Log fields - Data Collection| Alibaba Cloud Documentation Center

Log fields

Edit in GitHub

Last Updated: Sep 14, 2020 Edit in GitHub

This topic describes the fields of Web Application Firewall (WAF) access and attack log entries.


Log field	Description
__topic__	The topic of a log entry. Valid value: waf_access_log.
acl_action	The action that performed by WAF to respond to a request based on an HTTP ACL policy, for example, pass, drop, or captcha. If the value is null or a hyphen (-), this field also indicates the pass action.
acl_blocks	Indicates whether a request is blocked by an HTTP ACL policy. If the value is 1, the request is blocked. If the value is not 1, the request is passed.
antibot	The type of an Anti-Bot Service protection policy that is matched. Valid values: ratelimit: frequency control sdk: app protection algorithm: intelligent algorithm intelligence: bot threat intelligence acl: HTTP ACL policy blacklist: blacklist
antibot_action	The action that is performed based on an Anti-Bot Service protection policy. Valid values: challenge: verify a request by using an embedded JavaScript drop: block report: log access events captcha: verify a request by using a slider captcha
block_action	The type of a WAF protection feature that is matched. Valid values: tmd: protection against HTTP flood attacks waf: protection against Web application attacks acl: HTTP ACL policy geo: region blocking antifraud: data risk control antibot: anti-bot
body_bytes_sent	The size of an HTTP message body that is sent to a client. Unit: bytes.
cc_action	The action that is performed based on an HTTP flood protection policy. The action can be captcha, challenge, close, login, n, none, pass, or wait.
cc_blocks	Indicates whether a request is blocked by the HTTP flood protection feature. If the value is 1, the request is blocked. If the value is not 1, the request is passed.
cc_phase	The HTTP flood protection policy that is matched. The policy can be qps_overmax, seccookie, server_args_blacklist, server_cookie_blacklist, server_header_blacklist, server_ip_blacklist, or static_whitelist.
content_type	The content type of an access request.
host	The origin server.
http_cookie	The HTTP cookie header. This field includes client information.
http_referer	The HTTP referer header. This field includes source URL information. If no source URL information is logged, a hyphen (-) is displayed.
http_user_agent	The User-Agent HTTP header. This field includes information such as a client browser and an operating system.
http_x_forwarded_for	The X-Forwarded-For (XFF) HTTP header. This field identifies the real IP address of a client that connects to a web server by using an HTTP proxy or load balancing device.
https	Indicates whether a request is an HTTPS request. Valid values: true: The request is an HTTPS request. false: The request is an HTTP request.
matched_host	The matched origin server, which can be a wildcard domain name. If no origin server is matched, a hyphen (-) is displayed.
querystring	The query string in a request URL.
real_client_ip	The real IP address of a client. If no real IP address can be obtained, a hyphen (-) is displayed.
region	The region where a WAF instance resides.
remote_addr	The IP address of a client that sends an access request.
remote_port	The port number of a client that sends an access request.
request_length	The size of a request. Unit: bytes.
request_method	The method of an HTTP access request.
request_path	The relative path of a request. The query string is not included.
request_time_msec	The duration in which a request is processed. Unit: milliseconds.
request_traceid	The unique ID of a request that is traced by WAF.
server_protocol	The type and version number of a response protocol that is used by an origin server.
status	The HTTP status code that is returned by WAF to a client.
time	The time when a request is sent.
ua_browser	The information of a browser that sends a request.
ua_browser_family	The family of a browser that sends a request.
ua_browser_type	The type of a browser that sends a request.
ua_browser_version	The version of a browser that sends a request.
ua_device_type	The type of a client.
ua_os	The operating system of a client.
ua_os_family	The family of the operating system that runs on a client.
upstream_addr	The list of back-to-origin IP addresses used by WAF. These IP addresses are separated by commas (,). Each IP address is in the IP:Port format.
upstream_ip	The IP address of an origin server that responds to a request. For example, if the origin server is an Elastic Compute Service (ECS) instance, the value of this field is the IP address of the ECS instance.
upstream_response_time	The duration in which an origin server processes a WAF request. Unit: seconds. If a hyphen (-) is returned, this field indicates that the response times out.
upstream_status	The status code that an origin server returns to WAF. If a hyphen (-) is returned, the request is blocked by WAF or the response from the origin server times out.
user_id	The ID of an Alibaba Cloud account.
waf_action	The action that is performed based on a Web attack protection policy. If the value is block, the request is blocked. If the value is not block, the request is passed.
web_attack_type	The type of a web attack, for example, code_exec, lfilei, other, rfilei, sqli, webshell, or xss.
waf_rule_id	The ID of a WAF rule that is matched.
cc_rule_id	The ID of an HTTP flood attack rule that is matched.