Query & Filter Traffic Logs via DescribeTrafficLog API - Cloud Firewall - Alibaba Cloud - Cloud Firewall

Queries log traffic information.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-cloudfirewall:DescribeTrafficLog

get

*All Resource

*

None

Request parameters

Parameter	Type	Required	Description	Example
SourceIp	string	No	The source IP address.	139.217.234.XXX
Lang	string	No	The language of the response. Valid values: zh (default): Chinese en: English Valid values: en : English zh : Chinese	zh
Lang	string	No	The language of the response. Valid values: zh (default): Chinese en: English Valid values: en : English zh : Chinese	zh
StartTime	string	Yes	The start of the query time range, specified as a UNIX timestamp in seconds. You can query logs from the last 7 days. For best performance, limit each query to a 24-hour time range.	1730946241
EndTime	string	Yes	The end of the query time range, specified as a UNIX timestamp in seconds.	1742926322
AppId	string	No	The application ID.	7
CurrentPage	string	No	The page number.	1
PageSize	string	No	The number of entries per page. The maximum value is 20.	10
RuleId	string	No	The rule ID.	8b115ae3-da64-4b80-81c1-1cd2dd42****
SourceCode	string	Yes	The code for tracing the traffic source.	yundun
DstIP	string	No	The destination IP address.	182.92.206.XXX
SrcIP	string	No	The source IP address.	10.68.60.XXX
SrcPrivateIP	string	No	The private source IP address.	10.100.134.XX
Direction	string	No	The traffic direction. Valid values: in : inbound out : outbound	out
AssetRegion	string	No	The region ID of the asset.	cn-hangzhou
RuleResult	string	No	The rule action. Valid values: Valid values: 0 : allow 1 : alert 2 : drop	0
IpProtocol	string	No	The protocol type.	icmp
SrcPort	string	No	The source port.	8082
DstPort	string	No	The destination port.	9876
AttackType	string	No	The attack type. Valid values: Valid values: 1 : abnormal connection 2 : command execution 3 : brute-force attack 4 : scan 5 : other	1
RuleSource	string	No	The rule source. Valid values: Valid values: 1 : basic protection 2 : virtual patching 3 : basic ACL 4 : threat intelligence	1
VulLevel	string	No	The vulnerability level. Valid values: Valid values: 1 : low 2 : medium 3 : high	1
Isp	string	No	The ISP.	telecom
Location	string	No	The location of the source or destination IP address.	Hangzhou
DomainName	string	No	The domain name.	example.com
FlowType	string	No	The flow log type. Valid values: Valid values: UnidirectionalFlow : unidirectional flow BidirectionalFlow : bidirectional flow	All
FirewallType	string	No	The firewall type. Valid values: Valid values: DnsFirewall : DNS firewall VpcFirewall : VPC firewall InternetFirewall : Internet firewall	VpcFirewall
VpcFirewallId	string	No	The VPC firewall instance ID.	vfw-a42bbb7b887148c9****
SrcVpcId	string	No	The source VPC ID.	vpc-wz9309pkwe06lv****tk4
DstVpcId	string	No	The destination VPC ID.	vpc-wz95m1aq9b0h****vk1yb
SrcVpcRegionNo	string	No	The source VPC region ID.	cn-beijing
DstVpcRegionNo	string	No	The destination VPC region ID.	cn-shenzhen
DomainUrl	string	No	The URL recorded in the flow log.	example.com
IpVersion	string	No	The IP version. Valid values: Valid values: 4 : IPv4 6 : IPv6	4
MemberUid	integer	No	The member account UID.	128599825273****
NatFirewallId	string	No	The NAT firewall ID.	vfw-tr-7a9c8901ed394****
NatGatewayId	string	No	The NAT Gateway ID.	ngw-2zew6yn017hhzbm****
AclPreState	string	No	The ACL pre-matching status.	normal
AclPreRuleId	string	No	The pre-matched ACL rule ID.	00000000-0000-0000-0000-000000000000
AppDpiState	string	No	The deep packet inspection (DPI) status.	success
TlsScopeId	string	No	The TLS inspection scope ID.	tis-98fd64c5****

