wallarm · egoverdovskaya-wallarm · Nov 4, 2025 · Nov 5, 2025 · Nov 5, 2025
diff --git a/docs/latest/admin-en/configure-logging.md b/docs/latest/admin-en/configure-logging.md
@@ -47,6 +47,8 @@ You may use the following filter node variables when defining the NGINX logging
 | `wallarm_attack_stamp_list` (NGINX node 5.2.1 or later) | String | Lists internal Wallarm IDs for each attack sign detected in a request. Multiple sign IDs are concatenated using `|`. If the same attack sign is detected at multiple parsing stages, the IDs may repeat. For example, a SQLi attack like `union+select+1` could return `7|7`, showing multiple detections.<br>Note that this log data may differ from the simplified, user‑friendly view presented in the Wallarm Console UI. |
 |`wallarm_block_reason` (NGINX node 6.4.0 or later)|String|Blocking reason (if applicable). Reasons are presented in text format: <ul><li>`not blocked` - the request was not blocked (e.g., it was sent from an [allowlisted IP][acl]).</li><li>`antibot` - the request was blocked by the [API Abuse Prevention module][antibot].</li><li>`attack mask=<MASK>` - an attack was detected. `MASK` is the attack type in bit string format (e.g.`mask=0000000000000020` indicates a ptrav attack). All attack types are listed in the `wallarm_attack_type` section above. </li><li>`overlimit` - a [resource overlimit][resource-overlimit] attack was detected in the mask.</li><li>`acl blacklist SRC TYPE` - the request was blocked [due to denylisted request sources][acl]. The variable parts can have the following values: <ul>`SRC`:<ul><li>`ip`</li><li>`country`</li><li>`proxy`</li><li>`datacenter`</li><li>`tor`</li></ul></li><li>`TYPE`: <ul><li>`blocked_source`</li><li>`brute`</li><li>`dirbust`</li><li>`bola`</li><li>`bot`</li><li>`api_abuse`</li><li>`vectors`</li><li>`account_takeover`</li><li>`security_crawlers`</li><li>`scraping`</li><li>`resource_consumption`</li><li>`session_anomaly`</li><li>`enum`</li><li>`rate_limit`</li><li>`query_anomaly`</li><li>`ai_prompt_injection`</li><li>`ai_prompt_retrieval`</li></ul></li></ul>|
 | `wallarm_mode` (NGINX node 6.6.0 or later) | string | Returns the final [filtration mode](configure-wallarm-mode.md) applied to a malicious request, taking into account both local settings and those from the Wallarm Cloud (e.g., rules and mitigation controls) with their prioritization. |
+| `wallarm_fingerprint_ja4` (NGINX node 6.7.0 or later) | string | Returns the JA4 fingerprint (e.g., `t13d1516h2_8daaf6152771_d8a2da3f94cd`, which summarizes key TLS `ClientHello` parameters. Available when [JA4 fingerprinting](../admin-en/configure-parameters-en.md#wallarm_fingerprint) is enabled. |
+| `wallarm_fingerprint_ja4_raw` (NGINX node 6.7.0 or later) | string | Returns the raw TLS `ClientHello` metadata used to generate the JA4 fingerprint. This includes full, unprocessed details of the TLS handshake (e.g., `t13d1516h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,002b,002d,0033,44cd,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601`). Available when [JA4 fingerprinting](../admin-en/configure-parameters-en.md#wallarm_fingerprint) is enabled. |
 
 ### Configuration Example