WAF keeps detailed log entries for your domains, including access requests and attack logs. Each log entry contains dozens of fields. You can perform query and analysis based on specific fields.

Field Description Example
__topic__ The topic of the log entry. The value of this field is waf_access_log, which cannot be changed. waf_access_log
acl_action The action generated by the WAF HTTP ACL policy to the request, such as pass, drop, and captcha.
Note If the value is null or -, it indicates that the action is pass.
pass
acl_blocks Indicates whether the request is blocked by the HTTP ACL policy.
  • If the value is 1, the request is blocked.
  • If the value is not 1, the request is passed.
 1
antibot The type of the Anti-Bot Service protection strategy that applies, which includes:
  • ratelimit: Frequency control
  • sdk: APP protection
  • intelligence: Algorithmic model
  • acl: HTTP ACL policy
  • blacklist: Blacklist
 ratelimit
antibot_action The action performed by the Anti-Bot Service protection strategy, which includes:
  • challenge: Verifying using an embedded JavaScript script
  • drop: Blocking
  • report: Logging the access event
  • captcha: Verifying using a slider captcha
 challenge
block_action The type of the WAF protection that is activated, which includes:
  • tmd: Protection against HTTP flood attacks
  • waf: Protection against Web application attacks
  • acl: HTTP ACL policy
  • geo: Blocking regions
  • antifraud: Risk control for data
  • antibot: Blocking Web crawlers
 tmd
body_bytes_sent The size of the body in the access request, which is measured in Bytes. 2
cc_action Protection strategies against HTTP flood attacks, such as none, challenge, pass, close, captcha, wait, login, and n. close
cc_blocks Indicates whether the request is blocked by the CC protection.
  • If the value is 1, the request is blocked.
  • If the value is not 1, the request is passed.
 1
cc_phase The CC protection strategy that is activated, which can be seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, or qps_overmax. server_ip_blacklist
content_type The content type of the access request. application/x-www-form-urlencoded
host The source website. api.aliyun.com
http_cookie The client-side cookie, which is included in the request header. k1=v1;k2=v2
http_referer The URL information of the request source, which is included in the request header. - indicates no URL information. http://xyz.com
http_user_agent The User Agent field in the request header, which contains information such as the client browser and the operating system. Dalvik/2.1.0 (Linux; U; Android 7.0; EDI-AL10 Build/HUAWEIEDISON-AL10)
http_x_forwarded_for The X-Forwarded-For (XFF) information in the request header, which identifies the original IP address of the client that connects to the Web server using a HTTP proxy or load balancing. -
https Indicates whether the request is an HTTPS request.
  • true: the request is an HTTPS request.
  • false: the request is an HTTP request.
 true
matched_host The matched domain name (extensive domain name) that is protected by WAF. If no domain has been matched, the value is -. *.aliyun.com
querystring The query string in the request. title=tm_content%3Darticle&pid=123
real_client_ip The real IP address of the client. If the system cannot get the real IP address, the value is -. 1.2.3.4
region The information of the region where the WAF instance is located. cn
remote_addr The IP address of the client that sends the access request. 1.2.3.4
remote_port The port of the client that sends the access request. 3242
request_length The size of the request, measured in Bytes. 123
request_method The HTTP request method used in the access request. GET
request_path The relative path of the request. The query string is not included. /news/search.php
request_time_msec The request time, which is measured in microseconds. 44
request_traceid The unique ID of the access request that is recorded by WAF. 7837b********************ea1f0
server_protocol The response protocol and the version number of the origin server. HTTP/1.1
status The status of the HTTP response to the client returned by WAF. 200
time The time when the access request occurs. 2018-05-02T16:03:59+08:00
ua_browser The information of the browser that sends the request. ie9
ua_browser_family The family of the browser that the sent the request. internet explorer
ua_browser_type The type of the browser that the sent the request. web_browser
ua_browser_version The version of the browser that sends the request. 9.0
ua_device_type The type of the client device that sends the request. computer
ua_os The operating system used by the client that sends the request. windows_7
ua_os_family The family of the operating system used by the client. windows
upstream_addr A list of origin addresses, separated by commas. The format of an address is IP:Port. 1.2.3.4:443
upstream_ip The origin IP address that corresponds to the access request. For example, if the origin server is an ECS instance, the value of this field is the IP address of the ECS instance. 1.2.3.4
upstream_response_time The time that the origin site takes to respond to the WAF request, which is measured in seconds. "-" indicates the timeout of the request. 0.044
upstream_status The response status that WAF receives from the origin server. "-" indicates that no response is received. The reason can be the response timeout, or the request being blocked by WAF. 200
user_id Alibaba Cloud account ID. 12345678
waf_action The action from the Web attack protection policy.
  • If the value is block, the attack is blocked.
  • If the value is bypass or other values, the attack is ignored.
 block
web_attack_type The Web attack type such as xss, code_exec, webshell, sqli, lfilei, rfilei, and other. xss
waf_rule_id The ID of the WAF rule that is matched. 100