After you enable the full log feature, Web Application Firewall (WAF) logs all access requests to your website. You can search for and locate request logs with a few clicks. This facilitates operations and security management.
Notice The full log feature is available only to existing users who have enabled this feature.
For new users, the full log feature is no longer provided. If you want to use the
website access logs, we recommend that you enable Log Service for WAF. For more information,
see Enable Log Service for WAF.
Background information
The full log feature facilitates the following O&M tasks:
- Check whether a request is intercepted or allowed by WAF.
- Check whether request interception is triggered by ACL rules for web attack protection or HTTP flood attack protection, or custom ACL rules.
- Query the time taken by the origin server to respond to a request and check whether the response times out.
- Query a request by using a combination of the following conditions: source IP address, URL keyword, Cookie, Referer, User-Agent, X-Forwarded-For (XFF), and HTTP status code.
Usage notes
- If you enable the full log feature, WAF logs all the web requests that pass through WAF. POST requests are not logged.
- A subscription WAF instance stores all web access logs from the last month.
Note If you want to store logs for 180 days and meet the classified protection requirements, we recommend that you enable Log Service for WAF. For more information, see Enable Log Service for WAF.
- A WAF instance allows you to enable the full log feature for a maximum of 100 domains.
Enable the full log feature
Query full logs
Advanced search conditions
Field | Description |
---|---|
Source IP | The source IP address of the client. |
URL Key Words | The URL of the access requests.
Note You can enter forward slashes (/) in this field. For example, enter
/ntis/cashier .
|
Cookie | The Cookie HTTP header. This field provides the source information of the client. |
Referer | The Referer HTTP header. This field provides the source URL of the client. |
User-Agent | The User-Agent HTTP header. This field includes the client information, such as the browser and operating system. |
X-Forwarded-For | The X-Forwarded-For HTTP header. |
Server Response Code | The status code that the origin server returns to WAF.
It contains a maximum of three digits and supports fuzzy search. For example, if you
enter
4* for search, the system returns all status codes that start with 4.
Note
|
Status Code Returned by WAF | The status code that WAF returns to the client.
It contains a maximum of three digits and supports fuzzy search. For example, if you
enter
4* for search, the system returns all status codes that start with 4.
Note
|
Request Unique ID | The specific access request. If an access request is intercepted, you can enter its ID for search. |
Request domain name | If you have enabled the full log feature for wildcard domains, you can specify this field to search for first-level subdomains. |
Protection policies | The protection policies to apply. Valid values: Web Attack Blocking, HTTP Flood Protection Policies, HTTP ACL Policies, Data Risk Control, Block IPs Initiating Frequent Web Attacks, Directory Scan Protection, Scanning Tool Blocking, and Collaborative Defense. |
Access log fields
Field | Meaning | Description |
---|---|---|
Time | Access time | The time when the access request was initiated. This field is a UTC time record in the log file. |
Domain | Access domain | The domain that is requested. |
Source_IP | Source IP address | The source IP address of the client. |
IP_City | Region of the source IP address | The region in which the source IP address is located. If the source IP address is located in mainland China, this field can be accurate to the city level. |
IP_Country | Country of the source IP address | The country in which the source IP address is located. |
Method | Access request method | The request method specified in the request line. |
URL | Access request URL | The URL of the requested resource specified in the request line. |
Https | Access request protocol | The protocol of the access request specified in the request line. |
Referer | Referer HTTP | The Referer HTTP header. This field provides the source URL of the client. |
User-Agent | User-Agent HTTP | The User-Agent HTTP header. This field includes the client information, such as the browser and operating system. |
X-Forwarded-For | X-Forwarded-For HTTP | The X-Forwarded-For HTTP header. This field identifies the real IP address of the client that connects to the web server by using an HTTP proxy or load balancing device. |
Cookie | Cookie HTTP | The Cookie HTTP header. This field provides the source information of the client. |
Attack_Type | Protection status |
The result after WAF processes the access request:
|
Status | Response status code | The status code that WAF returns to the client. |
Upstream_Status | Response status code of the origin server | The status code that the origin server returns to WAF. If the value of this field
is a hyphen (- ), the request is blocked by WAF or the response from the origin server times out.
|
Upstream_IP | IP address of the origin server | The IP address of the origin server for the access request. For example, if the origin server of WAF is an ECS instance, the value of this field is the IP address of the ECS instance. |
Upstream_Time | Response time of the origin server | The time taken by the origin server to respond to a request from WAF. If the value
of this field is a hyphen (- ), the response times out.
|