Response elements

Element	Type	Description	Example
	object
RequestId	string	The request ID.	633D92D1-768A-547F-8ADC-2870CF0A99F6
PageInfo	object	The pagination information.
CurrentPage	integer	The current page number.	1
PageSize	integer	The number of entries per page.	10
TotalCount	integer	The total number of entries.	2
DataList	array<object>	The list of traffic logs.
	array<object>
Direction	string	The traffic direction. Valid values: in: inbound out: outbound	in
AttackType	integer	The attack type of the intrusion prevention event. Valid values: 1 : Abnormal connection 2 : Command execution 3 : Brute-force attack 4 : Scan 5 : Other	0
MemberUid	string	The UID of the member account.	14151892****7022
CountryId	string	The country ID.	US
DstPort	integer	The destination port.	80
SrcPrivateIP	string	The private source IP address.	172.16.101.7
IpProtocol	string	The protocol type.	tcp
DomainName	string	The domain name.	aliyun.com
RuleId	string	The ID of the matched rule.	00000000-0000-0000-0000-000000000000
AppName	string	The application name.	HTTP
AttackApp	string	The name of the attacked application.	WebLogic
PacketCount	integer	The number of packets.	23
AppId	integer	The application ID.	6
RuleResult	integer	The action taken on the traffic. Valid values: pass: The traffic is allowed. alert: An alert is generated for the traffic. drop: The traffic is dropped.	pass
Ext	string	Extended data.	None
DstIP	string	The destination IP address.	2.2.2.2
PacketBytes	integer	The total traffic volume in bytes.	355
InBytes	string	The inbound traffic volume in bytes.	125
IspId	string	The ID of the Internet Service Provider (ISP).	50075069
Isp	string	The Internet Service Provider (ISP).	FOP Dmytro Nedilskyi
RegionId	string	The region ID.	cn-hangzhou
SrcPort	integer	The source port.	20206
RuleName	string	The rule name.	test
EndTime	integer	The end time of the session. The value is a UNIX timestamp in seconds.	1751423363
VpcFirewallId	string	The instance ID of the VPC firewall.	vfw-4045ca7***
CityId	string	The city ID.	FI
StartTime	integer	The start time of the session. The value is a UNIX timestamp in seconds.	1751423362
CloseReason	string	The reason why the session was closed.	tcp_fin
OutBytes	string	The outbound traffic volume in bytes.	230
VulLevel	integer	The vulnerability level.	0
RuleSource	string	The source of the matched detection rule. Valid values: 0: None. 1: Basic protection. 2: Virtual patching. 3: Access control. 4: Threat intelligence.	0
OutPackets	string	The number of outbound packets.	11
InPackets	string	The number of inbound packets.	12
SrcIP	string	The source IP address.	1.1.1.1
Location	string	The geographical location of the source or destination IP address.	Hangzhou
DomainUrl	string	The URL in the traffic log.	xxx.com
CloudInstanceId	string	The instance ID of the cloud service.	ngw-*
AclPreState	string	The pre-matching status of the ACL. Valid values: app_unknown: The application is not identified. domain_unknown: The domain name is not identified. normal: Normal.	normal
AclPreRuleId	string	The ID of the pre-matched ACL rule.	2
AclPreRuleName	string	The name of the pre-matched ACL rule.	test
AppDpiState	string	The status of deep packet inspection (DPI). Valid values: none: Initial state. policy_discard: The connection was blocked by an ACL rule or threat intelligence. tcp_not_establish: The TCP connection was not established. no_payload: The connection is established, but no payloads have been analyzed by DPI. analysing: Identifying. unknown_loose: In loose mode, the application was not identified. The identification process continues. unknown_strict: In strict mode, the application was not identified. success: The application was successfully identified.	success
Rules	array<object>	The list of rules.
	object
RuleName	string	The rule name.	sharepoint
RuleId	string	The rule ID.	17
SrcVpc	object	The information about the source VPC.
VpcId	string	The ID of the source VPC instance.	vpc-8vba1c1em97h0ji71****
VpcName	string	The name of the source VPC instance.	yi-vpc
RegionNo	string	The region ID of the source VPC.	cn-beijing
DstVpc	object	The information about the destination VPC.
VpcId	string	The ID of the destination VPC instance.	vpc-8vba1c1em97h0ji71b****
VpcName	string	The name of the destination VPC instance.	yi-vpc
RegionNo	string	The region ID of the destination VPC.	cn-hangzhou
PrivateIp	string	The private IP address.	172.21.234.XXX
PrivatePort	integer	The private port.	80
TlsRuleId	string	The ID of the matched TLS inspection rule.	tir-xxx
TlsRuleName	string	The name of the matched TLS inspection rule.	test
TlsScopeId	string	The ID of the TLS inspection scope.	tls-xxx

