This topic describes the log fields that are supported by Web Application Firewall (WAF).
Table for field retrieval
The following table describes the log fields that are supported by WAF. You can use the names of fields to retrieve the fields that you want to view.
First letter of a field name | Field |
a |
|
b |
|
c |
|
d |
|
f | Fields related to the final action: final_action | final_plugin | final_rule_id | final_rule_type |
h |
|
i | Fields related to bot threat intelligence: intelligence_action | intelligence_rule_id | intelligence_test |
m | Field used to record the matched domain names that are protected by WAF: matched_host |
n | Fields related to the positive security model: normalized_action | normalized_rule_id | normalized_rule_type | normalized_test |
q | Field used to record the query string: querystring |
r |
|
s |
|
t | Field used to record the time when requests were initiated: time |
u |
|
w |
|
Required fields
Required fields refer to the fields that must be included in WAF logs.
Field | Description | Example |
acl_rule_type | The type of the rule that is triggered. The rule is created for the blacklist or custom protection policy (ACL) feature. Valid values:
| custom |
bypass_matched_ids | The ID of the rule that is triggered to allow requests. The rule can be a whitelist rule or a custom protection rule that allows requests. If multiple rules are triggered at the same time to allow requests, this field records the IDs of the rules. Multiple IDs are separated with commas (,). | 283531 |
cc_rule_type | The type of the rule that is triggered. The rule is created for the HTTP flood protection feature or the custom protection policy (HTTP Flood Protection) feature. Valid values:
| custom |
content_type | The type of the requested content. | application/x-www-form-urlencoded |
final_action | The action that is performed by WAF on the request. Valid values:
For more information about WAF protection actions, see Description of the action field. If a request does not match a protection module, the field is not recorded. For example, if a request matches a rule that allows the request or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded. If a request matches multiple protection modules at the same time, the field records only the action that is performed. The following actions are listed in descending order of priority: block (block), strict slider CAPTCHA verification (captcha_strict), common slider CAPTCHA verification (captcha), dynamic token authentication (sigchl), and JavaScript validation (js). | block |
final_plugin | The protection module that performs the action on the request. The final_action field indicates the action that is performed. Valid values:
To configure the preceding protection features, log on to the Web Application Firewall console and choose in the left-side navigation pane. For more information about the protection features of WAF, see Overview. If a request does not match a protection module, the field is not recorded. For example, if a request matches a rule that allows the request or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded. If a request matches multiple protection modules at the same time, the field records only the action that is performed. The final_action field indicates the action that is performed. | waf |
final_rule_id | The ID of the rule that is applied to the request. The rule defines the action that is recorded in the final_action field. | 115341 |
final_rule_type | The subtype of the rule that is applied to the request. The final_rule_id field indicates the applied rule. For example, | xss/webshell |
host | The Host header field of the request, which indicates the domain name or IP address to be accessed. | api.example.com |
http_cookie | The Cookie header field of the request, which indicates the cookie information about the client. | k1=v1;k2=v2 |
http_referer | The Referer header field of the request, which indicates the source URL information about the request. If the request does not contain the source URL information, the value of the field is displayed as a hyphen | http://example.com |
http_user_agent | The User-Agent header field of the request. This field contains information about the browser and operating system. | Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002) |
http_x_forwarded_for | The X-Forwarded-For (XFF) field of the request header. This field is used to identify the originating IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing device. | 47.100.XX.XX |
https | Indicates whether the request is an HTTPS request.
| on |
matched_host | The domain name that is matched by WAF. The domain name is added to WAF for protection. Note: Wildcard domain names can be added to WAF, and WAF may match a wildcard domain name. For example, if the domain name *.aliyun.com is added to WAF and www.aliyun.com is requested, WAF matches the domain name *.aliyun.com. | *.aliyun.com |
querystring | The query string in the request. The query string refers to the part that follows the question mark (?) in the requested URL. | title=tm_content%3Darticle&pid=123 |
real_client_ip | The originating IP address of the client that initiates the request. WAF identifies the actual IP address based on the analysis of the request. If WAF cannot identify the actual IP address of the client, for example, when a proxy server is used or the IP field in the request header is invalid, the value of the field is displayed as a hyphen | 192.0.XX.XX |
remote_addr | The IP address that is used to connect to WAF. If WAF is directly connected to a client, this field records the originating IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the IP address of the proxy. | 198.51.XX.XX |
remote_port | The port that is used to connect to WAF. If WAF is directly connected to a client, this field records the port of the client. If a Layer 7 proxy, such as CDN, is deployed in front of WAF, this field records the port of the proxy. | 80 |
request_length | The number of bytes in the request. The request includes the request line, request header, and request body. Unit: bytes. | 111111 |
request_method | The request method. | GET |
request_path | The requested relative path. The relative path is the part between the domain name and the question mark (?) in the requested URL. The relative path does not include the query string. | /news/search.php |
request_time_msec | The time required for WAF to process the request. Unit: milliseconds. | 44 |
request_traceid | The unique identifier that is generated by WAF for each request. | 7837b11715410386943437009ea1f0 |
server_protocol | The protocol and version that are used by the origin server to respond to the request that is forwarded by WAF. | HTTP/1.1 |
status | The HTTP status code that is included by WAF in the response to the request that is sent from the client. Example: the HTTP status code 200 indicates that the request is received and accepted. | 200 |
time | The point in time at which the request is initiated. The time follows the ISO 8601 standard in the | 2018-05-02T16:03:59+08:00 |
upstream_addr | The IP address and port of the origin server. The format is | 198.51.XX.XX:443 |
upstream_response_time | The total amount of time required for the origin server to respond to a back-to-origin request that is forwarded by WAF and for WAF to forward the response to the client. Unit: seconds. | 0.044 |
upstream_status | The HTTP status code that is sent by the origin server in response to the request from WAF. Example: the HTTP status code 200 indicates that the request is received and accepted. | 200 |
Optional fields
You can include optional fields in WAF logs based on your business requirements. WAF logs record only the optional fields that you enable.
If you enable optional fields, WAF logs occupy more storage space. If you have sufficient log storage capacity, we recommend that you enable more optional fields to analyze logs in a more comprehensive manner. For more information about how to configure optional fields, see Modify log settings.
Field | Description | Example |
account_action | The action that is performed on the request after an account security rule is triggered. This parameter has a fixed value of block. The value indicates that the request is blocked. For more information about WAF protection actions, see Description of the action field. | block |
account_rule_id | The ID of the account security rule that is triggered. | 151235 |
account_test | The protection mode that is used for the request after an account security rule is triggered. Valid values:
| false |
acl_action | The action that is performed on the request after a rule created for the blacklist or custom protection policy (ACL) feature is triggered. Valid values:
For more information about WAF protection actions, see Description of the action field. | block |
acl_rule_id | The ID of the rule that is triggered. The rule is created for the blacklist or custom protection policy (ACL) feature. | 151235 |
acl_test | The protection mode that is used for the request after a rule created for the blacklist or custom protection policy (ACL) feature is triggered. Valid values:
| false |
algorithm_action | The action that is performed on the request after a rule created for the typical bot behavior identification feature is triggered. Valid values:
For more information about WAF protection actions, see Description of the action field. | block |
algorithm_rule_id | The ID of the rule that is triggered. The rule is created for the typical bot behavior identification feature. | 151235 |
algorithm_test | The protection mode that is used for the request after a rule created for the typical bot behavior identification feature is triggered. Valid values:
| false |
antifraud_action | The action that is performed on the request after a rule created for the data risk control feature is triggered. Valid values:
For more information about WAF protection actions, see Description of the action field. | block |
antifraud_test | The protection mode that is used for the request after a rule created for the data risk control feature is triggered. Valid values:
| false |
antiscan_action | The action that is performed on the request after a rule created for the scan protection feature is triggered. This parameter has a fixed value of block. The value indicates that the request is blocked. For more information about WAF protection actions, see Description of the action field. | block |
antiscan_rule_id | The ID of the scan protection rule that is matched. | 151235 |
antiscan_rule_type | The type of the scan protection rule that is matched. Valid values:
| highfreq |
antiscan_test | The protection mode that is used for the request after a scan protection rule is matched. Valid values:
| false |
block_action | Important: This field is no longer valid due to WAF upgrades. This field is replaced with the field final_plugin. If the block_action field is used in your services, replace the field with final_plugin at the earliest opportunity. The WAF protection feature that is triggered to block the request. Valid values:
| waf |
body_bytes_sent | The number of bytes in the response body that is returned by the server to the client. The number of bytes of the response header is not counted. Unit: bytes. | 1111 |
cc_action | The action that is performed on the request after a rule created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature is triggered. Valid values:
For more information about WAF protection actions, see Description of the action field. | block |
cc_rule_id | The ID of the rule that is triggered. The rule is created for the HTTP flood protection feature or the custom protection policy (HTTP Flood Protection) feature. | 151234 |
cc_test | The protection mode that is used for the request after a rule created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature is triggered. Valid values:
| false |
deeplearning_action | The action that is performed on the request after a rule created for the deep learning engine feature is triggered. This parameter has a fixed value of block. The value indicates that the request is blocked. For more information about WAF protection actions, see Description of the action field. | block |
deeplearning_rule_id | The ID of the rule that is triggered. The rule is created for the deep learning engine feature. | 151238 |
deeplearning_rule_type | The type of the rule that is triggered. The rule is created for the deep learning engine feature. Valid values:
| xss |
deeplearning_test | The protection mode that is used for the request after a rule created for the deep learning engine feature is triggered. Valid values:
| false |
dlp_action | The action that is performed on the request after a rule created for the data leakage prevention feature is triggered. Valid values:
For more information about WAF protection actions, see Description of the action field. | mask |
dlp_rule_id | The ID of the rule that is triggered. The rule is created for the data leakage prevention feature. | 151245 |
dlp_test | The protection mode that is used for the request after a rule created for the data leakage prevention feature is triggered. Valid values:
| false |
intelligence_action | The action that is performed on the request after a rule created for the bot threat intelligence feature is triggered. Valid values:
For more information about WAF protection actions, see Description of the action field. | block |
intelligence_rule_id | The ID of the rule that is triggered. The rule is created for the bot threat intelligence feature. | 152234 |
intelligence_test | The protection mode that is used for the request after a rule created for the bot threat intelligence feature is triggered. Valid values:
| false |
normalized_action | The action that is performed on the request after a rule created for the positive security model feature is triggered. Valid values:
For more information about WAF protection actions, see Description of the action field. | block |
normalized_rule_id | The ID of the rule that is triggered. The rule is created for the positive security model feature. | 151266 |
normalized_rule_type | The type of the rule that is triggered. The rule is created for the positive security model feature. Valid values:
| User-Agent |
normalized_test | The protection mode that is used for the request after a rule created for the positive security model feature is triggered. Valid values:
| false |
region | The ID of the region where the WAF instance resides. Valid values:
| cn |
request_body | The request body. | i am the request body, encrypted or not! |
scene_action | The action that is performed on the request after a rule created for scenario-specific configuration is triggered. Valid values:
For more information about WAF protection actions, see Description of the action field. | block |
scene_id | The scenario ID of the rule that is triggered. The rule is created for scenario-specific configuration. | 151235 |
scene_rule_id | The ID of the rule that is triggered. The rule is created for scenario-specific configuration. | 153678 |
scene_rule_type | The type of the rule that is triggered. The rule is created for scenario-specific configuration. Valid values:
| bot_aialgo |
sigchl_invalid_type | The reason why the request is considered abnormal by dynamic token authentication rules. Valid values:
| sigchl_invalid_sig |
scene_test | The protection mode that is used for the request after a rule created for scenario-specific configuration is triggered. Valid values:
| false |
server_port | The destination port that is requested. | 443 |
ssl_cipher | The cipher suite that is used in the request. | ECDHE-RSA-AES128-GCM-SHA256 |
ssl_protocol | The SSL protocol or TLS protocol and version that are used in the request. | TLSv1.2 |
ua_browser | The name of the browser that initiates the request. Important: From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. To obtain the information about the User-Agent field of the request, we recommend that you use the required field http_user_agent. | ie9 |
ua_browser_family | The family to which the browser belongs. Important: From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. To obtain the information about the User-Agent field of the request, we recommend that you use the required field http_user_agent. | internet explorer |
ua_browser_type | The type of the browser that initiates the request. Important: From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. To obtain the information about the User-Agent field of the request, we recommend that you use the required field http_user_agent. | web_browser |
ua_browser_version | The version of the browser that initiates the request. Important: From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. To obtain the information about the User-Agent field of the request, we recommend that you use the required field http_user_agent. | 9.0 |
ua_device_type | The device type of the client that initiates the request. Important: From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. To obtain the information about the User-Agent field of the request, we recommend that you use the required field http_user_agent. | computer |
ua_os | The operating system of the client that initiates the request. Important: From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. To obtain the information about the User-Agent field of the request, we recommend that you use the required field http_user_agent. | windows_7 |
ua_os_family | The family to which the operating system of the client belongs. Important: From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. To obtain the information about the User-Agent field of the request, we recommend that you use the required field http_user_agent. | windows |
user_id | The ID of the Alibaba Cloud account to which the WAF instance belongs. | 17045741******** |
waf_action | The action that is performed on the request after a rule created for the protection rules engine feature is triggered. This parameter has a fixed value of block. The value indicates that the request is blocked. For more information about WAF protection actions, see Description of the action field. | block |
waf_rule_id | The ID of the rule that is triggered. The rule is created for the protection rules engine feature. | 113406 |
waf_rule_type | The type of the rule that is triggered. The rule is created for the protection rules engine feature. Valid values:
| xss |
waf_test | The protection mode that is used for the request after a rule created for the protection rules engine feature is triggered. Valid values:
| false |
wxbb_action | The action that is performed on the request after a rule created for the app protection feature is triggered. Valid values:
For more information about WAF protection actions, see Description of the action field. | block |
wxbb_invalid_wua | The reason why requests are considered abnormal based on the rule created for the app protection feature. Valid values:
| wxbb_invalid_sign |
wxbb_rule_id | The ID of the rule that is triggered. The rule is created for the app protection feature. | 156789 |
wxbb_test | The protection mode that is used for the request after a rule created for the app protection feature is triggered. Valid values:
| false |
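
The following triage helper is an added example, not code from the WAF product or its documentation. It applies the field semantics described above: real_client_ip falls back to remote_addr when it is a hyphen, bypass_matched_ids is split on commas, and final_action is compared with the highest-priority per-module action. It assumes that log records are exported as one JSON object per line with string values; the sample records and the function names are constructed for illustration.

```python
import json

# Priority of final_action values as listed on this page, highest first.
ACTION_PRIORITY = ["block", "captcha_strict", "captcha", "sigchl", "js"]
# Prefixes of the per-module <prefix>_action fields listed on this page.
MODULES = ["account", "acl", "algorithm", "antifraud", "antiscan", "cc",
           "deeplearning", "dlp", "intelligence", "normalized", "scene",
           "waf", "wxbb"]

# Constructed sample records (not real traffic). JSON lines is an assumption.
SAMPLE = [
    json.dumps({"host": "api.example.com", "request_path": "/news/search.php",
                "real_client_ip": "192.0.2.10", "remote_addr": "198.51.100.7",
                "final_action": "block", "final_plugin": "waf",
                "final_rule_id": "113406", "final_rule_type": "xss",
                "waf_action": "block", "cc_action": "captcha"}),
    json.dumps({"host": "api.example.com", "request_path": "/health",
                "real_client_ip": "-", "remote_addr": "198.51.100.7",
                "bypass_matched_ids": "283531,283540"}),
]


def client_ip(rec):
    """Prefer real_client_ip; a hyphen means WAF could not identify it."""
    ip = rec.get("real_client_ip", "-")
    if ip not in ("", "-"):
        return ip, "real_client_ip"
    # remote_addr may be a Layer 7 proxy (for example CDN) in front of WAF.
    return rec.get("remote_addr", "-"), "remote_addr"


def strongest_module_action(rec):
    """Highest-priority action among the per-module *_action fields."""
    seen = [rec.get(m + "_action") for m in MODULES]
    ranked = [a for a in seen if a in ACTION_PRIORITY]  # skips e.g. dlp "mask"
    return min(ranked, key=ACTION_PRIORITY.index) if ranked else None


def triage(line):
    """Summarise one log record for an analyst."""
    rec = json.loads(line)
    ip, source = client_ip(rec)
    final = rec.get("final_action")  # not recorded when no module acted
    strongest = strongest_module_action(rec)
    bypass = rec.get("bypass_matched_ids", "")
    return {
        "client_ip": ip,
        "ip_source": source,
        "final_action": final,
        "final_plugin": rec.get("final_plugin"),
        "final_rule_id": rec.get("final_rule_id"),
        "bypass_ids": [i.strip() for i in bypass.split(",") if i.strip()],
        "strongest_module_action": strongest,
        # Optional *_action fields may be disabled, so None is not a mismatch.
        # A mismatch is a prompt to review the record, not proof of an error.
        "consistent": strongest is None or final == strongest,
    }


if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line))
```

When ip_source is remote_addr, treat the address as a possible proxy rather than the client, as the remote_addr description above states.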