+
+Use this guide to compile an existing F5 WAF for NGINX security log profile into a bundle using the NGINX Instance Manager REST API. Compiling a log profile produces a compressed archive (.tgz) for a specific WAF compiler version. The bundle must be compiled before the log profile can be deployed to NGINX instances.
+
+The API response includes a hash and size for each bundle. Use these values to validate bundle integrity when downloading using the download a security log profile bundle API.
+
+---
+
+## Before you begin
+
+Before you begin, ensure you have:
+
+- **NGINX Instance Manager access**: An account with sufficient permissions to manage WAF log profiles. See [Manage roles and permissions]({{< ref "/nim/admin-guide/rbac/overview-rbac.md" >}}).
+- **An existing security log profile**: A log profile already created in NGINX Instance Manager. See [Configure log profiles]({{< ref "/nim/waf-integration/policies-and-logs/log-profiles/configure-log-profile.md" >}}).
+- **A REST API client**: A tool such as curl or [Postman](https://www.postman.com/) to send requests to the NGINX Instance Manager REST API.
+- **Authentication credentials**: A valid access token or other credentials for the NGINX Instance Manager REST API. See [API overview]({{< ref "/nim//fundamentals/api-overview.md" >}}) for supported authentication methods.
+
+---
+
+## Access the REST API
+
+The NGINX Instance Manager REST API base URL uses the following format:
+
+```text
+https://<NIM-FQDN>/api/[nim|platform]/<API_VERSION>
+```
+
+Replace `<NIM-FQDN>` with the fully qualified domain name of your NGINX Instance Manager host and `<API_VERSION>` with the target API version. All requests require authentication. For details on authentication methods, see the [API overview]({{< ref "/nim//fundamentals/api-overview.md" >}}).
+
+---
+
+## Compile a security log profile bundle
+
+Send a POST request to the Security Log Profiles API to compile one or more log profiles into bundles.
+
+| Method | Endpoint |
+|--------|----------|
+| POST | `/api/platform/v1/security/logprofiles/bundles` |
+
+### Send the request
+
+1. Prepare a JSON request body that specifies the log profile name and target compiler version for each bundle you want to compile.
+
+    You can compile multiple log profiles in a single request by adding entries to the `bundles` array.
+
+    ```json
+    {
+        "bundles": [
+            {
+                "logProfileName": "log_profile_01",
+                "compilerVersion": "5.607.0"
+            },
+            {
+                "logProfileName": "log_profile_02",
+                "compilerVersion": "5.575.0"
+            }
+        ]
+    }
+    ```
+
+    Replace `log_profile_01` and `log_profile_02` with the names of your log profiles, and replace the `compilerVersion` values with the WAF compiler versions you want to target.
+
+2. Send the POST request using curl or your preferred API client.
+
+    ```sh
+    curl -X POST https://<NIM_FQDN>/api/platform/v1/security/logprofiles/bundles \
+        -H "Authorization: Bearer <ACCESS_TOKEN>" \
+        -d @default-log-example-bundles.json
+    ```
+
+    Replace `<NIM_FQDN>` with your NGINX Instance Manager hostname and `<ACCESS_TOKEN>` with your authentication token.
+
+3. Review the JSON response to confirm that compilation has started or completed for each log profile.
+
+    ```json
+    {
+        "items": [
+            {
+                "compilationStatus": {
+                    "status": "compiling"
+                },
+                "metadata": {
+                    "compilerVersion": "5.607.0",
+                    "created": "2026-04-08T03:42:33.902171669Z",
+                    "hash": "",
+                    "logProfileName": "log_profile_01",
+                    "logProfileUid": "d974876d-0c70-4bae-b396-692023968cd2",
+                    "modified": "2026-04-08T03:42:33.902171669Z",
+                    "size": 0,
+                    "uid": "0fea39c3-5512-4a4d-83c9-32e95435fd0d"
+                }
+            },
+            {
+                "compilationStatus": {
+                    "status": "compiled"
+                },
+                "metadata": {
+                    "compilerVersion": "5.575.0",
+                    "created": "2026-04-08T03:42:30.424Z",
+                    "hash": "7b669d6b9907162ca45cc1f62e866a8c8aaee875743ab0f68c99e0afcbb1e050",
+                    "logProfileName": "log_profile_02",
+                    "logProfileUid": "858d0ee3-da6a-4b38-a151-51db36ff163d",
+                    "modified": "2026-04-08T03:42:32.379Z",
+                    "size": 1647,
+                    "uid": "63db6f0e-f82c-405c-8b88-dbadeea68190"
+                }
+            }
+        ]
+    }
+    ```
+
+    A `status` of `compiling` means the bundle is still being processed. A `status` of `compiled` means the bundle is ready. For bundles with a `compiled` status, the response includes a `hash` and `size` that you can use to validate integrity when downloading the bundle.
+
+---
+
+## References
+
+For more information, see:
+
+- [Configure log profiles]({{< ref "/nim/waf-integration/policies-and-logs/log-profiles/configure-log-profile.md" >}})
+- [Review log profiles]({{< ref "/nim/waf-integration/policies-and-logs/log-profiles/review-log-profile.md" >}})
+- [Deploy log profiles]({{< ref "/nim/waf-integration/policies-and-logs/log-profiles/deploy-log-profile.md" >}})
+- [API overview]({{< ref "/nim//fundamentals/api-overview.md" >}})
+- [Security Logs]({{< ref "/waf/logging/security-logs.md" >}})

