After you enable the full log feature, Web Application Firewall (WAF) logs all access requests to your website. You can search for and locate request logs with a few clicks. This facilitates operations and security management.

Notice: The full log feature is available only to existing users who have enabled this feature. For new users, the full log feature is no longer provided. If you want to use the website access logs, we recommend that you enable Log Service for WAF. For more information, see Enable Log Service for WAF.

Background information

The full log feature facilitates the following O&M tasks:
  • Check whether a request is intercepted or allowed by WAF.
  • Check whether request interception is triggered by ACL rules for web attack protection or HTTP flood attack protection, or custom ACL rules.
  • Query the time taken by the origin server to respond to a request and check whether the response times out.
  • Query a request by using a combination of the following conditions: source IP address, URL keyword, Cookie, Referer, User-Agent, X-Forwarded-For (XFF), and HTTP status code.

Usage notes

  • If you enable the full log feature, WAF logs the web requests that pass through WAF, with one exception: POST requests are not logged.
  • A subscription WAF instance stores all web access logs from the last month.
    Note: If you want to store logs for 180 days and meet the classified protection requirements, we recommend that you enable Log Service for WAF. For more information, see Enable Log Service for WAF.
  • A WAF instance allows you to enable the full log feature for a maximum of 100 domains.

Enable the full log feature

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Asset Center > Website Access.
  4. Find the target domain and turn on Log search.
    Note: Log search is available only to existing users who have enabled the full log feature. Other users can view only Log Service. For more information about Log Service for WAF, see Overview.
    After you turn on Log search, WAF logs access requests to your website. Then, you can query the full logs. For more information, see Query full logs.
    If the full log feature is no longer required, you can also turn off Log search on the Website Access page.
    Note: After you turn off Log search, WAF does not log access requests to your website. Even if you turn on Log search later, you cannot query access request logs from the period when the switch is turned off.

Query full logs

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Log Management > Logs.
  4. On the Log Query tab, select the target domain and time range, and click Search.
    Note: If you purchase a subscription WAF instance, you can query logs from the last month.
    You can also click Advanced Search to specify more filter conditions. For more information about the filter fields supported in Advanced Search, see Advanced search conditions.
  5. View details about the returned logs.
    • In the Service Traffic section, view the access request trends from the specified time range.
    • In the Request Logs section, view the access request records that meet the specified conditions.
      For example, the following figure shows the records of access requests that are intercepted based on ACL rules. For more information about log fields, see Access log fields.
  6. Optional: Download the logs.
    You can download the logs to your computer as required.
    1. In the upper-right corner of the Log Query tab, click Log download.
    2. After the download task is created, click the View the Downloaded File tab to download the logs to your computer in the required format.
      Note: You can download a maximum of 20 million logs in a single download task. If you want to download more logs, create more tasks.

Advanced search conditions

| Field | Description |
| --- | --- |
| Source IP | The source IP address of the client. |
| URL Key Words | The URL of the access requests. Note: You can enter forward slashes (/) in this field. For example, enter /ntis/cashier. |
| Cookie | The Cookie HTTP header. This field provides the source information of the client. |
| Referer | The Referer HTTP header. This field provides the source URL of the client. |
| User-Agent | The User-Agent HTTP header. This field includes the client information, such as the browser and operating system. |
| X-Forwarded-For | The X-Forwarded-For HTTP header. |
| Server Response Code | The status code that the origin server returns to WAF. It contains a maximum of three digits and supports fuzzy search. For example, if you enter 4* for search, the system returns all status codes that start with 4. Note: Asterisks (*) can be used to match 0 or multiple digits. However, you cannot enter a number that starts with an asterisk (*). You can enter a hyphen (-) to search for access requests that do not have status information. |
| Status Code Returned by WAF | The status code that WAF returns to the client. It contains a maximum of three digits and supports fuzzy search. For example, if you enter 4* for search, the system returns all status codes that start with 4. Note: Asterisks (*) can be used to match 0 or multiple digits. However, you cannot enter a number that starts with an asterisk (*). You can enter a hyphen (-) to search for access requests that do not have status information. |
| Request Unique ID | The specific access request. If an access request is intercepted, you can enter its ID for search. |
| Request domain name | If you have enabled the full log feature for wildcard domains, you can specify this field to search for first-level subdomains. |
| Protection policies | The protection policies to apply. Valid values: Web Attack Blocking, HTTP Flood Protection Policies, HTTP ACL Policies, Data Risk Control, Block IPs Initiating Frequent Web Attacks, Directory Scan Protection, Scanning Tool Blocking, and Collaborative Defense. |

Access log fields

| Field | Meaning | Description |
| --- | --- | --- |
| Time | Access time | The time when the access request was initiated. This field is a UTC time record in the log file. |
| Domain | Access domain | The domain that is requested. |
| Source_IP | Source IP address | The source IP address of the client. |
| IP_City | Region of the source IP address | The region in which the source IP address is located. If the source IP address is located in mainland China, this field can be accurate to the city level. |
| IP_Country | Country of the source IP address | The country in which the source IP address is located. |
| Method | Access request method | The request method specified in the request line. |
| URL | Access request URL | The URL of the requested resource specified in the request line. |
| Https | Access request protocol | The protocol of the access request specified in the request line. |
| Referer | Referer HTTP | The Referer HTTP header. This field provides the source URL of the client. |
| User-Agent | User-Agent HTTP | The User-Agent HTTP header. This field includes the client information, such as the browser and operating system. |
| X-Forwarded-For | X-Forwarded-For HTTP | The X-Forwarded-For HTTP header. This field identifies the real IP address of the client that connects to the web server by using an HTTP proxy or load balancing device. |
| Cookie | Cookie HTTP | The Cookie HTTP header. This field provides the source information of the client. |
| Attack_Type | Protection status | The result after WAF processes the access request. 0: No attacks are detected. 1: Rules are triggered to protect against web application attacks. 2: Rules are triggered to protect against HTTP flood attacks. 3: Rules are triggered to implement precise access control. 4: Policies are triggered to block requests from specified regions. 5: Policies are triggered to control data risks. 6: Rules are triggered to block IP addresses from which scanning attacks are frequently initiated. 7: Rules are triggered to protect against directory traversal attacks. 8: Policies are triggered to implement collaborative protection. 9: Rules are triggered to block scanning tools. |
| Status | Response status code | The status code that WAF returns to the client. |
| Upstream_Status | Response status code of the origin server | The status code that the origin server returns to WAF. If the value of this field is a hyphen (-), the request is blocked by WAF or the response from the origin server times out. |
| Upstream_IP | IP address of the origin server | The IP address of the origin server for the access request. For example, if the origin server of WAF is an ECS instance, the value of this field is the IP address of the ECS instance. |
| Upstream_Time | Response time of the origin server | The time taken by the origin server to respond to a request from WAF. If the value of this field is a hyphen (-), the response times out. |
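
The following is an added example, not part of the original documentation. It applies the field semantics above to downloaded logs offline: it decodes Attack_Type, separates WAF blocks from origin timeouts when Upstream_Status is a hyphen, and reproduces the status-code wildcard rules from the Advanced search conditions table. The CSV layout, the sample rows, and the function names are assumptions; treating a hyphen with Attack_Type 0 as a timeout is a heuristic of this example.

```python
import csv
import io
import re

# Attack_Type codes, paraphrased from the "Access log fields" table on this page.
ATTACK_TYPES = {
    "0": "no attack detected", "1": "web application attack rule",
    "2": "HTTP flood rule", "3": "precise access control rule",
    "4": "region blocking policy", "5": "data risk control policy",
    "6": "frequent-scanner IP block", "7": "directory traversal rule",
    "8": "collaborative protection policy", "9": "scanning tool block",
}

# Constructed sample rows; the CSV layout is an assumption of this example.
SAMPLE = """\
Time,Source_IP,URL,Attack_Type,Status,Upstream_Status,Upstream_Time
2024-01-01T00:00:01Z,203.0.113.10,/index.html,0,200,200,0.012
2024-01-01T00:00:02Z,198.51.100.7,/ntis/cashier,1,403,-,-
2024-01-01T00:00:03Z,203.0.113.10,/report,0,504,-,-
2024-01-01T00:00:04Z,198.51.100.7,/admin/,3,403,-,-
2024-01-01T00:00:05Z,203.0.113.44,/missing,0,404,404,0.003
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def status_matches(pattern, value):
    """Apply the documented status-code search rules to one logged value."""
    if pattern == "-":                      # hyphen: no status information
        return value == "-"
    if not re.fullmatch(r"\d[\d*]{0,2}", pattern):
        raise ValueError("at most three characters, digits or *, not starting with *")
    return re.fullmatch(pattern.replace("*", r"\d*"), value) is not None

def classify(row):
    """Return (disposition, detail); the blocked/timeout split is a heuristic."""
    code = row["Attack_Type"]
    rule = ATTACK_TYPES.get(code, "unknown code " + code)
    if row["Upstream_Status"] == "-":       # blocked by WAF or origin timed out
        return ("blocked", rule) if code != "0" else ("origin-timeout", "no upstream reply")
    return ("rule-triggered", rule) if code != "0" else ("passed", rule)

def search(rows, waf_status=None, upstream_status=None):
    """Filter rows the way the two status-code search fields are described."""
    return [r for r in rows
            if (waf_status is None or status_matches(waf_status, r["Status"]))
            and (upstream_status is None
                 or status_matches(upstream_status, r["Upstream_Status"]))]

if __name__ == "__main__":
    for r in load(SAMPLE):
        print(r["Time"], r["Source_IP"], r["URL"], *classify(r))
```

Rows classified as origin-timeout are availability signals rather than security events, so they are worth routing to a different queue than the blocked rows.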