This topic describes the log fields supported by Web Application Firewall (WAF).
Table for field retrieval
The following table describes the log fields supported by WAF. You can retrieve the fields that you want to view by using the names of the fields.
| First letter | Field |
|---|---|
| a | acl_action | acl_rule_type |
| b | block_action (to be removed) | body_bytes_sent | bypass_matched_ids |
| c | cc_action | cc_rule_type | content_type |
| f | final_action | final_plugin | final_rule_id | final_rule_type |
| h | host | http_cookie | http_referer | http_user_agent | http_x_forwarded_for | https |
| m | matched_host |
| q | querystring |
| r | real_client_ip | region | remote_addr | remote_port | request_length | request_method | request_path | request_time_msec | request_traceid |
| s | server_port | server_protocol | ssl_cipher | ssl_protocol | status |
| t | time |
| u | ua_browser | ua_browser_family | ua_browser_type | ua_browser_version | ua_device_type | ua_os | ua_os_family | upstream_addr | upstream_response_time | upstream_status| user_id |
| w | waf_action | waf_rule_id |
Protection log fields
Protection log fields are generated by WAF when client requests match the rules specified in WAF protection features. You can use the protection log fields to analyze attacks against your business. The rules can be used to allow or block requests.
The following table describes all the values of the plugin field.
| Value of the plugin field | Description |
|---|---|
| waf | Web Security > Protection Rules Engine in the Web Intrusion Prevention section |
| deeplearning | Web Security > Big Data Deep Learning Engine in the Web Intrusion Prevention section |
| dlp | Web Security > Data Leakage Prevention in the Data Security section |
| account | Web Security > Account Security in the Data Security section |
| normalized | Web Security > Positive Security Model in the Advanced protection section |
| acl | Blacklists and Custom Protection Policy (ACL) on the Access Control/Throttling tab |
| cc | HTTP Flood Protection and Custom Protection Policy (HTTP Flood Protection) on the Access Control/Throttling tab |
| antiscan | Scan Protection on the Access Control/Throttling tab |
| scene | Scenario-specific Configuration on the Bot Management tab |
| antifraud | Bot Management > Data Risk Control in the Fine-grained Configuration section |
| intelligence | Bot Management > Bot Threat Intelligence in the Fine-grained Configuration section |
| algorithm | Bot Management > Typical Bot Behavior Identification in the Fine-grained Configuration section |
| wxbb | Bot Management > App Protection in the Fine-grained Configuration section |
The following table describes the values of the _action field, such as final_action and waf_action)
| Value of the action field | Description |
|---|---|
| bypass | Allow, which indicates that WAF allows and forwards client requests to origin servers. |
| block | Block, which indicates that WAF blocks client requests and returns HTTP error 405 to clients. |
| captcha_strict | Strict CAPTCHA verification, which indicates that WAF returns CAPTCHA verification pages to clients. If a client passes strict CAPTCHA verification, WAF allows the request. Otherwise, WAF blocks the request. A client needs to pass strict CAPTCHA verification each time the client sends a request. |
| captcha | Common CAPTCHA verification, which indicates that WAF returns CAPTCHA verification pages to clients. If a client passes common CAPTCHA verification, WAF allows client requests in a specific time range. In this time range, the client does not need to perform common CAPTCHA verification. By default, the time range is 30 minutes. If a client fails to pass common CAPTCHA verification, WAF blocks client requests. |
| js | JavaScript verification, which indicates that WAF returns JavaScript code to clients. The JavaScript code can be automatically executed by browsers. If a client passes JavaScript verification, WAF allows client requests in a specific time range. In this time range, the client does not need to perform JavaScript verification. By default, the time range is 30 minutes. If a client fails to pass JavaScript verification, WAF blocks client requests. |
| Field | Description | Example value |
|---|---|---|
| block_action |
Notice This field is no longer maintained, and its output information is inaccurate. This field will be removed. If this field is used, we recommend that you replace it with the new field
final_plugin at your earliest opportunity.
|
waf |
| bypass_matched_ids | The ID of the matched rule that allows requests. The rule can be a whitelist rule or a custom protection rule that allows requests. If a request matches multiple rules that allow requests at the same time, this field records the IDs of all the rules. Multiple IDs are separated by commas (,). |
283531 |
| final_action | The action that WAF performs on client requests. For more information about the values of this field, see Description of the action field. If a request does not trigger a protection feature, the field is not recorded. For example, if a request matches the rule that allows requests or a client passes CAPTCHA verification or JavaScript verification, the field is not recorded. If a request triggers multiple protection features at the same time, only the action that is performed is recorded. The following sequence shows the priorities of the actions from high to low: block, strict CAPTCHA verification, common CAPTCHA verification, and JavaScript verification. |
block |
| final_plugin | The protection feature that performs the action (final_action) on client requests. For more information about the values of this field, see Description of the plugin field. If a request does not trigger a protection feature, the field is not recorded. For example, if a request matches the rule that allows requests or a client passes CAPTCHA verification or JavaScript verification, the field is not recorded. If a request triggers multiple protection features at the same time, only the protection feature that performs the action (final_action) is recorded. |
waf |
| final_rule_id | The ID of the protection rule that applies to client requests. The protection rule is the rule that defines the action specified in the final_action field. | 115341 |
| final_rule_type | The subtype of the rule that is defined in final_rule_id. For example, |
xss/webshell |
| acl_action | The action that is defined in the protection rule that applies to client requests. The protection rule can be a rule that is created for Blacklists or Custom Protection Policy (ACL). For more information about the values of this field, see Description of the action field. |
pass |
| acl_rule_type | The type of the protection rule that applies to client requests. The protection rule can be a rule that is created for Blacklists or Custom Protection Policy (ACL). Valid values:
|
custom |
| cc_action | The action that is defined in the protection rule that applies to client requests. The protection rule can be a rule that is created for HTTP Flood Protection or Custom Protection Policy (HTTP Flood Protection). For more information about the values of this field, see Description of the action field. |
block |
| cc_rule_type | The type of the protection rule that applies to client requests. The protection rule can be a rule that is created for HTTP Flood Protection or Custom Protection Policy (HTTP Flood Protection). Valid values:
|
custom |
| waf_action | The action that is defined in the matched rule that is created for Protection Rules Engine. For more information about the values of this field, see Description of the action field. |
block |
| waf_rule_id | The ID of the matched rule that is created for Protection Rules Engine. | 113406 |
Non-protection log fields
Non-protection log fields include request logic fields that WAF obtains from client requests and supplemental fields that are generated after WAF analyzes the requests. The request logic fields include common request header fields. The supplemental fields record request behavior and also record the actual IP addresses of clients and status codes from origin servers.