content/nim/waf-integration/policies-and-logs/log-profiles/configure-log-profile.md

@@ -0,0 +1,170 @@
+---
+nd-content-type: how-to
+nd-docs: DOCS-000
+nd-product: NIMNGR
+title: Configure and deploy log profiles
+description: "Configure F5 WAF for NGINX security log profiles in NGINX Instance Manager, controlling request filtering, log format, size limits, and deployment to NGINX instances."
+weight: 100
+toc: true
+nd-keywords: "log profiles, WAF, NGINX Instance Manager, NIM, security logs, app protect, request logs, traffic logs, Splunk, ArcSight, syslog"
+nd-summary: >
+  Configure log profiles for F5 WAF for NGINX security logs in F5 NGINX Instance Manager.
+  Log profiles define which HTTP requests are captured, how log messages are formatted, where logs are sent, and what security event details are included.
+  Log profiles must be compiled into a bundle before deployment to NGINX instances.
+nd-audience: operator
+---
+
+## Overview
+
+Use this guide to configure log profiles for F5 WAF for NGINX security logs in F5 NGINX Instance Manager. Security logs (also called Request logs or Traffic logs) provide visibility into what F5 WAF for NGINX detects and how F5 WAF for NGINX processes traffic according to your policies. F5 WAF for NGINX uses its own logging mechanism rather than NGINX's default access logging.
+
+With log profiles, you control:
+
+- **Filtering**: Which requests are logged (all requests, requests with violations, or blocked requests only)
+- **Format**: How log messages are structured (default, custom, Splunk, ArcSight, or BIG-IQ formats)
+- **Destination**: Where logs are sent (file or syslog server)
+- **Content**: What information is included in each log message (request details, violations, attack signatures, and more)
+- **Size limits**: Maximum sizes for log messages and request data
+
+For detailed information about security logging capabilities and available log attributes, see [Security Logs]({{< ref "/waf/logging/security-logs.md" >}}) and [Security logs examples]({{< ref "/waf/logging/security-logs.md#examples" >}}).
+
+---
+
+## Before you begin
+
+Before you begin, ensure you have:
+
+- **F5 NGINX Instance Manager access**: An account with sufficient permissions to create and manage WAF log profiles. See [Manage roles and permissions]({{< ref "/nim/admin-guide/rbac/overview-rbac.md" >}}).
+- **F5 WAF for NGINX license**: A valid license with WAF capabilities enabled on your NGINX Instance Manager deployment.
+- **NGINX instances**: One or more NGINX instances registered in NGINX Instance Manager that you intend to deploy the log profile to.
+
+---
+
+## Add a log profile
+
+1. In NGINX Instance Manager, select **WAF** > **Log Profiles**.
+1. Select **Add Log Profile**.
+   The log profile configuration screen opens.
+1. In **General Settings**, enter a name and optional description for the log profile.
+
+Next, configure the filter settings to determine which requests are logged.
+
+### Configure filter settings
+
+The **Request Type** filter determines which requests are logged based on what F5 WAF for NGINX detects:
+
+- **All**: Logs all requests, both legal and illegal.
+- **Illegal**: Logs requests with violations (alerted or blocked).
+- **Blocked**: Logs requests with violations that were blocked.
+
+Select the filter option that matches your monitoring and compliance needs. For production environments, start with **Blocked** to reduce log volume, then expand to **Illegal** or **All** as needed for troubleshooting.
+
+Next, configure the content format and options for how log messages are structured.
