WAF keeps detailed log entries for your domains, including access and attack protection logs. Each log entry contains dozens of fields. You can query and analyze specific fields based on your business requirements.

| Field | Description | Example |
| --- | --- | --- |
| `__topic__` | The topic of a log entry. This field is fixed to waf_access_log. | `waf_access_log` |
| `acl_action` | The action taken by WAF to respond to the request based on HTTP ACL policies, such as pass, drop, and captcha. Note: A null value or a hyphen (-) also indicates the pass action. | `pass` |
| `acl_blocks` | Indicates whether the request is blocked based on the HTTP ACL policies. If the value is 1, the request is blocked. If the value is not 1, the request is allowed. | `1` |
| `antibot` | The type of the Anti-Bot Service protection policy that applies. Valid values: `ratelimit` (frequency control-based protection); `sdk` (enhanced app protection); `algorithm` (algorithm-based protection); `intelligence` (bot intelligence-based protection); `acl` (HTTP ACL policy-based protection); `blacklist` (blacklist-based protection). | `ratelimit` |
| `antibot_action` | The action that is taken based on the Anti-Bot Service protection policy. Valid values: `challenge` (verification by using an embedded JavaScript script); `drop` (block); `report` (record); `captcha` (slider captcha-based verification). | `challenge` |
| `block_action` | The type of the WAF protection feature that implements blocking. Valid values: `tmd` (protection against HTTP flood attacks); `waf` (protection against web application attacks); `acl` (HTTP ACL policy); `geo` (region blocking); `antifraud` (data risk control); `antibot` (anti-bot). | `tmd` |
| `body_bytes_sent` | The size of the HTTP message body sent to the client. Unit: bytes. | `2` |
| `cc_action` | The action taken for protection against HTTP flood attacks. Valid values: none, challenge, pass, close, captcha, wait, and login. | `close` |
| `cc_blocks` | Indicates whether the request is blocked by the HTTP flood protection feature. If the value is 1, the request is blocked by the HTTP flood protection feature. If the value is not 1, the request is allowed. | `1` |
| `cc_phase` | The HTTP flood protection policy that is triggered. Valid values: seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, and qps_overmax. | `server_ip_blacklist` |
| `content_type` | The content type of the access request. | `application/x-www-form-urlencoded` |
| `host` | The origin server. | `api.aliyun.com` |
| `http_cookie` | The Cookie HTTP header. This field includes information about the client. | `k1=v1;k2=v2` |
| `http_referer` | The Referer HTTP header. This field includes the source URL information. The value of this field is displayed as a hyphen (-) when there is no source URL information. | `http://xyz.com` |
| `http_user_agent` | The User-Agent HTTP header. This field contains information such as the client browser and the operating system. | `Dalvik/2.1.0 (Linux; U; Android 7.0; EDI-AL10 Build/HUAWEIEDISON-AL10)` |
| `http_x_forwarded_for` | The X-Forwarded-For (XFF) HTTP header. This field identifies the original IP address of the client that connects to the web server by using an HTTP proxy or load balancing. | `-` |
| `https` | Indicates whether the request is an HTTPS request. Valid values: `true` (the request is an HTTPS request); `false` (the request is an HTTP request). | `true` |
| `matched_host` | The matched domain name that is protected by WAF. The domain name may be a wildcard domain name. The value of this field is displayed as a hyphen (-) when there are no matched domain names. | `*.aliyun.com` |
| `querystring` | The query string in the request URL. | `title=tm_content%3Darticle&pid=123` |
| `real_client_ip` | The real IP address of the client. If the real IP address cannot be obtained, the value of this field is displayed as a hyphen (-). | `1.2.3.4` |
| `region` | The region where the WAF instance resides. | `cn` |
| `remote_addr` | The IP address of the client that sends the access request. | `1.2.3.4` |
| `remote_port` | The port of the client that sends the access request. | `3242` |
| `request_length` | The size of the access request message. Unit: bytes. | `123` |
| `request_method` | The HTTP request method. | `GET` |
| `request_path` | The relative path of the access request. The query string is not included. | `/news/search.php` |
| `request_time_msec` | The request processing duration. Unit: milliseconds. | `44` |
| `request_traceid` | The unique ID of the access request that is recorded by WAF. | `7837b11715410386943437009ea1f0` |
| `server_protocol` | The type and version number of the protocol that is used for the responses from the origin server. | `HTTP/1.1` |
| `status` | The HTTP status code returned by WAF to the client. | `200` |
| `time` | The time when the access request is initiated. | `2018-05-02T16:03:59+08:00` |
| `ua_browser` | The information of the browser that sends the access request. | `ie9` |
| `ua_browser_family` | The family of the browser. | `internet explorer` |
| `ua_browser_type` | The type of the browser. | `web_browser` |
| `ua_browser_version` | The version of the browser. | `9.0` |
| `ua_device_type` | The type of the client device. | `computer` |
| `ua_os` | The operating system of the client. | `windows_7` |
| `ua_os_family` | The family of the client operating system. | `windows` |
| `upstream_addr` | The list of back-to-origin IP addresses, separated with commas (,). Each IP address is in the IP:Port format. | `1.2.3.4:443` |
| `upstream_ip` | The IP address of the origin server where the requested resource resides. For example, if the origin server is an ECS instance, the value of this field is the IP address of the ECS instance. | `1.2.3.4` |
| `upstream_response_time` | The duration used by the origin server to respond to the request from WAF. Unit: seconds. If the value of this field is displayed as a hyphen (-), the response times out. | `0.044` |
| `upstream_status` | The HTTP status code that WAF receives from the origin server. If the value of this field is displayed as a hyphen (-), the request is blocked by WAF or the response from the origin server times out. | `200` |
| `user_id` | The ID of the Alibaba Cloud account. | `12345678` |
| `waf_action` | The action that is taken for protection against web attacks. Valid values: `block` (the request is blocked); `bypass` or other values (the request is allowed). | `block` |
| `web_attack_type` | The type of the web attack. Valid values: xss, code_exec, webshell, sqli, lfilei, rfilei, and other. | `xss` |
| `waf_rule_id` | The ID of the matched WAF rule. | `100` |
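
The following Python sketch is an added example, not part of the original documentation: it combines the per-feature fields described on this page (`acl_blocks`, `cc_blocks`, `waf_action`, `antibot_action`, `block_action`) into one verdict per request, treating null and `-` as empty. The JSON-lines input format, the sample entries, the function names and the `origin_timeout` label are assumptions made for the example.

```python
import json
from collections import Counter

# Constructed sample entries (not real traffic), one JSON object per line.
SAMPLE_LOGS = """\
{"request_traceid":"t1","real_client_ip":"-","remote_addr":"198.51.100.7","acl_blocks":"0","cc_blocks":"0","waf_action":"block","web_attack_type":"sqli","block_action":"waf","upstream_status":"-"}
{"request_traceid":"t2","real_client_ip":"203.0.113.9","remote_addr":"192.0.2.1","acl_action":null,"acl_blocks":"-","cc_blocks":"1","cc_phase":"qps_overmax","waf_action":"bypass","block_action":"tmd","upstream_status":"-"}
{"request_traceid":"t3","real_client_ip":"203.0.113.9","remote_addr":"192.0.2.1","acl_blocks":"0","cc_blocks":"0","waf_action":"bypass","block_action":"-","upstream_status":"-","upstream_response_time":"-"}
{"request_traceid":"t4","real_client_ip":"203.0.113.20","remote_addr":"192.0.2.1","acl_action":"drop","acl_blocks":1,"cc_blocks":"0","waf_action":"-","block_action":"acl","upstream_status":"-"}
{"request_traceid":"t5","real_client_ip":"203.0.113.20","remote_addr":"192.0.2.1","acl_blocks":"0","cc_blocks":"0","waf_action":"bypass","upstream_status":"200"}
"""

def field(entry, name):
    """Return a field as a string; null, missing and '-' all become None."""
    value = entry.get(name)
    text = "" if value is None else str(value).strip()
    return None if text in ("", "-") else text

def blocked_by(entry):
    """Features whose documented fields say this request was blocked."""
    checks = [("acl", "acl_blocks", "1"), ("tmd", "cc_blocks", "1"),
              ("waf", "waf_action", "block"), ("antibot", "antibot_action", "drop")]
    features = [feat for feat, name, hit in checks if field(entry, name) == hit]
    extra = field(entry, "block_action")  # also covers geo and antifraud
    if extra and extra not in features:
        features.append(extra)
    return features

def classify(entry):
    """Return 'blocked:<features>', 'origin_timeout' or 'allowed' (labels assumed)."""
    features = blocked_by(entry)
    if features:
        return "blocked:" + ",".join(features)
    # '-' in upstream_status with no block indicator: the origin did not answer.
    return "origin_timeout" if field(entry, "upstream_status") is None else "allowed"

def client_ip(entry):
    """Prefer real_client_ip; fall back to remote_addr when it is '-'."""
    return field(entry, "real_client_ip") or field(entry, "remote_addr")

def summarize(text):
    """Return ({traceid: verdict}, Counter of blocked requests per client IP)."""
    verdicts, blocked = {}, Counter()
    for line in filter(str.strip, text.splitlines()):
        entry = json.loads(line)
        verdict = verdicts[entry["request_traceid"]] = classify(entry)
        if verdict.startswith("blocked"):
            blocked[client_ip(entry)] += 1
    return verdicts, blocked

if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
```

Checking `block_action` in addition to the per-feature flags matters because region blocking and data risk control have no dedicated `*_blocks` field in this table.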