WAF keeps detailed log entries for your domains, including access and attack protection logs. Each log entry contains dozens of fields. You can query and analyze specific fields based on your business requirements.
| Field | Description | Example |
|---|---|---|
| __topic__ | The topic of a log entry. This field is fixed to waf_access_log. | waf_access_log |
| acl_action | The action taken by WAF to respond to the request based on HTTP ACL policies, such
as pass, drop, and captcha.
Note A null value or a hyphen (-) also indicates the pass action.
|
pass |
| acl_blocks | Indicates whether the request is blocked based on the HTTP ACL policies.
|
1 |
| antibot | The type of the Anti-Bot Service protection policy that applies. Valid values:
|
ratelimit |
| antibot_action | The action that is taken based on the Anti-Bot Service protection policy. Valid values:
|
challenge |
| block_action | The type of the WAF protection feature that implements blocking. Valid values:
|
tmd |
| body_bytes_sent | The size of the HTTP message body sent to the client. Unit: bytes. | 2 |
| cc_action | The action taken for protection against HTTP flood attacks. Valid values: none, challenge, pass, close, captcha, wait, and login. | close |
| cc_blocks | Indicates whether the request is blocked by the HTTP flood protection feature.
|
1 |
| cc_phase | The HTTP flood protection policy that is triggered. Valid values: seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, and qps_overmax. | server_ip_blacklist |
| content_type | The content type of the access request. | application/x-www-form-urlencoded |
| host | The origin server. | api.aliyun.com |
| http_cookie | The Cookie HTTP header. This field includes information about the client. | k1=v1;k2=v2 |
| http_referer | The Referer HTTP header. This field includes the source URL information. The value
of this field is displayed as a hyphen (-) when there is no source URL information.
|
http://xyz.com |
| http_user_agent | The User-Agent HTTP header. This field contains information such as the client browser and the operating system. | Dalvik/2.1.0 (Linux; U; Android 7.0; EDI-AL10 Build/HUAWEIEDISON-AL10) |
| http_x_forwarded_for | The X-Forwarded-For (XFF) HTTP header. This field identifies the original IP address of the client that connects to the web server by using an HTTP proxy or load balancing. | - |
| https | Indicates whether the request is an HTTPS request. Valid values:
|
true |
| matched_host | The matched domain name that is protected by WAF. The domain name may be a wildcard
domain name. The value of this field is displayed as a hyphen (-) when there are no matched domain names.
|
*.aliyun.com |
| querystring | The query string in the request URL. | title=tm_content%3Darticle&pid=123 |
| real_client_ip | The real IP address of the client. If the real IP address cannot be obtained, the
value of this field is displayed as a hyphen (-).
|
1.2.3.4 |
| region | The region where the WAF instance resides. | cn |
| remote_addr | The IP address of the client that sends the access request. | 1.2.3.4 |
| remote_port | The port of the client that sends the access request. | 3242 |
| request_length | The size of the access request message. Unit: bytes. | 123 |
| request_method | The HTTP request method. | GET |
| request_path | The relative path of the access request. The query string is not included. | /news/search.php |
| request_time_msec | The request processing duration. Unit: milliseconds. | 44 |
| request_traceid | The unique ID of the access request that is recorded by WAF. | 7837b11715410386943437009ea1f0 |
| server_protocol | The type and version number of the protocol that is used for the responses from the origin server. | HTTP/1.1 |
| status | The HTTP status code returned by WAF to the client. | 200 |
| time | The time when the access request is initiated. | 2018-05-02T16:03:59+08:00 |
| ua_browser | The information of the browser that sends the access request. | ie9 |
| ua_browser_family | The family of the browser. | internet explorer |
| ua_browser_type | The type of the browser. | web_browser |
| ua_browser_version | The version of the browser. | 9.0 |
| ua_device_type | The type of the client device. | computer |
| ua_os | The operating system of the client. | windows_7 |
| ua_os_family | The family of the client operating system. | windows |
| upstream_addr | The list of back-to-origin IP addresses, separated with commas (,). Each IP address
is in the IP:Port format.
|
1.2.3.4:443 |
| upstream_ip | The IP address of the origin server where the requested resource resides. For example, if the origin server is an ECS instance, the value of this field is the IP address of the ECS instance. | 1.2.3.4 |
| upstream_response_time | The duration used by the origin server to respond to the request from WAF. Unit: seconds. If the value of this field is displayed as a hyphen (-), the response times out. | 0.044 |
| upstream_status | The HTTP status code that WAF receives from the origin server. If the value of this field is displayed as a hyphen (-), the request is blocked by WAF or the response from the origin server times out. | 200 |
| user_id | The ID of the Alibaba Cloud account. | 12345678 |
| waf_action | The action that is taken for protection against web attacks. Valid values:
|
block |
| web_attack_type | The type of the web attack. Valid values: xss, code_exec, webshell, sqli, lfilei, rfilei, and other. | xss |
| waf_rule_id | The ID of the matched WAF rule. | 100 |