+
+### Configure content settings
+
+The content section specifies the format and structure of log messages.
+
+#### Select a format
+
+Select one of the following log formats:
+
+- **Default**: Default format for F5 WAF for NGINX with comma-separated key-value pairs.
+- **GRPC**: Variant of the default format suited for gRPC traffic.
+- **User-defined**: Custom format that you define using a format string with placeholders.
+- **Splunk**: Formatted for Splunk SIEM with F5 plugin.
+- **ArcSight**: Formatted according to ArcSight Common Event Format (CEF) with custom fields adapted for F5.
+- **BIG-IQ**: Formatted for BIG-IQ, the F5 centralized management platform for BIG-IP.
+
+#### Set size limits
+
+Configure size restrictions for log messages:
+
+- **Max request size**: Limit in bytes for the `request` and `request_body_base64` fields. The accepted range is 1–10240 bytes, with a default of 2000 bytes. You can also set this to `any`, which is equivalent to 10240 bytes.
+- **Max message size**: Total size limit in KB for the entire log message. The accepted range is 1k–64k, with a default of 2k. This value must not be smaller than `max_request_size`.
+
+#### (Optional) Create a custom format string
+
+If you select **User-defined** format, create a custom format string using placeholders for log attributes. Each attribute name is delimited by percent signs. For example:
+
+``` text
+Request ID %support_id%: %method% %uri% received on %date_time% from IP %ip_client% had the following violations: %violations%
+```
+
+Available placeholders include attributes such as `%ip_client%`, `%request%`, `%violations%`, `%attack_type%`, and others. See [Available security log attributes]({{< ref "/waf/logging/security-logs.md#available-security-log-attributes" >}}).
+
+#### (Optional) Configure advanced formatting options
+
+Configure additional options for how list values appear in your logs:
+
+- **List delimiter**: Character or string that separates list elements (default: comma).
+- **List prefix**: Character or string that starts a list (default: none).
+- **List suffix**: Character or string that ends a list (default: none).
+- **Escaping characters**: Replace specific characters in log values with alternative characters. Configure the `from` character to be replaced and the `to` result character.
+
+For detailed information about the JSON structure of security log configuration files, see [Security log configuration file]({{< ref "/waf/logging/security-logs.md#security-log-configuration-file" >}}).
+
+---
+
+Finally, select **Add Profile** to save the log profile. Next, you can optionally compile the log profile into a bundle before deploying it to your NGINX instances.
+
+## Compile the log profile
+
+Before deploying a log profile, you can optionally compile the JSON configuration file into a bundle. If you do not compile manually, the deployment process automatically compiles the log profile.
+
+The compiled bundle is in compressed tar format (.tgz) and contains all the necessary configuration to enable security logging on your NGINX instances.
+
+### Manage bundles for different compiler versions
+
+1. Go to **WAF** > **Log Profiles**.
+
+   A list of all log profiles appears.
+
+2. In the **Actions** column for a log profile, select one of the following:
+
+   - **Edit**: Open the log profile configuration editor to reconfigure settings.
+   - **Make a Copy**: Create a new log profile by copying the JSON content.
+   - **Export as JSON**: Download the log profile JSON configuration.