Examples

Success response

JSON format

{
  "RequestId": "633D92D1-768A-547F-8ADC-2870CF0A99F6",
  "PageInfo": {
    "CurrentPage": 1,
    "PageSize": 10,
    "TotalCount": 2
  },
  "DataList": [
    {
      "Direction": "in",
      "AttackType": 0,
      "MemberUid": "14151892****7022",
      "CountryId": "US",
      "DstPort": 80,
      "SrcPrivateIP": "172.16.101.7",
      "IpProtocol": "tcp",
      "DomainName": "aliyun.com",
      "RuleId": "00000000-0000-0000-0000-000000000000",
      "AppName": "HTTP",
      "AttackApp": "WebLogic",
      "PacketCount": 23,
      "AppId": 6,
      "RuleResult": 0,
      "Ext": "None",
      "DstIP": "2.2.2.2",
      "PacketBytes": 355,
      "InBytes": "125",
      "IspId": "50075069",
      "Isp": "FOP Dmytro Nedilskyi",
      "RegionId": "cn-hangzhou",
      "SrcPort": 20206,
      "RuleName": "test",
      "EndTime": 1751423363,
      "VpcFirewallId": "vfw-4045ca7***",
      "CityId": "FI",
      "StartTime": 1751423362,
      "CloseReason": "tcp_fin",
      "OutBytes": "230",
      "VulLevel": 0,
      "RuleSource": "0",
      "OutPackets": "11",
      "InPackets": "12",
      "SrcIP": "1.1.1.1",
      "Location": "Hangzhou",
      "DomainUrl": "xxx.com",
      "CloudInstanceId": "ngw-*",
      "AclPreState": "normal",
      "AclPreRuleId": "2",
      "AclPreRuleName": "test",
      "AppDpiState": "success",
      "Rules": [
        {
          "RuleName": "sharepoint",
          "RuleId": "17"
        }
      ],
      "SrcVpc": {
        "VpcId": "vpc-8vba1c1em97h0ji71****",
        "VpcName": "yi-vpc",
        "RegionNo": "cn-beijing"
      },
      "DstVpc": {
        "VpcId": "vpc-8vba1c1em97h0ji71b****",
        "VpcName": "yi-vpc",
        "RegionNo": "cn-hangzhou"
      },
      "PrivateIp": "172.21.234.XXX",
      "PrivatePort": 80,
      "TlsRuleId": "tir-xxx",
      "TlsRuleName": "test",
      "TlsScopeId": "tls-xxx"
    }
  ]
}

Error codes

HTTP status code	Error code	Error message	Description
400	ErrorAliUid	Aliuid invalid.	The aliuid is invalid.
400	ErrorAliUidBlackList	The specified aliUid is invalid.	The specified aliUid is invalid.
400	ErrorSourceCodeError	The source code is invalid.	The source code is invalid.
400	ErrorTrafficSlsFirewallType	The firewall type of traffic log is invalid.	The firewall type of traffic log is invalid.
400	ErrorIpFormat	The IP address is invalid.	The IP address is invalid.
400	ErrorPortError	The port is invalid.	The port is invalid.
400	ErrorIpProtocolError	The protocol is invalid.	The protocol is invalid.
400	ErrorDirectionError	The direction is invalid.	The direction is invalid.
400	ErrorAttackTypeError	The attack type is invalid.	The attack type is invalid.
400	ErrorVulLevelFailed	VulLevel has failed.	VulLevel has failed.
400	ErrorRuleResultError	The rule result is invalid.	The rule result is invalid.
400	ErrorAppIdError	An app ID error occurred.	An app ID error occurred.
400	ErrorFlowType	The flow type is invalid.	The flow type is invalid.
400	ErrorIspError	The ISP name is invalid.	The ISP name is invalid.
400	ErrorLocationError	The location name is invalid.	The location name is invalid.
400	ErrorDomainName	The domain name is invalid.	The domain name is invalid.
400	ErrorTimeError	The time is invalid.	The time is invalid.
400	ErrorPageNo	Either page number or page size is invalid.	Either page number or page size is invalid.
400	ErrorParameters	A parameter error occurred.	A parameter error occurred.
400	ErrorSLSLogStore	Failed to get SLS logstore.	Failed to obtain the Log Service logstore.
400	ErrorDBSelectError	A database select error occurred.	The error message returned because an internal error has occurred in querying the database.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.