WAF keeps detailed log entries for your domains, including access requests and attack logs. Each log entry contains dozens of fields. You can perform query and analysis based on specific fields.
| Field | Description | Example |
|---|---|---|
| __topic__ | The topic of the log entry. The value of this field is waf_access_log, which cannot be changed. | waf_access_log |
| acl_action | The action generated by the WAF HTTP ACL policy to the request, such as pass, drop, and captcha.
Note If the value is null or
-, it indicates that the action is pass.
|
pass |
| acl_blocks | Indicates whether the request is blocked by the HTTP ACL policy.
|
1 |
| antibot | The type of the Anti-Bot Service protection strategy that applies, which includes:
|
ratelimit |
| antibot_action | The action performed by the Anti-Bot Service protection strategy, which includes:
|
challenge |
| block_action | The type of the WAF protection that is activated, which includes:
|
tmd |
| body_bytes_sent | The size of the body in the access request, which is measured in Bytes. | 2 |
| cc_action | Protection strategies against HTTP flood attacks, such as none, challenge, pass, close, captcha, wait, login, and n. | close |
| cc_blocks | Indicates whether the request is blocked by the CC protection.
|
1 |
| cc_phase | The CC protection strategy that is activated, which can be seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, or qps_overmax. | server_ip_blacklist |
| content_type | The content type of the access request. | application/x-www-form-urlencoded |
| host | The source website. | api.aliyun.com |
| http_cookie | The client-side cookie, which is included in the request header. | k1=v1;k2=v2 |
| http_referer | The URL information of the request source, which is included in the request header. - indicates no URL information. |
http://xyz.com |
| http_user_agent | The User Agent field in the request header, which contains information such as the client browser and the operating system. | Dalvik/2.1.0 (Linux; U; Android 7.0; EDI-AL10 Build/HUAWEIEDISON-AL10) |
| http_x_forwarded_for | The X-Forwarded-For (XFF) information in the request header, which identifies the original IP address of the client that connects to the Web server using a HTTP proxy or load balancing. | - |
| https | Indicates whether the request is an HTTPS request.
|
true |
| matched_host | The matched domain name (extensive domain name) that is protected by WAF. If no domain has been matched, the value is -. |
*.aliyun.com |
| querystring | The query string in the request. | title=tm_content%3Darticle&pid=123 |
| real_client_ip | The real IP address of the client. If the system cannot get the real IP address, the value is -. |
1.2.3.4 |
| region | The information of the region where the WAF instance is located. | cn |
| remote_addr | The IP address of the client that sends the access request. | 1.2.3.4 |
| remote_port | The port of the client that sends the access request. | 3242 |
| request_length | The size of the request, measured in Bytes. | 123 |
| request_method | The HTTP request method used in the access request. | GET |
| request_path | The relative path of the request. The query string is not included. | /news/search.php |
| request_time_msec | The request time, which is measured in microseconds. | 44 |
| request_traceid | The unique ID of the access request that is recorded by WAF. | 7837b********************ea1f0 |
| server_protocol | The response protocol and the version number of the origin server. | HTTP/1.1 |
| status | The status of the HTTP response to the client returned by WAF. | 200 |
| time | The time when the access request occurs. | 2018-05-02T16:03:59+08:00 |
| ua_browser | The information of the browser that sends the request. | ie9 |
| ua_browser_family | The family of the browser that the sent the request. | internet explorer |
| ua_browser_type | The type of the browser that the sent the request. | web_browser |
| ua_browser_version | The version of the browser that sends the request. | 9.0 |
| ua_device_type | The type of the client device that sends the request. | computer |
| ua_os | The operating system used by the client that sends the request. | windows_7 |
| ua_os_family | The family of the operating system used by the client. | windows |
| upstream_addr | A list of origin addresses, separated by commas. The format of an address is IP:Port. |
1.2.3.4:443 |
| upstream_ip | The origin IP address that corresponds to the access request. For example, if the origin server is an ECS instance, the value of this field is the IP address of the ECS instance. | 1.2.3.4 |
| upstream_response_time | The time that the origin site takes to respond to the WAF request, which is measured in seconds. "-" indicates the timeout of the request. | 0.044 |
| upstream_status | The response status that WAF receives from the origin server. "-" indicates that no response is received. The reason can be the response timeout, or the request being blocked by WAF. | 200 |
| user_id | Alibaba Cloud account ID. | 12345678 |
| waf_action | The action from the Web attack protection policy.
|
block |
| web_attack_type | The Web attack type such as xss, code_exec, webshell, sqli, lfilei, rfilei, and other. | xss |
| waf_rule_id | The ID of the WAF rule that is matched. | 100 |