
Cloud Firewall:Log field descriptions

Last Updated:Aug 12, 2025

Cloud Firewall automatically collects and stores logs for inbound and outbound traffic in real time. You can specify log fields to quickly find the log content that you need, which simplifies log analysis and troubleshooting. This topic describes the log fields for Cloud Firewall and lists the fields that support indexes.

Firewall log fields (Internet firewall, NAT firewalls, VPC firewalls)

Log field descriptions

Each entry below gives the field name, its description, and an example value.

__time__

The time when the log data is written to a Logstore.

1703483369

__topic__

The topic of the log. The value is fixed as cloudfirewall_access_log, which indicates a traffic log of Cloud Firewall.

cloudfirewall_access_log

acl_rule_id

The ID of the access control policy that the traffic hits.

If the value is 00000000-0000-0000-0000-000000000000, no access control policy is hit.

073a1475-6e11-43e2-8b28-98cee9c6****

aliuid

The Alibaba Cloud account ID.

1233333333****

app_dpi_state

The status of deep packet inspection (DPI). Valid values:

  • success: The application is successfully identified.

  • policy_discard: The traffic is blocked by a policy.

  • tcp_not_establish: The TCP connection failed to be established.

  • analysing: The application is being analyzed.

  • no_payload: The payload is not yet received.

  • unknown_loose: The application cannot be identified in loose mode.

  • unknown_strict: The application failed to be identified in strict mode.

  • none: The traffic is stateless.

success

app_name

The application type of the traffic. Valid values include HTTPS, NTP, SIP, SMB, NFS, DNS, and Unknown (the protocol is of an unknown type).

HTTPS

attack_type_name

The Chinese name of the attack type that is included in the traffic.

Mining behavior

attack_type_name_en

The English name of the attack type that is included in the traffic.

Mining Behavior

country_id

The country or region. The value is a two-letter code that complies with the ISO 3166-1 standard.

Note

The code YY indicates an unknown country or region.

  • If the value of direction is in, this field indicates the country or region from which the traffic originates.

  • If the value of direction is out, this field indicates the country or region to which the traffic is destined.

CN

city_id

The unique identifier for the city. The value is the six-digit administrative region code for a Chinese city at or above the county level. For example, the code for Beijing is 110000.

110000

cloud_instance_id

The ID of the protected asset instance.

ngw-bp1d5bx2orlw1p2wn****

direction

The direction of the traffic. Valid values:

  • in: Inbound traffic to your assets from the Internet or other ECS instances.

  • out: Outbound traffic from your assets to the Internet or other ECS instances.

Note

VPC firewalls do not have the concept of inbound and outbound traffic. The default value of the direction field is out.

in

domain

The destination domain name of the traffic.

Note

  • This field is displayed only if the traffic contains domain name information.

  • If the value of app_name is DNS, domain indicates the domain name for which a DNS request is initiated.

www.aliyundoc.com

dst_ip

The destination IP address of the traffic.

39.108.XX.XX

dst_network_instance_id

The destination network instance of the traffic.

vpc-bp18ina819injc9zs****

dst_port

The destination port of the traffic.

443

dst_region

The destination region of the traffic.

cn-beijing

end_time

The time when the session ends. This value is a UNIX timestamp. Unit: seconds.

1702367350

firewall_id

The ID of the VPC firewall instance.

cen-m9y9u2hgc0t9im****

in_bps

The rate of inbound traffic. Unit: bit/s.

42

in_packet_bytes

The size of inbound traffic. Unit: bytes.

58

in_packet_count

The number of packets in inbound traffic.

1

in_pps

The average transmission rate of inbound packets. Unit: packets per second.

Note

If the transmission rate is less than 1 packet/second, this field displays 0 and does not show decimal places.

1

ip_protocol

The IP protocol type. Valid values:

  • tcp

  • udp

  • icmp

tcp

ips_ai_rule_id

The ID of the access control policy, generated by Artificial Intelligence Recommendation, that the traffic hits.

If the value is 00000000-0000-0000-0000-000000000000, no access control policy generated by Artificial Intelligence Recommendation is hit.

00000000-0000-0000-0000-000000000000

ips_rule_id

The ID of the intrusion prevention rule that the traffic hits.

If the value is 00000000-0000-0000-0000-000000000000, no intrusion prevention rule is matched or hit.

00000000-0000-0000-0000-000000000000

ips_rule_name

The Chinese name of the intrusion prevention rule that the traffic hits.

Mining behavior on the host

ips_rule_name_en

The English name of the intrusion prevention rule that the traffic hits.

Mining behavior on the host

log_type

The log type. Valid values:

  • internet_log: logs of the Internet firewall

  • vpc_firewall_log: logs of VPC firewalls

  • nat_firewall_log: logs of NAT firewalls

  • dns_firewall_log: logs of the DNS firewall

  • ipv6_firewall_log: traffic protection logs for IPv6 assets

internet_log

loose_allow_acl_id

The ID of the pre-matched access control policy, that is, the policy that allowed the traffic before its application was identified. Valid values:

  • 00000000-0000-0000-0000-000000000000: No unidentified traffic was allowed.

  • Other values: Unidentified traffic was allowed, and the value is the ID of the policy that allowed it.

00000000-0000-0000-0000-000000000000

new_conn

Indicates whether a new connection is established. Valid values:

  • 1: Yes

  • 0: No

1

out_bps

The rate of outbound traffic. Unit: bit/s.

0

out_packet_bytes

The size of outbound traffic. Unit: bytes.

0

out_packet_count

The number of packets in outbound traffic.

0

out_pps

The average transmission rate of outbound packets. Unit: packets per second.

Note

If the transmission rate is less than 1 packet/second, this field displays 0 and does not show decimal places.

0

region_id

The region ID. For more information about region IDs, see Supported regions.

  • If the value of direction is in, this field indicates the ID of the region to which the traffic is destined.

  • If the value of direction is out, this field indicates the ID of the region from which the traffic originates.

cn-beijing

rule_result

The action that is performed on the traffic that hits an access control policy. Valid values:

  • pass: Allow

  • alert: Monitor

  • drop: Deny

The action that is performed on the traffic that triggers an intrusion prevention event. Valid values:

  • alert: Alert

  • drop: Block

alert

rule_source

The source of the policy that the traffic hits. Valid values:

  • basic_acl: Access control

  • dns_acl_rule: Access control policy for the DNS firewall

  • intelligence: Threat intelligence

  • ips_basic_rule: Basic protection

  • virtual_patch: Virtual patching

  • unknown: Unknown

basic_acl

src_ip

The source IP address of the traffic.

167.94.XX.XX

src_network_instance_id

The source network instance of the traffic.

vpc-bp18ina819injc9zs****

src_port

The source port of the traffic. This is the port on the host from which the traffic is sent.

47915

src_region

The source region of the traffic.

cn-beijing

src_vpc_id

The ID of the source VPC.

vpc-bp18ina819injc9zs****

start_time

The time when the session starts. This value is a UNIX timestamp. Unit: seconds.

1701759171

start_time_min

The start time of the session, truncated to the minute. This value is a UNIX timestamp. Unit: seconds.

1701759120

tcp_seq

The TCP sequence number.

388367****

total_bps

The total transmission rate of inbound and outbound traffic. Unit: bit/s.

42

total_packet_bytes

The total size of inbound and outbound traffic. Unit: bytes.

58

total_packet_count

The total number of packets in inbound and outbound traffic.

1

total_pps

The average transmission rate of inbound and outbound packets. Unit: packets per second.

Note

If the transmission rate is less than 1 packet/second, this field displays 0 and does not show decimal places.

0

url

The URL of the website on the Internet that the server accesses.

Note

This field is displayed only when the value of app_name is HTTP.

http://aliyundoc.com/index.html

vul_level

The risk level of the vulnerability that is hit by malicious traffic. Valid values:

  • 0: No vulnerability exploit traffic is detected.

  • 1: Low-risk vulnerability exploit traffic.

  • 2: Medium-risk vulnerability exploit traffic.

  • 3: High-risk vulnerability exploit traffic.

1
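As an added example (not code from the original page or from Cloud Firewall itself), the following Python triage pass applies the documented field semantics: the all-zero sentinel shared by acl_rule_id, ips_rule_id and loose_allow_acl_id, the direction-dependent meaning of country_id and region_id, and the relations between start_time and start_time_min and between total_packet_bytes and its in/out parts. The sample records, the IPS rule and loose-allow policy IDs, and the country code are constructed.

```python
# Added example, not from the original page: triage of Cloud Firewall traffic-log
# records using the field semantics above. Samples are constructed; Logstore values
# are strings, so numeric fields are parsed where they are compared.
NULL_ID = "00000000-0000-0000-0000-000000000000"  # documented "no rule hit" sentinel
VUL_LEVELS = {"0": "none", "1": "low", "2": "medium", "3": "high"}

def sides(rec):
    """Resolve direction-dependent fields into asset vs. remote side."""
    # country_id always describes the remote side and region_id the asset side
    # (origin for in, destination for out); only the IP/port pairs swap.
    src, dst = (rec["src_ip"], rec["src_port"]), (rec["dst_ip"], rec["dst_port"])
    remote, asset = (src, dst) if rec["direction"] == "in" else (dst, src)
    return {"remote": remote, "remote_country": rec["country_id"],
            "asset": asset, "asset_region": rec["region_id"]}

def consistency_errors(rec):
    """Checks to run before trusting a record's derived fields."""
    errs = []
    st = int(rec["start_time"])
    if int(rec["start_time_min"]) != st - st % 60:
        errs.append("start_time_min is not start_time truncated to the minute")
    if int(rec["total_packet_bytes"]) != int(rec["in_packet_bytes"]) + int(rec["out_packet_bytes"]):
        errs.append("total_packet_bytes != in_packet_bytes + out_packet_bytes")
    return errs

def triage(rec):
    """Return the reasons a record deserves analyst attention (empty = none)."""
    reasons = []
    if rec["ips_rule_id"] != NULL_ID:
        reasons.append(f"ips {rec['rule_result']}: {rec['ips_rule_name_en']}")
    if VUL_LEVELS.get(rec["vul_level"]) in ("medium", "high"):
        reasons.append(f"{VUL_LEVELS[rec['vul_level']]}-risk vulnerability exploit traffic")
    if rec["acl_rule_id"] == NULL_ID and rec["loose_allow_acl_id"] != NULL_ID:
        reasons.append(f"unidentified traffic allowed by policy {rec['loose_allow_acl_id']}")
    return reasons

BASE = {  # constructed benign inbound HTTPS session; IPs and IDs masked like the page's examples
    "direction": "in", "src_ip": "167.94.XX.XX", "src_port": "47915", "dst_ip": "39.108.XX.XX",
    "dst_port": "443", "country_id": "US", "region_id": "cn-beijing",
    "start_time": "1701759171", "start_time_min": "1701759120",
    "in_packet_bytes": "58", "out_packet_bytes": "0", "total_packet_bytes": "58",
    "acl_rule_id": "073a1475-6e11-43e2-8b28-98cee9c6****", "loose_allow_acl_id": NULL_ID,
    "ips_rule_id": NULL_ID, "ips_rule_name_en": "", "rule_result": "pass", "vul_level": "0",
}
ALERTED = dict(BASE, ips_rule_id="IPS-RULE-ID-PLACEHOLDER", rule_result="alert",
               ips_rule_name_en="Mining behavior on the host", vul_level="3")
LOOSE = dict(BASE, direction="out", acl_rule_id=NULL_ID, total_packet_bytes="59",  # bad total
             loose_allow_acl_id="LOOSE-ACL-ID-PLACEHOLDER")
```

Run consistency_errors before triage so that a record whose counters or timestamps disagree is quarantined rather than scored.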

References

  • You can enable the log analysis feature of Cloud Firewall. For more information, see Enable the log analysis feature.

  • You can query and analyze collected logs in real time to monitor for traffic exceptions and protect your assets. For more information, see Query and analyze logs.

  • You can export log query and analysis results to your computer or deliver them to Object Storage Service (OSS). For more information, see Export logs.