This topic describes the fields of traffic logs that are recorded for the Internet and virtual private cloud (VPC) firewalls in Cloud Firewall.

Fields of Internet firewall logs

Log field Description
__topic__ The topic of a log. The value is fixed as cloudfirewall_access_log.
owner_id The ID of an Alibaba Cloud account.
log_type The type of log. The value is fixed as internet_log.
app_name The type of application. Valid values include HTTPS, NTP, SIP, SMB, NFS, and DNS. If the type is unknown, the value Unknown is displayed.
direction The direction of traffic. Valid values:
  • in: inbound traffic
  • out: outbound traffic
domain The domain name of a destination server.
dst_ip The IP address of a destination server.
dst_port The destination port.
end_time The time at which a session ends. The value is a UNIX timestamp. Unit: seconds.
in_bps The rate of inbound traffic. Unit: bit/s.
in_packet_bytes The total size of inbound packets. Unit: bytes.
in_packet_count The total number of inbound packets.
in_pps The rate of inbound packets. Unit: packets per second (pps).
ip_protocol The type of IP protocol. TCP and UDP are supported.
out_bps The rate of outbound traffic. Unit: bit/s.
out_packet_bytes The total size of outbound packets. Unit: bytes.
out_packet_count The total number of outbound packets.
out_pps The rate of outbound packets. Unit: pps.
region_id The ID of the region from which access traffic originates.
rule_result The result of how an access control policy processes access traffic. Valid values:
  • pass: Access traffic is allowed to pass Cloud Firewall.
  • alert: An alert is triggered when access traffic passes Cloud Firewall.
  • drop: Access traffic is blocked.
src_ip The IP address of a source server.
src_port The source port. A host sends data from this port.
start_time The time at which a session starts. The value is a UNIX timestamp. Unit: seconds.
start_time_min The time at which a session starts. The value is a UNIX timestamp. The value is rounded up to the next minute. Unit: seconds.
tcp_seq The sequence number of a TCP segment.
total_bps The total rate of inbound and outbound traffic. Unit: bit/s.
total_packet_bytes The total size of inbound and outbound packets. Unit: bytes.
total_packet_count The total number of inbound and outbound packets.
total_pps The total rate of inbound and outbound packets. Unit: pps.
src_private_ip The private IP address of a source server.
vul_level The risk level of a vulnerability. Valid values:
  • 1: low
  • 2: medium
  • 3: high
url The URL that is accessed.
acl_rule_id The ID of an access control list (ACL) policy that is matched.
ips_rule_id The ID of an intrusion prevention system (IPS) policy that is matched.
ips_ai_rule_id The ID of an intelligent policy that is matched.
ips_rule_name The Chinese name of an IPS policy that is matched.
ips_rule_name_en The English name of an IPS policy that is matched.
attack_type_name The Chinese name of an attack type.
attack_type_name_en The English name of an attack type.
proxy_acl_rule_id The ID of an ACL policy that is matched by forward proxies.

Fields of VPC firewall logs

Log field Description
__topic__ The topic of a log. The value is fixed as cloudfirewall_vpc_log.
log_type The type of log. The value is fixed as vpc_firewall_log.
aliuid The ID of an Alibaba Cloud account.
app_name The type of application. Valid values include HTTPS, NTP, SIP, SMB, NFS, and DNS. If the type is unknown, the value Unknown is displayed.
domain The domain name of a destination server.
dst_ip The IP address of a destination server.
dst_port The destination port.
dst_region The ID of the region for which access traffic is destined.
dst_network_instance_id The ID of the instance for which access traffic is destined. The instance may be a VPC, virtual border router (VBR), or Cloud Connect Network (CCN).
end_time The time at which a session ends. The value is a UNIX timestamp. Unit: seconds.
firewall_id The ID of a VPC firewall.
  • If Cloud Enterprise Network (CEN) is used, the ID of the CEN instance is displayed. Example: cen-6srj4tvjjovhbc.
  • If Express Connect is used, the ID of the firewall instance is displayed. Example: vfw-123.
in_bps The rate of inbound traffic. Unit: bit/s.
in_packet_bytes The total size of inbound packets. Unit: bytes.
in_packet_count The total number of inbound packets.
in_pps The rate of inbound packets. Unit: pps.
ip_protocol The type of IP protocol. TCP and UDP are supported.
out_bps The rate of outbound traffic. Unit: bit/s.
out_packet_bytes The total size of outbound packets. Unit: bytes.
out_packet_count The total number of outbound packets.
out_pps The rate of outbound packets. Unit: pps.
rule_result The result of how an access control policy processes access traffic. Valid values:
  • pass: Access traffic is allowed to pass Cloud Firewall.
  • alert: An alert is triggered when access traffic passes Cloud Firewall.
  • drop: Access traffic is blocked.
src_ip The IP address of a source server.
src_port The source port.
src_region The ID of the region from which access traffic originates.
src_network_instance_id The ID of the instance from which access traffic originates. The instance may be a VPC, VBR, or CCN.
start_time The time at which a session starts. The value is a UNIX timestamp. Unit: seconds.
start_time_min The time at which a session starts. The value is a UNIX timestamp. The value is rounded up to the next minute. Unit: seconds.
tcp_seq The sequence number of a TCP segment.
total_bps The total rate of inbound and outbound traffic. Unit: bit/s.
total_packet_bytes The total size of inbound and outbound packets. Unit: bytes.
total_packet_count The total number of inbound and outbound packets.
total_pps The total rate of inbound and outbound packets. Unit: pps.
vul_level The risk level of a vulnerability. Valid values:
  • 1: low
  • 2: medium
  • 3: high
ips_rule_name The Chinese name of an IPS policy that is matched.
ips_rule_name_en The English name of an IPS policy that is matched.
attack_type_name The Chinese name of an attack type.
attack_type_name_en The English name of an attack type.
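
The following added example (not part of the original documentation) shows how the two field sets above can be normalized into one record shape and triaged by rule_result and vul_level. It assumes the logs are exported as JSON lines with string values; the sample records, account ID, instance IDs, and rule name are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample records (not real traffic). JSON-lines export with
# string values is an assumption about how the logs are delivered.
SAMPLE = """\
{"__topic__":"cloudfirewall_access_log","log_type":"internet_log","owner_id":"1000000000000001","direction":"in","src_ip":"198.51.100.7","dst_ip":"203.0.113.10","dst_port":"445","app_name":"SMB","rule_result":"alert","vul_level":"3","ips_rule_name_en":"constructed-ips-rule","start_time":"1700000000","end_time":"1700000012"}
{"__topic__":"cloudfirewall_access_log","log_type":"internet_log","owner_id":"1000000000000001","direction":"out","src_ip":"203.0.113.10","dst_ip":"192.0.2.55","dst_port":"443","app_name":"HTTPS","rule_result":"pass","start_time":"1700000100","end_time":"1700000160"}
{"__topic__":"cloudfirewall_vpc_log","log_type":"vpc_firewall_log","aliuid":"1000000000000001","src_ip":"10.0.1.5","dst_ip":"10.0.2.9","dst_port":"2049","app_name":"NFS","rule_result":"drop","vul_level":"2","src_network_instance_id":"vpc-constructed-a","dst_network_instance_id":"vpc-constructed-b","start_time":"1700000200","end_time":"1700000201"}
"""

LEVELS = {"1": "low", "2": "medium", "3": "high"}  # vul_level values from the tables

def normalize(rec):
    """Map either log type onto one shape; return None for any other log_type."""
    kind = rec.get("log_type")
    if kind == "internet_log":
        account, direction = rec.get("owner_id"), rec.get("direction")
    elif kind == "vpc_firewall_log":
        # The VPC table uses aliuid for the account and lists no direction field.
        account, direction = rec.get("aliuid"), "vpc"
    else:
        return None
    return {
        "kind": kind, "account": account, "direction": direction,
        "src": rec.get("src_ip"), "dst": rec.get("dst_ip"),
        "dst_port": int(rec.get("dst_port", 0)),
        "app": rec.get("app_name", "Unknown"),
        "result": rec.get("rule_result"),
        "severity": LEVELS.get(str(rec.get("vul_level", ""))),
        "ips_rule": rec.get("ips_rule_name_en"),
        # start_time and end_time are UNIX timestamps in seconds
        "duration_s": int(rec.get("end_time", 0)) - int(rec.get("start_time", 0)),
    }

def triage(lines):
    """Return (label, event) pairs for sessions that merit review."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = normalize(json.loads(line))
        if ev is None:
            continue
        # alert means the traffic passed Cloud Firewall but triggered an alert
        if ev["result"] == "alert" and ev["severity"] in ("medium", "high"):
            findings.append(("passed-with-alert", ev))
        elif ev["result"] == "drop":
            findings.append(("blocked", ev))
    return findings
```
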