+   - **Manage Bundles**: View and manage compiled bundles for different WAF compiler versions.
+   - **Delete**: Remove the log profile.
+
+3. Select **Manage Bundles** to view all supported WAF compiler versions.
+
+   For each version, you can see whether the log profile is compiled for that version.
+
+4. For a specific compiler version, select one of the following:
+
+   - **Compile**: Compile the log profile into a bundle for that compiler version.
+   - **Download**: Download an existing compiled bundle for that compiler version.
+
+This allows you to maintain compatibility with different versions of F5 WAF for NGINX across your infrastructure.
+
+---
+
+## Deploy the log profile
+
+After saving a log profile, deploy it to your NGINX instances to enable logging of WAF security events. See [Deploy log profiles]({{< ref "/nginx-one-console/waf-integration/log-profiles/deploy-log-profiles.md" >}}) for detailed deployment steps.
+
+The deployment process configures the required NGINX directives (`app_protect_security_log_enable` and `app_protect_security_log`) and ensures the log profile bundle is accessible to your instances. For detailed information about these directives and their configuration options, see [Security log directives]({{< ref "/waf/logging/security-logs.md#directives-in-nginxconf" >}}).
+
+For container-specific setup requirements, see the [Log profiles]({{< ref "/nim/waf-integration/overview.md#log-profiles" >}}) configuration section in the overview.
+
+---
+
+## Review and manage log profiles
+
+From NGINX Instance Manager, you can review the log profiles you have saved. For detailed information about reviewing and managing log profiles, see [Update log profiles]({{< ref "/nim/waf-integration/policies-and-logs/log-profiles/update-log-profile.md" >}}).
+
+---
+
+## References
+
+For more information, see:
+
+- [Deploy log profiles]({{< ref "/nginx-one-console/waf-integration/log-profiles/deploy-log-profiles.md" >}})
+- [Update log profiles]({{< ref "/nim/waf-integration/policies-and-logs/log-profiles/update-log-profile.md" >}})
+- [Security Logs]({{< ref "/waf/logging/security-logs.md" >}})
+- [Security log configuration file]({{< ref "/waf/logging/security-logs.md#security-log-configuration-file" >}})
+- [Available security log attributes]({{< ref "/waf/logging/security-logs.md#available-security-log-attributes" >}})
+- [Security log directives]({{< ref "/waf/logging/security-logs.md#directives-in-nginxconf" >}})
+- [Log profiles overview]({{< ref "/nim/waf-integration/overview.md#log-profiles" >}})

content/nim/waf-integration/policies-and-logs/log-profiles/create-log-profile.md

@@ -1,11 +1,12 @@
 ---
-title: Create a security log profile
+title: Create and deploy profiles using the REST API
 description: Create and upload a new F5 WAF for NGINX security log profile to NGINX Instance Manager using the REST API.
 toc: true
-weight: 100
+weight: 600
 nd-content-type: how-to
 nd-product: NIMNGR
 ---
+
 You can create and upload new F5 WAF for NGINX security log profiles using the NGINX Instance Manager REST API.
 
 A log profile defines how security events are recorded and exported from your NGINX instances.

content/nim/waf-integration/policies-and-logs/log-profiles/delete-log-profile.md

@@ -1,8 +1,8 @@
 ---
-title: Delete a security log profile
+title: Delete security log profiles using the REST API
 description: Remove an existing F5 WAF for NGINX security log profile from NGINX Instance Manager using the REST API.
 toc: true
-weight: 300
+weight: 800
 nd-content-type: how-to
 nd-product: NIMNGR
 ---