This topic describes the fields of website access, attack, and protection logs.

Log field Description
__topic__ The topic of the log. The value is fixed as waf_access_log.
acl_action The action that is triggered in a custom protection rule. Valid values include pass, drop, and captcha.

If the field is empty or the value is a hyphen (-), the pass action is triggered.

block_action The type of the WAF protection feature that is triggered. Valid values:
  • tmd: HTTP flood protection
  • waf: web intrusion prevention
  • acl: custom protection policy
  • geo: region blacklist
  • antifraud: data risk control
  • antibot: bot management
body_bytes_sent The number of bytes in the body of the request that is sent by the client.
cc_action The action that is triggered in an HTTP flood protection rule. Valid values include none, challenge, pass, close, captcha, wait, login, and n.
cc_blocks Indicates whether the request is blocked by the HTTP flood protection feature.
  • If the value is 1, the request is blocked.
  • If the value is not 1, the request is allowed.
content_type The content type of the request.
host The origin server.
http_cookie A cookie header. This field includes the information of the client.
http_referer The Referer header. This field includes the information of the source URL. If no source URLs are obtained, a hyphen (-) is displayed.
http_user_agent The User-Agent header. This field includes information such as a client browser or an operating system.
http_x_forwarded_for The X-Forwarded-For (XFF) header. This field identifies the actual IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing device.
https Indicates whether the request is an HTTPS request. Valid values:
  • true: The request is an HTTPS request.
  • false: The request is an HTTP request.
matched_host The domain name of the origin server that is matched by WAF for the request. A wildcard domain name may be matched. If no domain names are matched, a hyphen (-) is displayed.
querystring The query string in the request.
real_client_ip The actual IP address of the client. If no actual IP address is obtained, a hyphen (-) is displayed.
region The region where the WAF instance resides.
remote_addr The IP address of the client that sends the request.
remote_port The port number of the client that sends the request.
request_length The length of the request. Unit: bytes.
request_method The request method.
request_path The relative path of the request. The path excludes the query string.
request_time_msec The time that is taken by WAF to process the request. Unit: milliseconds.
request_traceid The unique identifier that is recorded by WAF for the request.
server_protocol The protocol and version that is used by the origin server to respond to the request.
status The HTTP status code that is returned by WAF to the client.
time The time at which the request is sent.
ua_browser The name of the browser that sends the request.
ua_browser_family The family of the browser that sends the request.
ua_browser_type The type of the browser that sends the request.
ua_browser_version The version of the browser that sends the request.
ua_device_type The device type of the client.
ua_os The information about the operating system that runs on the client.
ua_os_family The family of the operating system that runs on the client.
upstream_addr The back-to-origin addresses used by WAF. Each address is in the IP:Port format. Multiple addresses are separated by commas (,).
upstream_response_time The time that is taken by the origin server to respond to the request. The request is forwarded by WAF. Unit: seconds. If a hyphen (-) is returned, the response times out.
upstream_status The status code that is returned by the origin server to WAF. If a hyphen (-) is returned, the request receives no response. For example, the request is blocked by WAF, or the response from the origin server times out.
user_id The ID of the Alibaba Cloud account.
waf_action The action that is triggered in a web intrusion prevention rule.
  • If the value is block, the request is blocked.
  • If the value is not block, such as bypass, the request is allowed.
bypass_matched_ids The ID of the rule that is matched by WAF to allow the request. The rule can be a whitelist rule or a custom protection rule.

If a request matches multiple rules that allow the request, this field records the IDs of all the rules. Multiple IDs are separated by commas (,).

final_plugin The WAF protection feature that performs the final action on the request. This action is recorded by the final_action field.

If a request does not trigger a protection feature, this field is not recorded. For example, if a request matches the rule that allows the request or a request is allowed after the client passes CAPTCHA verification or JavaScript validation, this field is not recorded.

If a request triggers multiple protection features at the same time, this field is recorded, and the field includes only the protection feature that performs the final action.

final_action The final action that WAF performs on the request.

If a request does not trigger a protection feature, this field is not recorded. For example, if a request matches the rule that allows the request or a request is allowed after the client passes CAPTCHA verification or JavaScript validation, this field is not recorded.

If a request triggers multiple protection features at the same time, this field is recorded, and the field includes only the final action. The following actions are listed in descending order of priority: block, strict CAPTCHA verification, common CAPTCHA verification, and JavaScript validation.

final_rule_id The ID of the protection rule that WAF applies to the request. This rule specifies the final action that is recorded by the final_action field.
final_rule_type The subtype of the rule that is indicated by the final_rule_id field. For example, final_plugin:waf supports final_rule_type:sqli and final_rule_type:xss.
waf_rule_id The ID of the web intrusion prevention rule that WAF matches for the request.
waf_rule_type The subtype of the rule that is indicated by the final_rule_id field.

For example, final_plugin:waf supports final_rule_type:sqli and final_rule_type:xss.

acl_rule_type The subtype of the custom protection rule that WAF matches for the request. Valid values:
  • custom: The rule is created in a custom protection policy.
  • blacklist: The rule is created for the IP address blacklist feature.
cc_rule_id The ID of the HTTP flood protection rule that WAF matches for the request.
cc_rule_type The subtype of the matched HTTP flood protection rule. Valid values:
  • custom: The rule is created in a custom protection policy.
  • system: The rule is created for the HTTP flood protection feature.
ssl_cipher The SSL cipher suite.
ssl_protocol The version of the SSL protocol.
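
The following sketch, an added example that is not part of the original page, shows how the action fields above combine into one disposition per request, including the "empty or hyphen means pass" and "final_action is not recorded" cases. The sample records, the placeholder rule IDs, and the fallback order used when final_action is absent are assumptions.

```python
from collections import Counter

EMPTY = (None, "", "-")  # absent, empty, or hyphen all mean "no value"

def field(rec, name):
    """Return a field as a string, or None when it carries no value."""
    value = rec.get(name)
    return None if value in EMPTY else str(value)

def disposition(rec):
    """Return (feature, action, rule_id) for one log record."""
    final_action = field(rec, "final_action")
    if final_action:
        # final_* records only the feature and action that took effect.
        return field(rec, "final_plugin"), final_action, field(rec, "final_rule_id")
    # Assumption: without final_*, fall back to the per-feature fields,
    # named here with the block_action values (waf, tmd, acl).
    if field(rec, "waf_action") == "block":
        return "waf", "block", field(rec, "waf_rule_id")
    if field(rec, "cc_blocks") == "1":
        return "tmd", field(rec, "cc_action") or "block", field(rec, "cc_rule_id")
    acl = field(rec, "acl_action")
    if acl and acl != "pass":  # an empty or "-" acl_action means pass
        return "acl", acl, None
    return None, "pass", None

def summarize(records):
    """Count records per (feature, action) pair."""
    return Counter(disposition(r)[:2] for r in records)

# Constructed sample records (not real log data); rule IDs are placeholders.
SAMPLE = [
    {"status": "200", "acl_action": "-", "cc_blocks": "0", "waf_action": "bypass"},
    {"final_plugin": "waf", "final_action": "block", "final_rule_id": "rule-1001",
     "final_rule_type": "sqli", "waf_action": "block", "waf_rule_id": "rule-1001"},
    {"cc_blocks": "1", "cc_action": "close", "cc_rule_id": "rule-2002"},
    {"acl_action": "captcha", "acl_rule_type": "custom"},
    {"acl_action": "", "waf_action": "-"},
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(key, count)
```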