This topic describes the fields of Web Application Firewall (WAF) access and attack logs.

Log field Description
__topic__ The topic of a log entry. Valid value: waf_access_log.
acl_action The action that is performed by WAF to respond to a request based on an HTTP ACL policy, for example, pass, drop, or captcha.

If the value is null or a hyphen (-), this field also indicates the pass action.
acl_blocks Indicates whether a request is blocked by an HTTP ACL policy.
  • If the value is 1, the request is blocked.
  • If the value is not 1, the request is passed.
antibot The type of an Anti-Bot Service protection policy that is triggered. Valid values:
  • ratelimit: frequency control
  • sdk: app protection
  • algorithm: intelligent algorithm
  • intelligence: bot threat intelligence
  • acl: HTTP ACL policy
  • blacklist: blacklist
antibot_action The action that is performed based on an Anti-Bot Service protection policy. Valid values:
  • challenge: verifies a request by using an embedded JavaScript.
  • drop: blocks bot threats.
  • report: logs access events.
  • captcha: verifies a request by using a slider captcha.
block_action The type of a WAF protection feature that is triggered. Valid values:
  • tmd: protection against HTTP flood attacks
  • waf: protection against Web application attacks
  • acl: HTTP ACL policy
  • geo: region blocking
  • antifraud: data risk control
  • antibot: anti-bot
body_bytes_sent The size of an HTTP message body that is sent to a client. Unit: bytes.
cc_action The action that is performed based on an HTTP flood protection policy. The action can be captcha, challenge, close, login, n, none, pass, or wait.
cc_blocks Indicates whether a request is blocked by the HTTP flood protection feature.
  • If the value is 1, the request is blocked.
  • If the value is not 1, the request is passed.
cc_phase The HTTP flood protection policy that is triggered. The policy can be qps_overmax, seccookie, server_args_blacklist, server_cookie_blacklist, server_header_blacklist, server_ip_blacklist, or static_whitelist.
content_type The content type of an access request.
host The origin server.
http_cookie The HTTP cookie header. This field includes the information of the client.
http_referer The HTTP referer header. This field includes the information of the source URL. If no information of the source URL is logged, a hyphen (-) is displayed.
http_user_agent The User-Agent HTTP header. This field includes information such as a client browser and an operating system.
http_x_forwarded_for The X-Forwarded-For (XFF) HTTP header. This field identifies the real IP address of a client that connects to a web server by using an HTTP proxy or load balancing device.
https Indicates whether a request is an HTTPS request. Valid values:
  • true: The request is an HTTPS request.
  • false: The request is an HTTP request.
matched_host The matched origin server, which can be a wildcard domain name. If no origin server is matched, a hyphen (-) is displayed.
querystring The query string in a request URL.
real_client_ip The real IP address of a client. If no real IP address can be obtained, a hyphen (-) is displayed.
region The region where a WAF instance resides.
remote_addr The IP address of a client that sends an access request.
remote_port The port number of a client that sends an access request.
request_length The size of a request. Unit: bytes.
request_method The method of an HTTP access request.
request_path The relative path of a request. The query string is not included.
request_time_msec The duration in which a request is processed. Unit: milliseconds.
request_traceid The unique ID of a request that is traced by WAF.
server_protocol The type and version number of a response protocol that is used by an origin server.
status The HTTP status code that is returned by WAF to a client.
time The time when a request is sent.
ua_browser The information of a browser that sends a request.
ua_browser_family The family of a browser that sends a request.
ua_browser_type The type of a browser that sends a request.
ua_browser_version The version of a browser that sends a request.
ua_device_type The type of a client.
ua_os The operating system of a client.
ua_os_family The family of the operating system that runs on a client.
upstream_addr The list of back-to-origin IP addresses used by WAF. These IP addresses are separated by commas (,). Each IP address is in the IP:Port format.
upstream_ip The IP address of an origin server that responds to a request. For example, if the origin server is an Elastic Compute Service (ECS) instance, the value of this field is the IP address of the ECS instance.
upstream_response_time The duration in which an origin server processes a WAF request. Unit: seconds. If a hyphen (-) is returned, this field indicates that the response has timed out.
upstream_status The status code that an origin server returns to WAF. If a hyphen (-) is returned, the request is blocked by WAF or the response from the origin server has timed out.
user_id The ID of an Alibaba Cloud account.
waf_action The action that is performed based on a Web attack protection policy.
  • If the value is block, the request is blocked.
  • If the value is not block, the request is passed.
web_attack_type The type of a web attack, for example, code_exec, lfilei, other, rfilei, sqli, webshell, or xss.
waf_rule_id The ID of a WAF rule that is matched.
cc_rule_id The ID of an HTTP flood attack rule that is matched.
ssl_cipher The SSL cipher suite.
ssl_protocol The version of the SSL protocol.