| Field | Description | Example value |
|---|---|---|
| content_type | The type of the requested content. | application/x-www-form-urlencoded |
| host | The Host field of the request header, which contains the domain name or IP address to access. The field value is determined by your business settings | api.example.com |
| http_cookie | The cookie field of the request header, which contains the cookie information about the client. | k1=v1;k2=v2 |
| http_referer | The Referer field of the request header, which contains the source URL information about the request. If the request does not contain the source URL information, the value of the field is |
http://example.com |
| http_user_agent | The User-Agent field of the request header. This field contains information about the browser and operating system. | Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002) |
| http_x_forwarded_for | The X-Forwarded_For (XFF) field of the request header. This field is used to identify the actual IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing device. | None |
| querystring | The query string in the request. The query string refers to the part that follows the question mark (?) in the requested URL. | title=tm_content%3Darticle&pid=123 |
| real_client_ip | The actual IP address of the client that initiates the request. WAF identifies the actual IP address based on the analysis of the request. If WAF cannot obtain the actual IP address of the client, the value of the field is |
1.XX.XX.1 |
| remote_addr | The IP address from which connections are established with WAF. If WAF is directly connected to a client, this field records the actual IP address of the client. If a Layer 7 proxy, such as Content Delivery Network (CDN), is deployed in front of WAF, this field records the IP address of the proxy. |
1.XX.XX.1 |
| remote_port | The port from which connections are established with WAF. If WAF is connected to a client, this field records the port of the client. If a Layer 7 proxy, such as CDN, is deployed in front of WAF, this field records the port of the proxy. |
80 |
| request_length | The number of bytes in the request. The request includes the request line, request header, and request body. Unit: bytes. | 111111 |
| request_method | The request method. | GET |
| request_path | The requested relative path. The relative path refers to the part between the domain name and the question mark (?) in the requested URL. The relative path does not include the query string. | /news/search.php |
| request_time_msec | The time that WAF takes to process a request. Unit: milliseconds. | 44 |
| request_traceid | The unique identifier that is generated by WAF for each request. | 7837b11715410386943437009ea1f0 |
| server_port | The requested destination port. | 443 |
| server_protocol | The protocol and version that the origin server uses to respond to the request forwarded by WAF. | HTTP/1.1 |
| ssl_cipher | The encryption suite that is used in the request. | ECDHE-RSA-AES128-GCM-SHA256 |
| ssl_protocol | The SSL or TLS protocol and version that are used in the request. | TLSv1.2 |
| time | The time at which the request is initiated. The time follows the ISO 8601 standard in the yyyy-MM-ddTHH:mm:ss+08:00 format. The time must be in UTC. |
2018-05-02T16:03:59+08:00 |
| upstream_response_time | The time that the origin server takes to respond to the request forwarded by WAF. Unit: seconds. | 0.044 |
| upstream_status | The HTTP status code that the origin server sends in response to the request from WAF. Example: 200, which indicates that the request was received and accepted. | 200 |
| body_bytes_sent | The number of bytes in the request body. Unit: bytes. | 1111 |
| matched_host | The matched domain name that is added to WAF for protection.
Note Wildcard domains can be added to WAF, and WAF matches a wildcard domain for client requests. For example, if the domain name *.aliyun.com is added to WAF and www.aliyun.com is requested, WAF matches the domain name *.aliyun.com.
|
*.aliyun.com |
| https | Indicates whether the request is an HTTPS request. Valid values:
|
true |
| region | The ID of the region where the WAF instance resides. Valid values:
|
cn |
| status | The HTTP status code that WAF sends in response to the client request. Example: 200, which indicates that the request was received and accepted. | 200 |
| ua_browser | The name of the browser that initiates requests. | ie9 |
| ua_browser_family | The family to which the browser that initiates requests belongs. | internet explorer |
| ua_browser_type | The type of the browser that initiates requests. | web_browser |
| ua_browser_version | The version of the browser that initiates requests. | 9.0 |
| ua_device_type | The type of the device that initiates requests. | computer |
| ua_os | The operating system of the client that initiates requests. | windows_7 |
| ua_os_family | The family to which the operating system of the client that initiates requests belongs. | windows |
| upstream_addr | The IP address and port number of the origin server. The format is IP:Port. Multiple pairs of IP addresses and ports are separated by commas (,). |
1.XX.XX.1:443 |
| user_id | The ID of the Alibaba Cloud account that owns the WAF instance. | 17045741******** |