This topic describes the log fields supported by Web Application Firewall (WAF).

Table for field retrieval

The following table describes the exclusive fields that are supported by WAF. You can use the names of fields to retrieve the fields that you want to view.

First letter of a field name Field
a account_action | account_rule_id | account_test | acl_action | acl_rule_id | acl_rule_type | acl_test | algorithm_action | algorithm_rule_id | algorithm_test | antifraud_action | antifraud_test | antiscan_action | antiscan_rule_id | antiscan_rule_type | antiscan_test
b block_action | body_bytes_sent | bypass_matched_ids
c cc_action | cc_rule_id | cc_rule_type | cc_test | content_type
d deeplearning_action | deeplearning_rule_id | deeplearning_rule_type | deeplearning_test | dlp_action | dlp_rule_id | dlp_test
f final_action | final_plugin | final_rule_id | final_rule_type
h host | http_cookie | http_referer | http_user_agent | http_x_forwarded_for | https
i intelligence_action | intelligence_rule_id | intelligence_test
m matched_host
n normalized_action | normalized_rule_id | normalized_rule_type | normalized_test
q querystring
r real_client_ip | region | remote_addr | remote_port | request_body | request_length | request_method | request_path | request_time_msec | request_traceid
s scene_action | scene_id | scene_rule_id | scene_rule_type | scene_test | server_port | server_protocol | ssl_cipher | ssl_protocol | status
t time
u ua_browser | ua_browser_family | ua_browser_type | ua_browser_version | ua_device_type | ua_os | ua_os_family | upstream_addr | upstream_response_time | upstream_status | user_id
w waf_action | waf_rule_id | waf_rule_type | waf_test | wxbb_action | wxbb_invalid_wua | wxbb_rule_id | wxbb_test

Protection log fields

Protection log fields are generated by WAF when client requests match the rules specified in WAF protection features. You can use the protection log fields to analyze attacks on your business. The rules can be used to allow or block requests.

The following table describes all actions that are supported by WAF.

Value of the action field Description
block Block, which indicates that WAF blocks the client request and returns HTTP error 405 to the client.
captcha_strict Strict slider CAPTCHA verification, which indicates that WAF returns pages used for slider CAPTCHA verification to the client. If a client passes strict slider CAPTCHA verification, WAF allows the request from the client. Otherwise, WAF blocks the request. A client must pass strict slider CAPTCHA verification each time the client sends a request.
captcha Common slider CAPTCHA verification, which indicates that WAF returns pages used for slider CAPTCHA verification to the client. If a client passes common slider CAPTCHA verification, WAF allows requests from the client in a specific time range. In this time range, the client can bypass the verification. By default, the time range is 30 minutes. If the client fails common slider CAPTCHA verification, WAF blocks requests from the client.
js JavaScript verification, which indicates that WAF returns JavaScript code to the client. The JavaScript code can be automatically executed by the browsers that the client uses. If a client passes JavaScript verification, WAF allows requests from the client in a specific time range. In this time range, the client can bypass the verification. By default, the time range is 30 minutes. If the client fails JavaScript verification, WAF blocks requests from the client.
pass Allow, which indicates that WAF allows and forwards client requests to origin servers.
captcha_strict_pass Indicates that the client passes strict slider CAPTCHA verification and WAF allows the request from the client.
captcha_pass Indicates that the client passes common slider CAPTCHA verification and WAF allows the requests from the client.
js_pass Indicates that the client passes JavaScript verification and WAF allows the requests from the client.
mask Indicates that WAF masks the sensitive data that is returned from origin servers and returns the result to the client. Only the data leak prevention feature supports this action.
continue Allow. The specific meaning of the continue action varies based on the protection features. For more information, see the descriptions of the normalized_action and wxbb_action fields.

Field Description Sample value
account_action The action that is performed on the request after an account security rule is triggered. The value is fixed as block, which indicates that WAF blocks the client request.

For more information about WAF protection actions, see Description of the action field.

block
account_rule_id The ID of the account security rule that is triggered. 151235
account_test The protection mode that is used for the request after an account security rule is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
false
acl_action The action that is performed on the request after a rule created for the blacklist or custom protection policy (ACL) feature is triggered. Valid values:
  • block: indicates that the request is blocked.
  • captcha_strict: indicates that strict slider CAPTCHA verification is performed.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.
  • captcha_strict_pass: indicates that the client passes strict slider CAPTCHA verification and WAF allows the request from the client.
  • captcha_pass: indicates that the client passes common slider CAPTCHA verification and WAF allows the request from the client.
  • js_pass: indicates that the client passes JavaScript verification and WAF allows the request from the client.

For more information about WAF protection actions, see Description of the action field.

block
acl_rule_id The ID of the rule that is triggered. The rule is created for the blacklist or custom protection policy (ACL) feature. 151235
acl_rule_type The type of the rule that is triggered. The rule is created for the blacklist or custom protection policy (ACL) feature. Valid values:
  • custom: indicates a rule that is created for the custom protection policy feature.
  • blacklist: indicates a rule that is created for the blacklist feature.
custom
acl_test The protection mode that is used for the request after a rule created for the blacklist or custom protection policy (ACL) feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
false
algorithm_action The action that is performed on the request after a rule created for the typical bot behavior identification feature is triggered. Valid values:
  • block: indicates that the request is blocked.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.
  • captcha_pass: indicates that the client passes common slider CAPTCHA verification and WAF allows the request from the client.
  • js_pass: indicates that the client passes JavaScript verification and WAF allows the request from the client.

For more information about WAF protection actions, see Description of the action field.

block
algorithm_rule_id The ID of the rule that is triggered. The rule is created for the typical bot behavior identification feature. 151235
algorithm_test The protection mode that is used for the request after a rule created for the typical bot behavior identification feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
false
antifraud_action The action that is performed on the request after a rule created for the data risk control feature is triggered. Valid values:
  • pass: indicates that the request is allowed.
  • block: indicates that the request is blocked.
  • captcha: indicates that common slider CAPTCHA verification is performed.

For more information about WAF protection actions, see Description of the action field.

block
antifraud_test The protection mode that is used for the request after a rule created for the data risk control feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
false
antiscan_action The action that is performed on the request after a rule created for the scan protection feature is triggered. The value is fixed as block, which indicates that WAF blocks the request from the client.

For more information about WAF protection actions, see Description of the action field.

block
antiscan_rule_id The ID of the rule that is triggered. The rule is created for the scan protection feature. 151235
antiscan_rule_type The type of the rule that is triggered. The rule is created for the scan protection feature. Valid values:
  • highfreq: indicates a rule that blocks IP addresses from which web attacks are frequently initiated.
  • dirscan: indicates a rule that defends against directory traversal attacks.
  • scantools: indicates a rule that blocks the IP addresses of scanning tools.
  • collaborative: indicates a collaborative defense rule.
highfreq
antiscan_test The protection mode that is used for the request after a rule created for the scan protection feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
false
block_action
Notice: This field is no longer valid due to WAF upgrades. The field final_plugin replaces this field. If the block_action field is used in your services, replace the field with final_plugin at the earliest opportunity.
The WAF protection feature that is triggered to block the request. Valid values:
  • tmd: indicates HTTP flood protection. The value is equivalent to the cc value of final_plugin.
  • waf: indicates web attack protection. The value is equivalent to the waf value of final_plugin.
  • acl: indicates the custom protection policy feature. The value is equivalent to the acl value of final_plugin.
  • deeplearning: indicates the Deep Learning Engine. The value is equivalent to the deeplearning value of final_plugin.
  • antiscan: indicates scan protection. The value is equivalent to the antiscan value of final_plugin.
  • antifraud: indicates data risk control. The value is equivalent to the antifraud value of final_plugin.
  • antibot: indicates bot management. The value is equivalent to the intelligence, algorithm, wxbb, and scene values of final_plugin.
waf
bypass_matched_ids The ID of the rule that is triggered to allow the request. The rule can be a whitelist rule or a custom protection rule that allows the request.

If multiple rules are triggered at the same time to allow the request, this field records the IDs of all the rules. Multiple IDs are separated by commas (,).

283531
cc_action The action that is performed on the request after a rule is triggered. The rule is created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature. Valid values:
  • block: indicates that the request is blocked.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.
  • captcha_pass: indicates that the client passes common slider CAPTCHA verification and WAF allows the request from the client.
  • js_pass: indicates that the client passes JavaScript verification and WAF allows the request from the client.

For more information about WAF protection actions, see Description of the action field.

block
cc_rule_id The ID of the rule that is triggered. The rule is created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature. 151234
cc_rule_type The type of the rule that is triggered. The rule is created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature. Valid values:
  • custom: indicates a custom protection rule (HTTP Flood Protection).
  • system: indicates an HTTP flood protection rule.
custom
cc_test The protection mode that is used for the request after a rule is triggered. The rule is created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
false
deeplearning_action The action that is performed on the request after a rule created for the Deep Learning Engine is triggered. The value is fixed as block, which indicates that WAF blocks the request from the client.

For more information about WAF protection actions, see Description of the action field.

block
deeplearning_rule_id The ID of the rule that is triggered. The rule is created for the Deep Learning Engine. 151238
deeplearning_rule_type The type of the rule that is triggered. The rule is created for the Deep Learning Engine. Valid values:
  • xss: indicates a rule that defends against XSS attacks.
  • code_exec: indicates a rule that defends against specific attacks. The attacks exploit code execution vulnerabilities.
  • webshell: indicates a rule that defends against webshell uploads.
  • sqli: indicates a rule that defends against SQL injection.
  • lfilei: indicates a rule that defends against local file inclusion.
  • rfilei: indicates a rule that defends against remote file inclusion.
  • crlf: indicates a rule that defends against carriage return line feed (CRLF) injection.
  • other: indicates other protection rules.
xss
deeplearning_test The protection mode that is used for the request after a rule created for the Deep Learning Engine is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
false
dlp_action The action that is performed on the request after a rule created for the data leakage prevention feature is triggered. Valid values:
  • block: indicates that the request is blocked.
  • mask: indicates that sensitive data is masked.

For more information about WAF protection actions, see Description of the action field.

mask
dlp_rule_id The ID of the rule that is triggered. The rule is created for the data leakage prevention feature. 151245
dlp_test The protection mode that is used for the request after a rule created for the data leakage prevention feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
false
final_action The action that WAF performs on the client request. Valid values:
  • block: indicates that the request is blocked.
  • captcha_strict: indicates that strict slider CAPTCHA verification is performed.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.

For more information about WAF protection actions, see Description of the action field.

If a request does not trigger a protection feature, the field is not recorded. For example, if a request matches a rule that allows the request or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded.

If a request triggers multiple protection features at the same time, the field is recorded, and the field includes only the action that is performed. The following actions are listed in descending order of priority: block, strict slider CAPTCHA verification, common slider CAPTCHA verification, and JavaScript verification.

block
final_plugin The protection feature that performs the action specified by final_action on the client request. Valid values:
  • waf: indicates the Protection Rules Engine
  • deeplearning: indicates the Deep Learning Engine
  • dlp: indicates data leakage prevention
  • account: indicates account security
  • normalized: indicates the positive security model feature
  • acl: indicates the blacklist or custom protection policy (ACL) feature
  • cc: indicates the HTTP flood protection and custom protection policy (HTTP Flood Protection) feature
  • antiscan: indicates the scan protection feature
  • scene: indicates the scenario-specific configuration feature
  • antifraud: indicates the data risk control feature
  • bot_intelligence: indicates the bot threat intelligence feature
  • algorithm: indicates the typical bot behavior identification feature
  • wxbb: indicates the app protection feature

To configure the preceding protection features, log on to the Web Application Firewall console and choose Protection Settings > Website Protection in the left-side navigation pane. For more information about WAF protection features, see Overview of website protection.

If a request does not trigger a protection feature, the field is not recorded. For example, if a request matches a rule that allows the request or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded.

If a request triggers multiple protection features at the same time, the field is recorded, and the field includes only the protection feature that performs the action specified by final_action.

waf
final_rule_id The ID of the rule that is applied to the client request. The rule defines the action recorded in the final_action field. 115341
final_rule_type The subtype of the rule that is applied to the client request. The rule is indicated by final_rule_id.

For example, final_plugin:waf supports final_rule_type:sqli and final_rule_type:xss.

xss/webshell
intelligence_action The action that is performed on the request after a rule created for the bot threat intelligence feature is triggered. Valid values:
  • block: indicates that the request is blocked.
  • captcha_strict: indicates that strict slider CAPTCHA verification is performed.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.
  • captcha_strict_pass: indicates that the client passes strict slider CAPTCHA verification and WAF allows the request from the client.
  • captcha_pass: indicates that the client passes common slider CAPTCHA verification and WAF allows the request from the client.
  • js_pass: indicates that the client passes JavaScript verification and WAF allows the request from the client.

For more information about WAF protection actions, see Description of the action field.

block
intelligence_rule_id The ID of the rule that is triggered. The rule is created for the bot threat intelligence feature. 152234
intelligence_test The protection mode that is used for the request after a rule created for the bot threat intelligence feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
false
normalized_action The action that is performed on the request after a rule created for the positive security model feature is triggered. Valid values:
  • block: indicates that the request is blocked.
  • continue: indicates that the request is allowed.

For more information about WAF protection actions, see Description of the action field.

block
normalized_rule_id The ID of the rule that is triggered. The rule is created for the positive security model feature. 151266
normalized_rule_type The type of the rule that is triggered. The rule is created for the positive security model feature. Valid values:
  • User-Agent: indicates a User-Agent-based baseline rule. If the User-Agent field of a request header does not conform to the baseline, an attack may occur. This description applies to other rule types.
  • Referer: indicates a Referer-based baseline rule.
  • URL: indicates a URL-based baseline rule.
  • Cookie: indicates a cookie-based baseline rule.
  • Body: indicates a request body-based baseline rule.
User-Agent
normalized_test The protection mode that is used for the request after a rule created for the positive security model feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
false
scene_action The action that is performed on the request after a rule created for scenario-specific configuration is triggered. Valid values:
  • block: indicates that the request is blocked.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.
  • captcha_pass: indicates that the client passes common slider CAPTCHA verification and WAF allows the request from the client.
  • js_pass: indicates that the client passes JavaScript verification and WAF allows the request from the client.

For more information about WAF protection actions, see Description of the action field.

block
scene_id The protection mode that is used for the request after a rule created for scenario-specific configuration is triggered. 151235
scene_rule_id The ID of the rule that is triggered. The rule is created for scenario-specific configuration. 153678
scene_rule_type The type of the rule that is triggered. The rule is created for scenario-specific configuration. Valid values:
  • bot_aialgo: indicates an intelligent protection rule.
  • js: indicates a rule that blocks script-based bots.
  • intelligence: indicates a rule that blocks attacks based on bot threat intelligence or data center blacklists.
  • sdk: indicates a rule that checks for abnormal signatures of SDK-integrated apps and abnormal device behaviors.
  • cc: indicates an IP address-based throttling rule or a custom session-based throttling rule.
bot_aialgo
scene_test The protection mode that is used for the request after a rule created for scenario-specific configuration is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
false
waf_action The action that is performed on the request after a rule created for the Protection Rules Engine is triggered. The value is fixed as block, which indicates that WAF blocks the request from the client.

For more information about WAF protection actions, see WAF protection actions.

block
waf_rule_id The ID of the rule that is triggered. The rule is created for the Protection Rules Engine. 113406
waf_rule_type The type of the rule that is triggered. The rule is created for the Protection Rules Engine. Valid values:
  • xss: indicates a rule that defends against XSS attacks.
  • code_exec: indicates a rule that defends against specific attacks. The attacks exploit code execution vulnerabilities.
  • webshell: indicates a rule that defends against webshell uploads.
  • sqli: indicates a rule that defends against SQL injection.
  • lfilei: indicates a rule that defends against local file inclusion.
  • rfilei: indicates a rule that defends against remote file inclusion.
  • crlf: indicates a rule that defends against CRLF injection.
  • other: indicates other protection rules.
xss
waf_test The protection mode that is used for the request after a rule created for the Protection Rules Engine is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
false
wxbb_action The action that is performed on the request after a rule created for the app protection feature is triggered. Valid values:
  • block: indicates that the request is blocked because the signature fails verification.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.
  • continue: indicates that the request is allowed because the signature passes verification.

For more information about WAF protection actions, see Description of the action field.

block
wxbb_invalid_wua The reason why the client request is considered abnormal based on the rule created for the app protection feature. Valid values:
  • wxbb_simulator: indicates that a simulator is used.
  • wxbb_proxy: indicates that a proxy is used.
  • wxbb_root: indicates that a rooted device is used.
  • wxbb_hook: indicates that hooking is used.
  • wxbb_antireplay: indicates that a replay attack that uses the signature string wToken is detected.
  • wxbb_virtual: indicates that multiboxing is configured for Anti-Bot SDK-integrated apps.
  • wxbb_debugged: indicates that the device is in debug mode.
  • wxbb_invalid_sign: indicates that signature verification fails.
    The following information describes common causes:
    • A request does not carry a signature.
    • The parameter passed when a signature is added is different from the parameter received by WAF. For example, the parameter a=1&b=2 is passed, but the parameter received by WAF is b=2&a=1. As another example, the content of the passed parameter is not encoded, but the content received by WAF is Base64-encoded.
wxbb_invalid_sign
wxbb_rule_id The ID of the rule that is triggered. The rule is created for the app protection feature. 156789
wxbb_test The protection mode that is used for the request after a rule created for the app protection feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
false
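
The per-feature action, rule_id and test fields above can be combined to separate enforced actions from observation-mode hits and to check the recorded final_action against the documented priority order. The following Python is an added example, not part of the WAF documentation: the records are constructed samples, the function names (feature_hits, triage, observation_backlog) are hypothetical, and it assumes that only prevention-mode hits contribute to final_action.

```python
from collections import Counter

# Feature prefixes of the <prefix>_action / _rule_id / _rule_type / _test
# fields listed in the protection log field table.
FEATURES = ("account", "acl", "algorithm", "antifraud", "antiscan", "cc",
            "deeplearning", "dlp", "intelligence", "normalized", "scene",
            "waf", "wxbb")

# Documented final_action priority, highest first.
FINAL_PRIORITY = ("block", "captcha_strict", "captcha", "js")


def feature_hits(record):
    """Return one entry per protection feature that logged an action."""
    hits = []
    for feature in FEATURES:
        action = record.get(f"{feature}_action")
        if not action:
            continue  # field not recorded: the feature was not triggered
        # "true" means observation mode: the hit is logged but not enforced.
        observation = str(record.get(f"{feature}_test", "false")).lower() == "true"
        hits.append({
            "feature": feature,
            "action": action,
            "rule_id": record.get(f"{feature}_rule_id"),
            "rule_type": record.get(f"{feature}_rule_type"),
            "observation": observation,
        })
    return hits


def triage(record):
    """Split hits into enforced and observation-only, then check final_action."""
    # pass, *_pass, continue and mask are not final_action values; skip them.
    hits = [h for h in feature_hits(record) if h["action"] in FINAL_PRIORITY]
    enforced = [h for h in hits if not h["observation"]]
    observed = [h for h in hits if h["observation"]]
    # Assumption of this example: only prevention-mode hits feed final_action.
    enforced_actions = {h["action"] for h in enforced}
    expected = next((a for a in FINAL_PRIORITY if a in enforced_actions), None)
    return {
        "enforced": [h["feature"] for h in enforced],
        "observation_only": [h["feature"] for h in observed],
        "expected_final_action": expected,
        "consistent": expected == record.get("final_action"),
    }


def observation_backlog(records):
    """Count (feature, rule_id, action) hits that were logged but not enforced."""
    backlog = Counter()
    for record in records:
        for h in feature_hits(record):
            if h["observation"] and h["action"] in FINAL_PRIORITY:
                backlog[(h["feature"], h["rule_id"], h["action"])] += 1
    return backlog


# Constructed sample records (not real traffic); IDs reuse the page's sample values.
SAMPLE_RECORDS = [
    {   # Two features fire in prevention mode; block outranks captcha.
        "request_traceid": "sample-trace-1",
        "waf_action": "block", "waf_rule_id": "113406",
        "waf_rule_type": "xss", "waf_test": "false",
        "cc_action": "captcha", "cc_rule_id": "151234",
        "cc_rule_type": "custom", "cc_test": "false",
        "final_action": "block", "final_plugin": "waf",
        "final_rule_id": "113406", "final_rule_type": "xss",
    },
    {   # ACL rule in observation mode: logged, request not blocked.
        "request_traceid": "sample-trace-2",
        "acl_action": "block", "acl_rule_id": "151235",
        "acl_rule_type": "custom", "acl_test": "true",
    },
    {   # Same ACL rule again, plus a client that already passed JS verification.
        "request_traceid": "sample-trace-3",
        "acl_action": "block", "acl_rule_id": "151235",
        "acl_rule_type": "custom", "acl_test": "true",
        "cc_action": "js_pass", "cc_rule_id": "151234",
        "cc_rule_type": "system", "cc_test": "false",
    },
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["request_traceid"], triage(rec))
    print(observation_backlog(SAMPLE_RECORDS).most_common())
```

A rule that accumulates a large count in observation_backlog is one whose switch to prevention mode would change what clients see, so review its hits before flipping the test flag.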

Non-protection log fields

Non-protection log fields include request logic fields that WAF obtains from client requests and supplemental fields that are generated after WAF analyzes the requests. The request logic fields include common request header fields. The supplemental fields record request behavior and also record the actual IP addresses of clients and status codes from origin servers.

Field Description Sample value
body_bytes_sent The number of bytes in the request body. Unit: bytes. 1111
content_type The type of the requested content. application/x-www-form-urlencoded
host The Host field of the request header, which contains the domain name or IP address to access. The field value is determined by your business settings. api.example.com
http_referer The Referer field of the request header, which contains the source URL information about the request.

If the request does not contain the source URL information, the value of the field is displayed as -.

http://example.com
http_user_agent The User-Agent field of the request header. This field contains information about the browser and operating system. Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002)
http_x_forwarded_for The X-Forwarded-For (XFF) field of the request header. This field is used to identify the actual IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing device. 101.XX.XX.120
https Indicates whether the request is an HTTPS request. Valid values:
  • on: HTTPS request
  • off: HTTP request
on
matched_host The domain name that is matched by WAF. The domain name is added to WAF for protection.
Note: Wildcard domains can be added to WAF, and WAF matches a wildcard domain. For example, if the domain name *.aliyun.com is added to WAF and www.aliyun.com is requested, WAF matches the domain name *.aliyun.com.
*.aliyun.com
querystring The query string in the request. The query string refers to the part that follows the question mark (?) in the requested URL. title=tm_content%3Darticle&pid=123
real_client_ip The actual IP address of the client that initiates the request. WAF identifies the actual IP address based on the analysis of the request.

If WAF cannot identify the actual IP address of the client, the value of the field is displayed as -. For example, if a proxy server is used or the IP field in the request header is invalid, WAF cannot identify the actual IP address of the client.

1.XX.XX.1
region The ID of the region where the WAF instance resides. Valid values:
  • cn: mainland China
  • int: outside mainland China
cn
remote_addr The IP address that is used to connect to WAF.

If WAF is directly connected to a client, this field records the actual IP address of the client. If a Layer 7 proxy, such as Content Delivery Network (CDN), is deployed in front of WAF, this field records the IP address of the proxy.

1.XX.XX.1
remote_port The port that is used to connect to WAF.

If WAF is connected to a client, this field records the port of the client. If a Layer 7 proxy, such as CDN, is deployed in front of WAF, this field records the port of the proxy.

80
request_body The request body. i am the request body, encrypted or not!
request_length The number of bytes in the request. The request includes the request line, request header, and request body. Unit: bytes. 111111
request_method The request method. GET
request_path The requested relative path. The relative path refers to the part between the domain name and the question mark (?) in the requested URL. The relative path does not include the query string. /news/search.php
request_time_msec The time that WAF takes to process a request. Unit: milliseconds. 44
request_traceid The unique identifier that is generated by WAF for each request. 7837b11715410386943437009ea1f0
server_port The requested destination port. 443
server_protocol The protocol and version that the origin server uses to respond to the request forwarded by WAF. HTTP/1.1
ssl_cipher The cipher suite that is used in the request. ECDHE-RSA-AES128-GCM-SHA256
ssl_protocol The SSL or TLS protocol and version that are used in the request. TLSv1.2
status The HTTP status code that WAF sends in response to the request from the client. Example: 200, which indicates that the request is received and accepted. 200
time The point in time at which the request is initiated. The time follows the ISO 8601 standard in the yyyy-MM-ddTHH:mm:ss+08:00 format. The time must be in UTC. 2018-05-02T16:03:59+08:00
ua_browser The name of the browser that initiates the request. ie9
ua_browser_family The family to which the browser that initiates the request belongs. internet explorer
ua_browser_type The type of the browser that initiates the request. web_browser
ua_browser_version The version of the browser that initiates the request. 9.0
ua_device_type The device type of the client that initiates the request. computer
ua_os The operating system of the client that initiates the request. windows_7
ua_os_family The family to which the operating system of the client belongs. windows
upstream_addr The IP address and port number of the origin server. The format is IP address:Port. Multiple pairs of IP addresses and ports are separated by commas (,). 1.XX.XX.1:443
upstream_response_time The time that the origin server takes to respond to the request forwarded by WAF. Unit: seconds. 0.044
upstream_status The HTTP status code that the origin server sends in response to the request from WAF. Example: 200, which indicates that the request is received and accepted. 200
user_id The ID of the Alibaba Cloud account to which the WAF instance belongs. 17045741********
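
The real_client_ip, remote_addr, http_x_forwarded_for and upstream_addr fields above each answer a different question about where a request came from and where it went. The following Python is an added example, not part of the WAF documentation, that picks the address to attribute a request to and parses the comma-separated upstream_addr value; the function names are hypothetical and the records use constructed addresses from documentation ranges.

```python
import ipaddress


def _ip(value):
    """Return a normalised IP string, or None for '-', masked or invalid values."""
    try:
        return str(ipaddress.ip_address(str(value).strip().strip("[]")))
    except ValueError:
        return None


def client_source(record):
    """Pick the address to attribute a request to and say which field it came from."""
    real = _ip(record.get("real_client_ip", "-"))
    peer = _ip(record.get("remote_addr", "-"))
    # X-Forwarded-For is supplied by the client or by intermediaries, so it is
    # kept as context only and never used as the attribution source here.
    raw_xff = str(record.get("http_x_forwarded_for", ""))
    xff_chain = [ip for ip in map(_ip, raw_xff.split(",")) if ip]
    if real:
        ip, basis = real, "real_client_ip"
    else:
        # real_client_ip is "-" when WAF cannot identify the client; the
        # connecting peer is the only address left, and it may be a proxy.
        ip, basis = peer, "remote_addr"
    return {
        "ip": ip,
        "basis": basis,
        # A Layer 7 proxy in front of WAF shows up as remote_addr != real_client_ip.
        "peer_is_proxy": bool(real and peer and real != peer),
        "xff_chain": xff_chain,
    }


def parse_upstream(value):
    """Parse upstream_addr ('IP address:Port', comma-separated) into (ip, port) pairs."""
    pairs = []
    for part in str(value).split(","):
        host, sep, port = part.strip().rpartition(":")
        ip = _ip(host)
        if sep and ip and port.isdigit():
            pairs.append((ip, int(port)))
    return pairs


# Constructed sample records (documentation address ranges, not real traffic).
DIRECT = {"remote_addr": "203.0.113.7", "real_client_ip": "203.0.113.7",
          "http_x_forwarded_for": "-", "upstream_addr": "192.0.2.10:443"}
BEHIND_CDN = {"remote_addr": "198.51.100.20", "real_client_ip": "203.0.113.7",
              "http_x_forwarded_for": "203.0.113.7, 198.51.100.20",
              "upstream_addr": "192.0.2.10:443,192.0.2.11:8443"}
UNRESOLVED = {"remote_addr": "198.51.100.20", "real_client_ip": "-",
              "http_x_forwarded_for": "not-an-ip", "upstream_addr": "-"}

if __name__ == "__main__":
    for rec in (DIRECT, BEHIND_CDN, UNRESOLVED):
        print(client_source(rec), parse_upstream(rec["upstream_addr"]))
```

When basis is remote_addr, rate-limit or blacklist decisions keyed on that address can hit a shared proxy rather than a single client.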