This topic describes the fields of Web Application Firewall (WAF) access and attack logs.

Log field | Description |
---|---|
__topic__ | The topic of a log entry. Valid value: waf_access_log. |
acl_action | The action that is performed by WAF to respond to a request based on an HTTP ACL policy, for example, pass, drop, or captcha. If the value is null or a hyphen (-), this field also indicates the pass action. |
acl_blocks | Indicates whether a request is blocked by an HTTP ACL policy. |
antibot | The type of an Anti-Bot Service protection policy that is triggered. Valid values: |
antibot_action | The action that is performed based on an Anti-Bot Service protection policy. Valid values: |
block_action | The type of a WAF protection feature that is triggered. Valid values: |
body_bytes_sent | The size of an HTTP message body that is sent to a client. Unit: bytes. |
cc_action | The action that is performed based on an HTTP flood protection policy. The action can be captcha, challenge, close, login, n, none, pass, or wait. |
cc_blocks | Indicates whether a request is blocked by the HTTP flood protection feature. |
cc_phase | The HTTP flood protection policy that is triggered. The policy can be qps_overmax, seccookie, server_args_blacklist, server_cookie_blacklist, server_header_blacklist, server_ip_blacklist, or static_whitelist. |
content_type | The content type of an access request. |
host | The origin server. |
http_cookie | The HTTP cookie header. This field includes the information of the client. |
http_referer | The HTTP referer header. This field includes the information of the source URL. If no information of the source URL is logged, a hyphen (-) is displayed. |
http_user_agent | The User-Agent HTTP header. This field includes information such as a client browser and an operating system. |
http_x_forwarded_for | The X-Forwarded-For (XFF) HTTP header. This field identifies the real IP address of a client that connects to a web server by using an HTTP proxy or load balancing device. |
https | Indicates whether a request is an HTTPS request. Valid values: |
matched_host | The matched origin server, which can be a wildcard domain name. If no origin server is matched, a hyphen (-) is displayed. |
querystring | The query string in a request URL. |
real_client_ip | The real IP address of a client. If no real IP address can be obtained, a hyphen (-) is displayed. |
region | The region where a WAF instance resides. |
remote_addr | The IP address of a client that sends an access request. |
remote_port | The port number of a client that sends an access request. |
request_length | The size of a request. Unit: bytes. |
request_method | The method of an HTTP access request. |
request_path | The relative path of a request. The query string is not included. |
request_time_msec | The duration in which a request is processed. Unit: milliseconds. |
request_traceid | The unique ID of a request that is traced by WAF. |
server_protocol | The type and version number of a response protocol that is used by an origin server. |
status | The HTTP status code that is returned by WAF to a client. |
time | The time when a request is sent. |
ua_browser | The information of a browser that sends a request. |
ua_browser_family | The family of a browser that sends a request. |
ua_browser_type | The type of a browser that sends a request. |
ua_browser_version | The version of a browser that sends a request. |
ua_device_type | The type of a client. |
ua_os | The operating system of a client. |
ua_os_family | The family of the operating system that runs on a client. |
upstream_addr | The list of back-to-origin IP addresses used by WAF. These IP addresses are separated by commas (,). Each IP address is in the IP:Port format. |
upstream_ip | The IP address of an origin server that responds to a request. For example, if the origin server is an Elastic Compute Service (ECS) instance, the value of this field is the IP address of the ECS instance. |
upstream_response_time | The duration in which an origin server processes a WAF request. Unit: seconds. If a hyphen (-) is returned, this field indicates that the response has timed out. |
upstream_status | The status code that an origin server returns to WAF. If a hyphen (-) is returned, the request is blocked by WAF or the response from the origin server has timed out. |
user_id | The ID of an Alibaba Cloud account. |
waf_action | The action that is performed based on a Web attack protection policy. |
web_attack_type | The type of a web attack, for example, code_exec, lfilei, other, rfilei, sqli, webshell, or xss. |
waf_rule_id | The ID of a WAF rule that is matched. |
cc_rule_id | The ID of an HTTP flood attack rule that is matched. |
ssl_cipher | The SSL cipher suite. |
ssl_protocol | The version of the SSL protocol. |
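
The following added example (not part of the original documentation or of any Alibaba Cloud SDK) normalizes the sentinel values described in the table before log entries are used for triage. It assumes each entry has already been retrieved as a dictionary of string fields, that the string "null" and an empty value are treated like the hyphen, and that `web_attack_type` is a hyphen when no attack rule matched; the function names and sample entries are constructed for illustration.

```python
from collections import Counter

# Values treated as "no value"; the table names null and the hyphen, the rest are assumptions.
MISSING = (None, "", "-", "null")

def norm_action(value):
    """acl_action: null or a hyphen also means pass, per the field table."""
    return "pass" if value in MISSING else value

def parse_upstream_addr(value):
    """upstream_addr: comma-separated entries, each in IP:Port format."""
    if value in MISSING:
        return []
    pairs = []
    for item in value.split(","):
        ip, _, port = item.strip().rpartition(":")  # split on the last colon only
        pairs.append((ip, int(port)))
    return pairs

def summarize(record):
    """Reduce one log entry to the facts needed for triage."""
    status = record.get("upstream_status")
    attack = record.get("web_attack_type")
    return {
        "traceid": record.get("request_traceid"),
        "acl_action": norm_action(record.get("acl_action")),
        "upstreams": parse_upstream_addr(record.get("upstream_addr")),
        # "-" means blocked by WAF or origin timeout; this field alone cannot say which.
        "origin_answered": status not in MISSING,
        "attack_type": None if attack in MISSING else attack,
    }

def attack_counts(records):
    """Count entries per web_attack_type that received no origin response."""
    rows = [summarize(r) for r in records]
    return Counter(r["attack_type"] for r in rows
                   if r["attack_type"] and not r["origin_answered"])

# Constructed sample entries (not real log data); 192.0.2.0/24 is a documentation range.
SAMPLE = [
    {"request_traceid": "t-1", "acl_action": "-", "upstream_status": "200",
     "upstream_addr": "192.0.2.10:80,192.0.2.11:80", "web_attack_type": "-"},
    {"request_traceid": "t-2", "acl_action": None, "upstream_status": "-",
     "upstream_addr": "-", "web_attack_type": "sqli"},
    {"request_traceid": "t-3", "acl_action": "drop", "upstream_status": "-",
     "upstream_addr": "-", "web_attack_type": "-"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(summarize(rec))
    print(attack_counts(SAMPLE))
```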