
Cloud Firewall:Log fields

Last Updated:Apr 12, 2024

Cloud Firewall automatically collects and stores logs of inbound and outbound traffic in real time. You can specify a log field to query the required log content. This facilitates log analysis and troubleshooting. This topic describes the log fields of Cloud Firewall and the log fields that support indexes.

Cloud Firewall log fields

The fields described in this topic are recorded by the following firewalls:

  • Internet firewall

  • NAT firewall

  • VPC firewall

Log field descriptions

| Field | Description | Example |
|---|---|---|
| __time__ | The time when the log is written to a Logstore. | 1703483369 |
| __topic__ | The topic of the log. The value is fixed as cloudfirewall_access_log, which indicates a traffic log of Cloud Firewall. | cloudfirewall_access_log |
| acl_rule_id | The ID of the access control policy that the traffic hits. If the value is 00000000-0000-0000-0000-000000000000, no access control policy is hit. | 073a1475-6e11-43e2-8b28-98cee9c6**** |
| aliuid | The ID of the Alibaba Cloud account. | 1233333333**** |
| app_dpi_state | The identification status of the application. Valid values: success: the application is successfully identified; policy_discard: the application is blocked by a policy; tcp_not_establish: the TCP connection failed to be established; analysing: the application is being analyzed; no_payload: no payload is received; unknown_loose: the application is unidentified in Loose mode; unknown_strict: the application is unidentified in Strict mode; none: no identification status is recorded for the application. | success |
| app_name | The application type of the traffic. Valid values: HTTPS, NTP, SIP, SMB, NFS, DNS, and Unknown. | HTTPS |
| attack_type_name_en | The name of the attack type included in the traffic. | Mining Behavior |
| country_id | The country or region, as a two-letter ISO 3166-1 code. If the value of direction is in, this is the country or region from which the traffic is initiated. If the value of direction is out, this is the country or region for which the traffic is destined. | CN |
| cloud_instance_id | The ID of the protected asset instance. | ngw-bp1d5bx2orlw1p2wn**** |
| direction | The direction of the traffic. Valid values: in: inbound traffic to your Elastic Compute Service (ECS) instances from other ECS instances in the internal network or from servers on the Internet; out: outbound traffic from your ECS instances to other ECS instances in the internal network or to servers on the Internet. Note: Virtual private cloud (VPC) firewalls do not differentiate between inbound and outbound traffic; for VPC firewalls the value of this field is fixed as out. | in |
| domain | The destination domain name of the traffic. Note: This field is displayed only when the traffic is outbound and contains domain name information. | www.aliyundoc.com |
| dst_ip | The destination IP address of the traffic. | 39.108.XX.XX |
| dst_port | The destination port of the traffic. | 443 |
| end_time | The time when the session ends, as a UNIX timestamp. Unit: seconds. | 1702367350 |
| in_bps | The rate of inbound traffic. Unit: bit/s. | 42 |
| in_packet_bytes | The total number of bytes of inbound traffic. Unit: bytes. | 58 |
| in_packet_count | The number of packets of inbound traffic. | 1 |
| in_pps | The average rate of inbound traffic. Unit: packets per second. Note: If the rate is less than 1, the field is displayed as 0; no decimal places are displayed. | 1 |
| ip_protocol | The IP protocol of the traffic. Valid values: tcp, udp, and icmp. | tcp |
| ips_ai_rule_id | The ID of the recommended intelligent access control policy that the traffic hits. If the value is 00000000-0000-0000-0000-000000000000, no recommended intelligent access control policy is hit. | 00000000-0000-0000-0000-000000000000 |
| ips_rule_id | The ID of the intrusion prevention policy that the traffic hits. If the value is 00000000-0000-0000-0000-000000000000, no intrusion prevention policy is hit. | 00000000-0000-0000-0000-000000000000 |
| ips_rule_name_en | The name of the intrusion prevention policy that the traffic hits. | Mining behavior on the host |
| log_type | The log type. Valid values: internet_log: logs of the Internet firewall; vpc_firewall_log: logs of VPC firewalls; nat_firewall_log: logs of NAT firewalls; ipv6_firewall_log: traffic protection logs of IPv6 addresses. | internet_log |
| loose_allow_acl_id | The ID of the pre-match access control policy. Valid values: 00000000-0000-0000-0000-000000000000: no unidentified traffic is allowed; any other value: unidentified traffic is allowed, and the value is the ID of the access control policy that allows it. | 00000000-0000-0000-0000-000000000000 |
| new_conn | Indicates whether the connection is a new connection. Valid values: 1: yes; 0: no. | 1 |
| out_bps | The rate of outbound traffic. Unit: bit/s. | 0 |
| out_packet_bytes | The total number of bytes of outbound traffic. Unit: bytes. | 0 |
| out_packet_count | The number of packets of outbound traffic. | 0 |
| out_pps | The average rate of outbound traffic. Unit: packets per second. Note: If the rate is less than 1, the field is displayed as 0; no decimal places are displayed. | 0 |
| region_id | The region ID. For more information about region IDs, see Supported regions. If the value of direction is in, this is the source region ID of the traffic. If the value of direction is out, this is the destination region ID of the traffic. | cn-beijing |
| rule_result | The action taken on the traffic. For traffic that hits an access control policy, valid values are: pass: allow; alert: monitor; drop: deny. For traffic that hits an intrusion prevention policy, valid values are: alert: an alert is generated for the traffic; drop: the traffic is blocked. | alert |
| rule_source | The source of the policy that the traffic hits. Valid values: basic_acl: access control; intelligence: threat intelligence; ips_basic_rule: basic protection; virtual_patch: virtual patching; unknown. | basic_acl |
| src_ip | The source IP address of the traffic. | 167.94.XX.XX |
| src_port | The source port of the traffic, that is, the port on the host from which the traffic is sent. | 47915 |
| start_time | The time when the session starts, as a UNIX timestamp. Unit: seconds. | 1701759171 |
| start_time_min | The start time of the session truncated to the minute, as a UNIX timestamp. Unit: seconds. | 1701759120 |
| tcp_seq | The TCP sequence number. | 388367**** |
| total_bps | The total rate of inbound and outbound traffic. Unit: bit/s. | 42 |
| total_packet_bytes | The total number of bytes of inbound and outbound traffic. Unit: bytes. | 58 |
| total_packet_count | The total number of packets of inbound and outbound traffic. | 1 |
| total_pps | The average rate of inbound and outbound traffic. Unit: packets per second. Note: If the rate is less than 1, the field is displayed as 0; no decimal places are displayed. | 0 |
| url | The URL of the website that the server accesses. Note: This field is displayed only when the value of app_name is HTTP. | http://aliyundoc.com/index.html |
| vul_level | The risk level of the vulnerability exploited by malicious traffic. Valid values: 0: no vulnerability is exploited; 1: low-risk vulnerability; 2: medium-risk vulnerability; 3: high-risk vulnerability. | 1 |
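As an added example (not Alibaba Cloud's code), the following Python triages exported traffic records using the all-zero sentinel in acl_rule_id, ips_rule_id and loose_allow_acl_id together with rule_result, and flags rows whose byte counters do not add up. The records are constructed samples with placeholder policy IDs, and the check that total_packet_bytes equals in_packet_bytes plus out_packet_bytes follows from the field definitions above.

```python
from collections import Counter

# Sentinel value the fields acl_rule_id, ips_rule_id and loose_allow_acl_id
# carry when no policy was hit.
NO_POLICY = "00000000-0000-0000-0000-000000000000"

# Constructed sample records shaped like exported Logstore rows; IDs are
# placeholders and only the fields this example reads are kept.
SAMPLE_LOGS = [
    {"direction": "in", "app_dpi_state": "success", "rule_source": "basic_acl",
     "rule_result": "pass", "acl_rule_id": "PLACEHOLDER-ACL-RULE-ID",
     "ips_rule_id": NO_POLICY, "loose_allow_acl_id": NO_POLICY,
     "in_packet_bytes": 58, "out_packet_bytes": 0, "total_packet_bytes": 58},
    {"direction": "out", "app_dpi_state": "success", "rule_source": "ips_basic_rule",
     "rule_result": "alert", "acl_rule_id": NO_POLICY,
     "ips_rule_id": "PLACEHOLDER-IPS-RULE-ID", "loose_allow_acl_id": NO_POLICY,
     "in_packet_bytes": 120, "out_packet_bytes": 960, "total_packet_bytes": 1080},
    {"direction": "out", "app_dpi_state": "unknown_loose", "rule_source": "basic_acl",
     "rule_result": "pass", "acl_rule_id": NO_POLICY, "ips_rule_id": NO_POLICY,
     "loose_allow_acl_id": "PLACEHOLDER-LOOSE-ACL-ID",
     "in_packet_bytes": 0, "out_packet_bytes": 300, "total_packet_bytes": 310},
]

def triage(rec):
    """Classify a record by which policy ID is set and what rule_result says."""
    if rec["ips_rule_id"] != NO_POLICY:
        # Intrusion prevention hit: "alert" only raised an alert, "drop" blocked.
        return "ips_" + rec["rule_result"]
    if rec["loose_allow_acl_id"] != NO_POLICY:
        # A pre-match policy allowed traffic the engine could not identify
        # (app_dpi_state is unknown_loose here); review rather than trust it.
        return "loose_allowed"
    if rec["acl_rule_id"] != NO_POLICY:
        return "acl_" + rec["rule_result"]  # pass, alert or drop
    return "no_policy"

def counters_consistent(rec):
    """total_packet_bytes must equal in_packet_bytes plus out_packet_bytes."""
    return rec["total_packet_bytes"] == rec["in_packet_bytes"] + rec["out_packet_bytes"]

def summarize(records):
    """Return a Counter of triage categories and the indexes of records whose
    byte counters do not add up (a sign of a truncated or malformed export)."""
    categories = Counter(triage(r) for r in records)
    inconsistent = [i for i, r in enumerate(records) if not counters_consistent(r)]
    return categories, inconsistent

if __name__ == "__main__":
    cats, bad = summarize(SAMPLE_LOGS)
    print(dict(cats), "inconsistent rows:", bad)
```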

What to do next

  • You can enable the log analysis feature of Cloud Firewall. For more information, see Enable log analysis.

  • You can query and analyze collected logs in real time to monitor traffic exceptions and protect your assets. For more information about how to query logs, see Query and analyze logs.

  • You can export log query and analysis results to your computer or deliver the results to Object Storage Service (OSS) for storage. For more information, see Export logs.