This topic describes the fields of access logs in Web Application Firewall (WAF).

Log field Description
__topic__ The topic of a log entry. Valid value: waf_access_log.
owner_id The ID of an Alibaba Cloud account.
acl_action The action that WAF performs in response to a request based on an HTTP ACL policy, for example, pass, drop, or captcha. If the value is null or a hyphen (-), the field also indicates the pass action.

acl_blocks Indicates whether a request is blocked by an HTTP ACL policy.
  • If the value is 1, the request is blocked.
  • If the value is not 1, the request is passed.
antibot The type of an Anti-Bot Service protection policy that is matched. Valid values:
  • ratelimit: frequency control
  • sdk: app protection
  • algorithm: intelligent algorithm
  • intelligence: bot threat intelligence
  • acl: HTTP ACL policy
  • blacklist: blacklist
antibot_action The action that is performed based on an Anti-Bot Service protection policy. Valid values:
  • challenge: verifies a request by using embedded JavaScript.
  • drop: blocks bot threats.
  • report: logs access events.
  • captcha: verifies a request by using a slider captcha.
block_action The type of a WAF protection feature that is matched. Valid values:
  • tmd: protection against HTTP flood attacks
  • waf: protection against Web application attacks
  • acl: HTTP ACL policy
  • geo: region blocking
  • antifraud: data risk control
  • antibot: anti-bot
body_bytes_sent The size of an HTTP message body that is sent to a client. Unit: bytes.
cc_action The action that is performed based on an HTTP flood protection policy. The action can be none, challenge, pass, close, captcha, wait, login, or n.
cc_blocks Indicates whether the request is blocked by the HTTP flood protection feature.
  • If the value is 1, the request is blocked.
  • If the value is not 1, the request is passed.
cc_phase The HTTP flood protection policy that is triggered. The policy can be seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, or qps_overmax.
content_type The content type of an access request.
host The origin server.
http_cookie The Cookie HTTP header. This field includes the information of a client.
http_referer The Referer HTTP header. This field includes the information of the source URL. If no information of the source URL is logged, a hyphen (-) is displayed.
http_user_agent The User-Agent HTTP header. This field includes information such as a client browser and an operating system.
http_x_forwarded_for The X-Forwarded-For (XFF) HTTP header. This field identifies the original IP address of a client that connects to a web server by using an HTTP proxy or load balancing device.
https Indicates whether the request is an HTTPS request. Valid values:
  • true: The request is an HTTPS request.
  • false: The request is an HTTP request.
matched_host The matched origin server. This can be a wildcard domain name. If no origin server is matched, a hyphen (-) is displayed.
querystring The query string in a request URL.
real_client_ip The real IP address of a client. If no real IP address is obtained, a hyphen (-) is displayed.
region The region where a WAF instance resides.
remote_addr The IP address of a client that sends a request.
remote_port The port number of a client.
request_length The size of a request message. Unit: bytes.
request_method The method of an HTTP access request.
request_path The relative path of a request. The query string is not included.
request_time_msec The duration in which a request is processed. Unit: milliseconds.
request_traceid The unique ID of a request that is traced by WAF.
server_protocol The type and version number of a response protocol that is used by an origin server.
status The HTTP status code that is returned by WAF to a client.
time The time when a request is sent.
ua_browser The information of a browser that sends a request.
ua_browser_family The family of a browser that sends a request.
ua_browser_type The type of a browser that sends a request.
ua_browser_version The version of a browser that sends a request.
ua_device_type The type of a client.
ua_os The operating system of a client.
ua_os_family The family of the operating system that runs on a client.
upstream_addr The list of back-to-origin IP addresses used by WAF. Each IP address is in the IP:Port format. Multiple IP addresses are separated by commas (,).

upstream_ip The IP address of an origin server that responds to a request. For example, if the origin server is an Elastic Compute Service (ECS) instance, the value of this field is the IP address of the ECS instance.
upstream_response_time The time that an origin server takes to process a request from WAF. Unit: seconds. A hyphen (-) indicates that the response timed out.

upstream_status The status code that an origin server returns to WAF. If a hyphen (-) is returned, the request is blocked by WAF or the response from the origin server times out.

user_id The ID of an Alibaba Cloud account.
waf_action The action that is performed based on a web attack protection policy.
  • If the value is block, the request is blocked.
  • If the value is not block, the request is passed.
web_attack_type The type of a web attack, for example, xss, code_exec, webshell, sqli, lfilei, rfilei, or other.
waf_rule_id The ID of a WAF rule that is matched.
ssl_cipher The SSL cipher suite.
ssl_protocol The version of the SSL protocol.
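
The block indicators and hyphen conventions in the table above can be combined into one verdict per request for triage. The following is an added example, not code from the WAF documentation. It assumes entries are exported as one JSON object per line with string values; the helper names and sample entries are constructed for illustration, and treating antibot_action = drop as a block follows the field description above.

```python
import json

# Constructed sample entries (not real logs), assumed to be exported as one
# JSON object per line with the field names from the table above.
SAMPLE_LINES = [
    '{"request_traceid": "t-001", "acl_action": "-", "acl_blocks": "0", "cc_blocks": "0", '
    '"waf_action": "block", "web_attack_type": "sqli", "upstream_addr": "-", "upstream_status": "-"}',
    '{"request_traceid": "t-002", "acl_action": null, "acl_blocks": "0", "cc_blocks": "0", '
    '"waf_action": "-", "upstream_addr": "192.0.2.10:443,192.0.2.11:443", '
    '"upstream_status": "-", "upstream_response_time": "-"}',
    '{"request_traceid": "t-003", "acl_action": "drop", "acl_blocks": "1", "cc_blocks": "0", '
    '"waf_action": "-", "upstream_addr": "-", "upstream_status": "-"}',
    '{"request_traceid": "t-004", "acl_action": "pass", "acl_blocks": "0", "cc_blocks": "0", '
    '"waf_action": "-", "upstream_addr": "192.0.2.10:443", "upstream_status": "200", '
    '"upstream_response_time": "0.012"}',
]

def unset(value):
    """The table treats null and a hyphen (-) as 'no value'."""
    return value is None or value in ("", "-", "null")

def blocking_modules(entry):
    """Modules whose documented block indicator is set for this request."""
    checks = [("acl", str(entry.get("acl_blocks")) == "1"),
              ("cc", str(entry.get("cc_blocks")) == "1"),
              ("waf", entry.get("waf_action") == "block"),
              ("antibot", entry.get("antibot_action") == "drop")]
    return [name for name, hit in checks if hit]

def upstream_endpoints(entry):
    """Split upstream_addr (comma-separated IP:Port) into (ip, port) pairs."""
    raw = entry.get("upstream_addr")
    if unset(raw):
        return []
    pairs = (item.strip().rpartition(":") for item in raw.split(","))
    return [(ip, int(port)) for ip, _, port in pairs]

def classify(line):
    entry = json.loads(line)
    modules = blocking_modules(entry)
    if modules:
        verdict = "blocked"
    elif unset(entry.get("upstream_status")):
        # Not blocked, so a missing origin status is the timeout case.
        verdict = "origin_timeout"
    else:
        verdict = "passed"
    acl_action = "pass" if unset(entry.get("acl_action")) else entry["acl_action"]
    return {"traceid": entry.get("request_traceid"), "verdict": verdict, "modules": modules,
            "acl_action": acl_action, "upstream": upstream_endpoints(entry)}
```

Separating "blocked" from "origin_timeout" matters because both leave upstream_status as a hyphen; only the per-module indicators tell them apart.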