Cloud Firewall logs both inbound and outbound traffic. Each log entry contains numerous fields. You can use these fields to search and analyze logs.

| Log field | Description | Example |
| --- | --- | --- |
| `__time__` | The time the access request was initiated. | 2018-02-27 11:58:15 |
| `__topic__` | The topic of the log entry. The value is fixed to cloudfirewall_access_log, which indicates that the log entry records traffic controlled by Cloud Firewall. | cloudfirewall_access_log |
| `log_type` | The type of the log entry. The value is fixed to internet_log, which indicates Internet traffic logs. | internet_log |
| `aliuid` | The UID of the Alibaba Cloud account. | 12333333333333 |
| `app_name` | The application of the traffic. Valid values: HTTPS, NTP, SIP, SMB, NFS, DNS, and Unknown. | HTTPS |
| `direction` | The direction of the traffic. Valid values: in (inbound traffic to your ECS instances from other ECS instances in the internal network or hosts on the Internet); out (outbound traffic from your ECS instances to other ECS instances in the internal network or hosts on the Internet). | in |
| `domain` | The domain name of the traffic. | www.aliyun.com |
| `dst_ip` | The destination IP address of the traffic. | 1.1.1.1 |
| `dst_port` | The destination port of the traffic. | 443 |
| `end_time` | The time the session ended. Unit: seconds (UNIX timestamp). | 1555399260 |
| `in_bps` | The traffic rate of inbound traffic. Unit: bit/s. | 11428 |
| `in_packet_bytes` | The total number of bytes in inbound traffic. | 2857 |
| `in_packet_count` | The total number of packets in inbound traffic. | 18 |
| `in_pps` | The packet rate of inbound traffic. Unit: packet/s. | 9 |
| `ip_protocol` | The IP protocol of the traffic. Valid values: TCP; UDP. | TCP |
| `out_bps` | The traffic rate of outbound traffic. Unit: bit/s. | 27488 |
| `out_packet_bytes` | The number of bytes in outbound traffic. | 6872 |
| `out_packet_count` | The number of packets in outbound traffic. | 15 |
| `out_pps` | The packet rate of outbound traffic. Unit: packet/s. | 7 |
| `region_id` | The region of the traffic. | cn-beijing |
| `rule_result` | The processing result of the traffic that matches the access control policy. Valid values: pass (the traffic is allowed to pass Cloud Firewall); alert (the traffic is allowed to pass Cloud Firewall, but an alert is generated); drop (the traffic is denied when it tries to pass Cloud Firewall). | pass |
| `src_ip` | The source IP address of the traffic. | 1.1.1.1 |
| `src_port` | The source port of the traffic. | 47915 |
| `start_time` | The time a session started. Unit: seconds (UNIX timestamp). | 1555399258 |
| `start_time_min` | The time a session started, which is an integer. Unit: minutes (UNIX timestamp). | 1555406460 |
| `tcp_seq` | The TCP sequence number. | 3883676672 |
| `total_bps` | The total traffic rate of inbound and outbound traffic. Unit: bit/s. | 38916 |
| `total_packet_bytes` | The total number of bytes in inbound and outbound traffic. Unit: bytes. | 9729 |
| `total_packet_count` | The total number of packets in inbound and outbound traffic. | 33 |
| `total_pps` | The total packet rate of inbound and outbound traffic. Unit: packet/s. | 16 |
| `vul_level` | The risk level of the vulnerability. Valid values: 1 (low); 2 (moderate); 3 (high). | 1 |
| `url` | The URL of the Internet website that your ECS instances access. | http://www.test.com/index.html |
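
One way to use these fields for triage, as an added example that is not part of the original documentation: it checks the enumerated fields against the valid values listed above, converts the UNIX timestamps, counts dropped inbound sessions per source IP, and lists sessions that were let through (`pass` or `alert`) with a moderate or high `vul_level`. The sample entries are constructed; string-typed values and an optional `vul_level` field are assumptions about the exported log format.

```python
from collections import Counter
from datetime import datetime, timezone

# Valid values as listed in the field reference.
ENUMS = {"direction": {"in", "out"}, "ip_protocol": {"TCP", "UDP"},
         "rule_result": {"pass", "alert", "drop"}}
VUL_LEVELS = {"1": "low", "2": "moderate", "3": "high"}

# Constructed sample entries. Values are strings (assumption about the export).
BASE = {"ip_protocol": "TCP", "start_time": "1555399258", "end_time": "1555399260"}
SAMPLE_LOGS = [
    {**BASE, "direction": "in", "rule_result": "drop",
     "src_ip": "198.51.100.7", "dst_ip": "10.0.0.5", "dst_port": "445"},
    {**BASE, "direction": "in", "rule_result": "drop",
     "src_ip": "198.51.100.7", "dst_ip": "10.0.0.6", "dst_port": "445"},
    {**BASE, "direction": "in", "rule_result": "alert", "vul_level": "3",
     "src_ip": "203.0.113.9", "dst_ip": "10.0.0.5", "dst_port": "443"},
    {**BASE, "direction": "out", "rule_result": "pass", "vul_level": "1",
     "src_ip": "10.0.0.5", "dst_ip": "192.0.2.20", "dst_port": "443"},
]

def normalize(entry):
    """Reject undocumented enum values, then type the numeric and time fields."""
    for field, allowed in ENUMS.items():
        if entry.get(field) not in allowed:
            raise ValueError(f"{field}={entry.get(field)!r} is not a documented value")
    start, end = int(entry["start_time"]), int(entry["end_time"])
    return {**entry,
            "dst_port": int(entry["dst_port"]),
            "duration_s": end - start,
            "started_utc": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
            # vul_level is treated as optional (assumption); absent maps to "none".
            "severity": VUL_LEVELS.get(entry.get("vul_level"), "none")}

def triage(entries):
    """Return (dropped inbound sessions per source, allowed-but-risky sessions)."""
    blocked, allowed_risky = Counter(), []
    for e in map(normalize, entries):
        if e["direction"] == "in" and e["rule_result"] == "drop":
            blocked[e["src_ip"]] += 1
        # pass and alert both let the traffic through, so moderate/high
        # findings on those sessions are the ones that need follow-up.
        if e["rule_result"] in ("pass", "alert") and e["severity"] in ("moderate", "high"):
            allowed_risky.append((e["src_ip"], e["dst_port"], e["rule_result"], e["severity"]))
    return blocked, allowed_risky

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))
```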