This topic describes the fields of website access, attack, and protection logs.
| Log field | Description |
|---|---|
| __topic__ | The topic of the log. The value is fixed as waf_access_log. |
| acl_action | The action that is triggered in a custom protection rule. Valid values include pass,
drop, and captcha.
If the field is empty or the value is a hyphen (-), the pass action is triggered. |
| block_action | The type of the WAF protection feature that is triggered. Valid values:
|
| body_bytes_sent | The number of bytes in the body of the request that is sent by the client. |
| cc_action | The action that is triggered in an HTTP flood protection rule. Valid values include none, challenge, pass, close, captcha, wait, login, and n. |
| cc_blocks | Indicates whether the request is blocked by the HTTP flood protection feature.
|
| content_type | The content type of the request. |
| host | The origin server. |
| http_cookie | A cookie header. This field includes the information of the client. |
| http_referer | The Referer header. This field includes the information of the source URL. If no source URLs are obtained, a hyphen (-) is displayed. |
| http_user_agent | The User-Agent header. This field includes information such as a client browser or an operating system. |
| http_x_forwarded_for | The X-Forwarded-For (XFF) header. This field identifies the actual IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing device. |
| https | Indicates whether the request is an HTTPS request. Valid values:
|
| matched_host | The domain name of the origin server that is matched by WAF for the request. A wildcard domain name may be matched. If no domain names are matched, a hyphen (-) is displayed. |
| querystring | The query string in the request. |
| real_client_ip | The actual IP address of the client. If no actual IP address are obtained, a hyphen (-) is displayed. |
| region | The region where the WAF instance resides. |
| remote_addr | The IP address of the client that sends the request. |
| remote_port | The port number of the client that sends the request. |
| request_length | The length of the request. Unit: bytes. |
| request_method | The request method. |
| request_path | The relative path of the request. The path excludes the query string. |
| request_time_msec | The time that is taken by WAF to process the request. Unit: milliseconds. |
| request_traceid | The unique identifier that is recorded by WAF for the request. |
| server_protocol | The protocol and version that is used by the origin server to respond to the request. |
| status | The HTTP status code that is returned by WAF to the client. |
| time | The time at which the request is sent. |
| ua_browser | The name of the browser that sends the request. |
| ua_browser_family | The family of the browser that sends the request. |
| ua_browser_type | The type of the browser that sends the request. |
| ua_browser_version | The version of the browser that sends the request. |
| ua_device_type | The device type of the client. |
| ua_os | The information about the operating system that runs on the client. |
| ua_os_family | The family of the operating system that runs on the client. |
| upstream_addr | The back-to-origin addresses used by WAF. Each address is in the IP:Port format. Multiple addresses are separated by commas (,). |
| upstream_response_time | The time that is taken by the origin server to respond to the request. The request is forwarded by WAF. Unit: seconds. If a hyphen (-) is returned, the response times out. |
| upstream_status | The status code that is returned by the origin server to WAF. If a hyphen (-) is returned, the request is not responded. For example, the request is blocked by WAF, or the response from the origin server times out. |
| user_id | The ID of the Alibaba Cloud account. |
| waf_action | The action that is triggered in a web intrusion prevention rule.
|
| bypass_matched_ids | The ID of the rule that is matched by WAF to allow the request. The rule can be a
whitelist rule or a custom protection rule.
If a request matches multiple rules that allow the request, this field records the IDs of all the rules. Multiple IDs are separated by commas (,). |
| final_plugin | The WAF protection feature that performs the final action on the request. This action
is recorded by the final_action field.
If a request does not trigger a protection feature, this field is not recorded. For example, if a request matches the rule that allows the request or a request is allowed after the client passes CAPTCHA verification or JavaScript validation, this field is not recorded. If a request triggers multiple protection features at the same time, this field is recorded, and the field includes only the protection feature that performs the final action. |
| final_action | The final action that WAF performs on the request.
If a request does not trigger a protection feature, this field is not recorded. For example, if a request matches the rule that allows the request or a request is allowed after the client passes CAPTCHA verification or JavaScript validation, this field is not recorded. If a request triggers multiple protection features at the same time, this field is recorded, and the field includes only the final action. The following actions are listed in descending order of priority: block, strict CAPTCHA verification, common CAPTCHA verification, and JavaScript validation. |
| final_rule_id | The ID of the protection rule that WAF applies to the request. This rule specifies the final action that is recorded by the final_action field. |
| final_rule_type | The subtype of the rule that is indicated by the final_rule_id field. For example, final_plugin:waf supports final_rule_type:sqli and final_rule_type:xss. |
| waf_rule_id | The ID of the web intrusion prevention rule that WAF matches for the request. |
| waf_rule_type | The subtype of the rule that is indicated by the final_rule_id field.
For example, |
| acl_rule_type | The subtype of the custom protection rule that WAF matches for the request. Valid
values:
|
| cc_rule_id | The ID of the HTTP flood protection rule that WAF matches for the request. |
| cc_rule_type | The subtype of the matched HTTP flood protection rule. Valid values:
|
| ssl_cipher | The SSL cipher suite. |
| ssl_protocol | The version of the SSL protocol. |