This topic describes the fields of access logs in Web Application Firewall (WAF).
|__topic__||The topic of a log entry. Valid value: waf_access_log.|
|owner_id||The ID of an Alibaba Cloud account.|
|acl_action||The action that is performed by WAF. This is the action that is triggered in response to a request based on an HTTP ACL policy, for example, pass, drop, or captcha. If the value is null or a hyphen (-), this field also indicates the pass action.|
|acl_blocks||Indicates whether a request is blocked by an HTTP ACL policy.|
|antibot||The type of an Anti-Bot Service protection policy that is matched. Valid values:
|antibot_action||The action that is performed based on an Anti-Bot Service protection policy. Valid values:
|block_action||The type of a WAF protection feature that is matched. Valid values:
|body_bytes_sent||The size of an HTTP message body that is sent to a client. Unit: bytes.|
|cc_action||The action that is performed based on an HTTP flood protection policy. The action can be none, challenge, pass, close, captcha, wait, login, or n.|
|cc_blocks||Indicates whether the request is blocked by the HTTP flood protection feature.|
|cc_phase||The HTTP flood protection policy that is triggered. The policy can be seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, or qps_overmax.|
|content_type||The content type of an access request.|
|host||The origin server.|
|http_cookie||The Cookie HTTP header. This field includes the information of a client.|
|http_referer||The Referer HTTP header. This field includes the information of the source URL. If no information of the source URL is logged, a hyphen (-) is displayed.|
|http_user_agent||The User-Agent HTTP header. This field includes information such as a client browser and an operating system.|
|http_x_forwarded_for||The X-Forwarded-For (XFF) HTTP header. This field identifies the original IP address of a client that connects to a web server by using an HTTP proxy or load balancing device.|
|https||Indicates whether the request is an HTTPS request. Valid values:
|matched_host||The matched origin server. This can be a wildcard domain name. If no origin server is matched, a hyphen (-) is displayed.|
|querystring||The query string in a request URL.|
|real_client_ip||The real IP address of a client. If no real IP address is obtained, a hyphen (-) is displayed.|
|region||The region where a WAF instance resides.|
|remote_addr||The IP address of a client that sends a request.|
|remote_port||The port number of a client.|
|request_length||The size of a request message. Unit: bytes.|
|request_method||The method of an HTTP access request.|
|request_path||The relative path of a request. The query string is not included.|
|request_time_msec||The duration in which a request is processed. Unit: milliseconds.|
|request_traceid||The unique ID of a request that is traced by WAF.|
|server_protocol||The type and version number of a response protocol that is used by an origin server.|
|status||The HTTP status code that is returned by WAF to a client.|
|time||The time when a request is sent.|
|ua_browser||The information of a browser that sends a request.|
|ua_browser_family||The family of a browser that sends a request.|
|ua_browser_type||The type of a browser that sends a request.|
|ua_browser_version||The version of a browser that sends a request.|
|ua_device_type||The type of a client.|
|ua_os||The operating system of a client.|
|ua_os_family||The family of the operating system that runs on a client.|
|upstream_addr||The list of back-to-origin IP addresses used by WAF. Each IP address is in the IP:Port format. Multiple IP addresses are separated by commas (,).|
|upstream_ip||The IP address of an origin server that responds to a request. For example, if the origin server is an Elastic Compute Service (ECS) instance, the value of this field is the IP address of the ECS instance.|
|upstream_response_time||The duration in which an origin server processes a WAF request. Unit: seconds. If a hyphen (-) is returned, this field indicates that the response times out.|
|upstream_status||The status code that an origin server returns to WAF. If a hyphen (-) is returned, the request is blocked by WAF or the response from the origin server times out.|
|user_id||The ID of an Alibaba Cloud account.|
|waf_action||The action that is performed based on a web attack protection policy.|
|web_attack_type||The type of a web attack, for example, xss, code_exec, webshell, sqli, lfilei, rfilei, or other.|
|waf_rule_id||The ID of a WAF rule that is matched.|
|ssl_cipher||The SSL cipher suite.|
|ssl_protocol||The version of the SSL protocol.|
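
The hyphen and null conventions in the table above are easy to mishandle when these logs feed a detection pipeline. The following is an added example, not part of the original documentation, that normalizes them; it assumes each entry has already been decoded into a Python dict of strings, and the fallback from real_client_ip to remote_addr, the function names, and all sample values are constructed for illustration.

```python
HYPHEN = "-"  # marker the field table uses for "no value"

def is_blank(value):
    """True for null or a hyphen, the two 'no value' forms named in the table."""
    return value is None or value == HYPHEN

def parse_upstream_addr(value):
    """Split upstream_addr (comma-separated IP:Port entries) into (ip, port) tuples."""
    if is_blank(value):
        return []
    pairs = []
    for item in value.split(","):
        ip, sep, port = item.strip().rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"not in IP:Port format: {item!r}")
        pairs.append((ip, int(port)))
    return pairs

def normalize(entry):
    """Resolve the hyphen/null conventions of one access-log entry."""
    acl = entry.get("acl_action")
    status = entry.get("upstream_status")
    resp_time = entry.get("upstream_response_time")
    real_ip = entry.get("real_client_ip")
    return {
        # null or "-" also means the pass action
        "acl_action": "pass" if is_blank(acl) else acl,
        "upstream_addr": parse_upstream_addr(entry.get("upstream_addr")),
        # "-" means blocked by WAF or origin timeout: no origin status exists
        "upstream_status": None if is_blank(status) else int(status),
        # "-" means the response timed out
        "upstream_timed_out": resp_time == HYPHEN,
        "upstream_response_time_s": None if is_blank(resp_time) else float(resp_time),
        # Assumption of this example: use remote_addr when no real IP was obtained
        "client_ip": entry.get("remote_addr") if is_blank(real_ip) else real_ip,
    }

# Constructed sample entries (documentation-range addresses, not real traffic)
SAMPLE_FORWARDED = {
    "acl_action": "-", "real_client_ip": "203.0.113.7", "remote_addr": "198.51.100.20",
    "upstream_addr": "192.0.2.10:80,192.0.2.11:8080",
    "upstream_status": "200", "upstream_response_time": "0.044"}
SAMPLE_NO_ORIGIN = {
    "acl_action": "drop", "real_client_ip": "-", "remote_addr": "198.51.100.20",
    "upstream_addr": "-", "upstream_status": "-", "upstream_response_time": "-"}

if __name__ == "__main__":
    for sample in (SAMPLE_FORWARDED, SAMPLE_NO_ORIGIN):
        print(normalize(sample))
```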