This topic describes the log fields supported by Web Application Firewall (WAF).

Table for field retrieval

The following table describes the log fields supported by WAF. You can retrieve the fields that you want to view by using the names of the fields.

First letter Field
a acl_action | acl_rule_type
b block_action (to be removed) | body_bytes_sent | bypass_matched_ids
c cc_action | cc_rule_type | content_type
f final_action | final_plugin | final_rule_id | final_rule_type
h host | http_cookie | http_referer | http_user_agent | http_x_forwarded_for | https
m matched_host
q querystring
r real_client_ip | region | remote_addr | remote_port | request_length | request_method | request_path | request_time_msec | request_traceid
s server_port | server_protocol | ssl_cipher | ssl_protocol | status
t time
u ua_browser | ua_browser_family | ua_browser_type | ua_browser_version | ua_device_type | ua_os | ua_os_family | upstream_addr | upstream_response_time | upstream_status | user_id
w waf_action | waf_rule_id

Protection log fields

Protection log fields are generated by WAF when client requests match the rules specified in WAF protection features. You can use the protection log fields to analyze attacks against your business. The rules can be used to allow or block requests.

The following table describes all the values of the plugin field.

Value of the plugin field Description
waf Web Security > Protection Rules Engine in the Web Intrusion Prevention section
deeplearning Web Security > Big Data Deep Learning Engine in the Web Intrusion Prevention section
dlp Web Security > Data Leakage Prevention in the Data Security section
account Web Security > Account Security in the Data Security section
normalized Web Security > Positive Security Model in the Advanced protection section
acl Blacklists and Custom Protection Policy (ACL) on the Access Control/Throttling tab
cc HTTP Flood Protection and Custom Protection Policy (HTTP Flood Protection) on the Access Control/Throttling tab
antiscan Scan Protection on the Access Control/Throttling tab
scene Scenario-specific Configuration on the Bot Management tab
antifraud Bot Management > Data Risk Control in the Fine-grained Configuration section
intelligence Bot Management > Bot Threat Intelligence in the Fine-grained Configuration section
algorithm Bot Management > Typical Bot Behavior Identification in the Fine-grained Configuration section
wxbb Bot Management > App Protection in the Fine-grained Configuration section

The following table describes the values of the action fields (fields whose names end in _action, such as final_action and waf_action).

Value of the action field Description
bypass Allow, which indicates that WAF allows and forwards client requests to origin servers.
block Block, which indicates that WAF blocks client requests and returns HTTP error 405 to clients.
captcha_strict Strict CAPTCHA verification, which indicates that WAF returns CAPTCHA verification pages to clients. If a client passes strict CAPTCHA verification, WAF allows the request. Otherwise, WAF blocks the request. A client needs to pass strict CAPTCHA verification each time the client sends a request.
captcha Common CAPTCHA verification, which indicates that WAF returns CAPTCHA verification pages to clients. If a client passes common CAPTCHA verification, WAF allows client requests in a specific time range. In this time range, the client does not need to perform common CAPTCHA verification. By default, the time range is 30 minutes. If a client fails to pass common CAPTCHA verification, WAF blocks client requests.
js JavaScript verification, which indicates that WAF returns JavaScript code to clients. The JavaScript code can be automatically executed by browsers. If a client passes JavaScript verification, WAF allows client requests in a specific time range. In this time range, the client does not need to perform JavaScript verification. By default, the time range is 30 minutes. If a client fails to pass JavaScript verification, WAF blocks client requests.

Field Description Example value
block_action
Notice This field is no longer maintained, and its output information is inaccurate. This field will be removed. If this field is used, we recommend that you replace it with the new field final_plugin at your earliest opportunity.
The WAF protection feature whose Block action is triggered. Valid values:
  • tmd: HTTP flood protection
  • waf: web intrusion prevention
  • acl: ACL-based access control
  • geo: region blacklists
  • antifraud: data risk control
  • antibot: bot management
waf
bypass_matched_ids The ID of the matched rule that allows requests. The rule can be a whitelist rule or a custom protection rule that allows requests.

If a request matches multiple rules that allow requests at the same time, this field records the IDs of all the rules. Multiple IDs are separated by commas (,).

283531
final_action The action that WAF performs on client requests. For more information about the values of this field, see Description of the action field.

If a request does not trigger a protection feature, the field is not recorded. For example, if a request matches the rule that allows requests or a client passes CAPTCHA verification or JavaScript verification, the field is not recorded.

If a request triggers multiple protection features at the same time, only the action that is performed is recorded. The following sequence shows the priorities of the actions from high to low: block, strict CAPTCHA verification, common CAPTCHA verification, and JavaScript verification.

block
final_plugin The protection feature that performs the action (final_action) on client requests. For more information about the values of this field, see Description of the plugin field.

If a request does not trigger a protection feature, the field is not recorded. For example, if a request matches the rule that allows requests or a client passes CAPTCHA verification or JavaScript verification, the field is not recorded.

If a request triggers multiple protection features at the same time, only the protection feature that performs the action (final_action) is recorded.

waf
final_rule_id The ID of the protection rule that applies to client requests. The protection rule is the rule that defines the action specified in the final_action field. 115341
final_rule_type The subtype of the rule that is defined in final_rule_id.

For example, final_plugin:waf supports final_rule_type:sqli and final_rule_type:xss.

xss/webshell
acl_action The action that is defined in the protection rule that applies to client requests. The protection rule can be a rule that is created for Blacklists or Custom Protection Policy (ACL).

For more information about the values of this field, see Description of the action field.

pass
acl_rule_type The type of the protection rule that applies to client requests. The protection rule can be a rule that is created for Blacklists or Custom Protection Policy (ACL). Valid values:
  • custom: Custom Protection Policy (ACL)
  • blacklist: Blacklists
custom
cc_action The action that is defined in the protection rule that applies to client requests. The protection rule can be a rule that is created for HTTP Flood Protection or Custom Protection Policy (HTTP Flood Protection).

For more information about the values of this field, see Description of the action field.

block
cc_rule_type The type of the protection rule that applies to client requests. The protection rule can be a rule that is created for HTTP Flood Protection or Custom Protection Policy (HTTP Flood Protection). Valid values:
  • custom: Custom Protection Policy (HTTP Flood Protection)
  • system: HTTP Flood Protection
custom
waf_action The action that is defined in the matched rule that is created for Protection Rules Engine.

For more information about the values of this field, see Description of the action field.

block
waf_rule_id The ID of the matched rule that is created for Protection Rules Engine. 113406

Non-protection log fields

Non-protection log fields include request logic fields that WAF obtains from client requests and supplemental fields that are generated after WAF analyzes the requests. The request logic fields include common request header fields. The supplemental fields record request behavior and also record the actual IP addresses of clients and status codes from origin servers.

Field Description Example value
content_type The type of the requested content. application/x-www-form-urlencoded
host The Host field of the request header, which contains the domain name or IP address to access. The field value is determined by your business settings. api.example.com
http_referer The Referer field of the request header, which contains the source URL information about the request.

If the request does not contain the source URL information, the value of the field is -.

http://example.com
http_user_agent The User-Agent field of the request header. This field contains information about the browser and operating system. Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002)
http_x_forwarded_for The X-Forwarded-For (XFF) field of the request header. This field is used to identify the actual IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing device. None
querystring The query string in the request. The query string refers to the part that follows the question mark (?) in the requested URL. title=tm_content%3Darticle&pid=123
real_client_ip The actual IP address of the client that initiates the request. WAF identifies the actual IP address based on the analysis of the request.

If WAF cannot obtain the actual IP address of the client, the value of the field is -.

1.XX.XX.1
remote_addr The IP address from which connections are established with WAF.

If WAF is directly connected to a client, this field records the actual IP address of the client. If a Layer 7 proxy, such as Content Delivery Network (CDN), is deployed in front of WAF, this field records the IP address of the proxy.

1.XX.XX.1
remote_port The port from which connections are established with WAF.

If WAF is connected to a client, this field records the port of the client. If a Layer 7 proxy, such as CDN, is deployed in front of WAF, this field records the port of the proxy.

80
request_length The number of bytes in the request. The request includes the request line, request header, and request body. Unit: bytes. 111111
request_method The request method. GET
request_path The requested relative path. The relative path refers to the part between the domain name and the question mark (?) in the requested URL. The relative path does not include the query string. /news/search.php
request_time_msec The time that WAF takes to process a request. Unit: milliseconds. 44
request_traceid The unique identifier that is generated by WAF for each request. 7837b11715410386943437009ea1f0
server_port The requested destination port. 443
server_protocol The protocol and version that the origin server uses to respond to the request forwarded by WAF. HTTP/1.1
ssl_cipher The encryption suite that is used in the request. ECDHE-RSA-AES128-GCM-SHA256
ssl_protocol The SSL or TLS protocol and version that are used in the request. TLSv1.2
time The time at which the request is initiated. The time follows the ISO 8601 standard in the yyyy-MM-ddTHH:mm:ss+08:00 format. The time must be in UTC. 2018-05-02T16:03:59+08:00
upstream_response_time The time that the origin server takes to respond to the request forwarded by WAF. Unit: seconds. 0.044
upstream_status The HTTP status code that the origin server sends in response to the request from WAF. Example: 200, which indicates that the request was received and accepted. 200
body_bytes_sent The number of bytes in the request body. Unit: bytes. 1111
matched_host The matched domain name that is added to WAF for protection.
Note Wildcard domains can be added to WAF, and WAF matches a wildcard domain for client requests. For example, if the domain name *.aliyun.com is added to WAF and www.aliyun.com is requested, WAF matches the domain name *.aliyun.com.
*.aliyun.com
https Indicates whether the request is an HTTPS request. Valid values:
  • true: The request is an HTTPS request.
  • false: The request is an HTTP request.
true
region The ID of the region where the WAF instance resides. Valid values:
  • cn: mainland China
  • int: outside mainland China
cn
status The HTTP status code that WAF sends in response to the client request. Example: 200, which indicates that the request was received and accepted. 200
ua_browser The name of the browser that initiates requests. ie9
ua_browser_family The family to which the browser that initiates requests belongs. internet explorer
ua_browser_type The type of the browser that initiates requests. web_browser
ua_browser_version The version of the browser that initiates requests. 9.0
ua_device_type The type of the device that initiates requests. computer
ua_os The operating system of the client that initiates requests. windows_7
ua_os_family The family to which the operating system of the client that initiates requests belongs. windows
upstream_addr The IP address and port number of the origin server. The format is IP:Port. Multiple pairs of IP addresses and ports are separated by commas (,). 1.XX.XX.1:443
user_id The ID of the Alibaba Cloud account that owns the WAF instance. 17045741********
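The following is an added example, not code from the WAF product or its documentation. It shows how a defender can apply two rules stated above when reading exported logs: the final_action priority order (block, then strict CAPTCHA, then common CAPTCHA, then JavaScript verification, with nothing recorded when a request is allowed) and the fallback from real_client_ip to remote_addr when WAF reports -. It assumes the log is delivered as one JSON object per line using the field names on this page; the records, IP addresses and trace IDs below are constructed sample data.

```python
import json
from collections import Counter

# Enforced actions from highest to lowest priority, as the page states for final_action.
ACTION_PRIORITY = ["block", "captcha_strict", "captcha", "js"]


def resolve_final_action(candidate_actions):
    """Return the action WAF enforces when several features fire at once.

    Returns None when nothing is enforced (only allow/bypass outcomes), which
    corresponds to final_action not being recorded in the log.
    """
    for action in ACTION_PRIORITY:
        if action in candidate_actions:
            return action
    return None


def client_ip(record):
    """Prefer real_client_ip; fall back to remote_addr when WAF could not determine it.

    http_x_forwarded_for is deliberately ignored here: it is attacker-controlled input.
    """
    ip = record.get("real_client_ip", "-")
    return ip if ip != "-" else record.get("remote_addr", "-")


def summarize(log_lines):
    """Count enforced actions per (final_plugin, final_rule_type, final_action) and per client IP."""
    by_rule, by_ip = Counter(), Counter()
    for line in log_lines:
        rec = json.loads(line)
        action = rec.get("final_action")
        if action is None:  # field absent: the request was allowed, nothing to triage
            continue
        by_rule[(rec.get("final_plugin"), rec.get("final_rule_type"), action)] += 1
        by_ip[client_ip(rec)] += 1
    return by_rule, by_ip


# Constructed sample records (not real WAF output); field names follow the page.
SAMPLE_LOG = [
    '{"request_traceid":"t1","final_action":"block","final_plugin":"waf","final_rule_type":"sqli","real_client_ip":"203.0.113.7","remote_addr":"198.51.100.9","status":405}',
    '{"request_traceid":"t2","final_action":"captcha","final_plugin":"cc","final_rule_type":"custom","real_client_ip":"-","remote_addr":"198.51.100.9","status":200}',
    '{"request_traceid":"t3","bypass_matched_ids":"283531","real_client_ip":"203.0.113.7","remote_addr":"198.51.100.9","status":200}',
    '{"request_traceid":"t4","final_action":"block","final_plugin":"waf","final_rule_type":"xss","real_client_ip":"203.0.113.7","remote_addr":"198.51.100.9","status":405}',
]

if __name__ == "__main__":
    rules, ips = summarize(SAMPLE_LOG)
    for key, count in rules.most_common():
        print(key, count)
    print(ips.most_common())
```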