This topic describes the fields of website access, attack, and protection logs.

Log field Description
__topic__ The topic of the log. The value is fixed as waf_access_log.
account_action The action that is performed on the client request after an account security rule is triggered. The value is fixed as block, which indicates that the request is blocked. For more information, see Description of the action field.
account_rule_id The ID of the account security rule that is triggered.
account_test The protection mode that is used for the client request after an account security rule is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
acl_action The action that is performed on the client request after a rule created for the blacklist or custom protection policy (ACL) feature is triggered. Valid values: block, captcha_strict, captcha, js, captcha_strict_pass, captcha_pass, and js_pass. For more information, see Description of the action field.
acl_rule_id The ID of the rule that is triggered. The rule is created for the blacklist or custom protection policy (ACL) feature.
acl_rule_type The type of the rule that is triggered. The rule is created for the blacklist or custom protection policy (ACL) feature. Valid values:
  • custom: indicates a rule that is created for the custom protection policy (ACL) feature.
  • blacklist: indicates a rule that is created for the blacklist feature.
acl_test The protection mode that is used for the client request after a rule created for the blacklist or custom protection policy (ACL) feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
algorithm_rule_id The ID of the rule that is triggered. The rule is created for the typical bot behavior identification feature.
antiscan_action The action that is performed on the client request after a rule created for the scan protection feature is triggered. The value is fixed as block, which indicates that the request is blocked. For more information, see Description of the action field.
antiscan_rule_id The ID of the rule that is triggered. The rule is created for the scan protection feature.
antiscan_rule_type The type of the rule that is triggered. The rule is created for the scan protection feature. Valid values:
  • highfreq: indicates a rule that blocks IP addresses from which web attacks are frequently initiated.
  • dirscan: indicates a rule that defends against path traversals.
  • scantools: indicates a rule that blocks the IP addresses of scanning tools.
  • collaborative: indicates a collaborative defense rule.
antiscan_test The protection mode that is used for the client request after a rule created for the scan protection feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
block_action The WAF protection feature that is triggered to block the request.
Notice: This field is no longer valid due to WAF upgrades. The final_plugin field replaces this field. If the block_action field is used in your services, replace the field with final_plugin at the earliest opportunity. Valid values:
  • tmd: indicates the HTTP flood protection feature.
  • waf: indicates the web attack protection feature.
  • acl: indicates the custom protection policy feature.
  • deeplearning: indicates the Deep Learning Engine.
  • antiscan: indicates the scan protection feature.
  • antifraud: indicates the data risk control feature.
  • antibot: indicates the bot management feature.
body_bytes_sent The number of bytes in the body of the client request.
bypass_matched_ids The ID of the rule that is triggered to allow the client request. The rule can be a whitelist rule or a custom protection rule that allows the request.

If multiple rules are triggered at the same time to allow the request, this field records the IDs of all the rules. Multiple IDs are separated by commas (,).

cc_action The action that is performed on the client request after a rule created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature is triggered. Valid values: block, captcha, js, captcha_pass, and js_pass. For more information, see Description of the action field.
cc_blocks Indicates whether the client request is blocked by the HTTP flood protection feature. Valid values:
  • 1: The request is blocked.
  • A different value: The request is allowed.
cc_rule_id The ID of the rule that is triggered. The rule is created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature.
cc_rule_type The type of the rule that is triggered. The rule is created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature. Valid values:
  • custom: indicates a custom protection rule (HTTP Flood Protection).
  • system: indicates an HTTP flood protection rule.
cc_test The protection mode that is used for the client request after a rule created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
content_type The type of the requested content.
deeplearning_action The action that is performed on the client request after a rule created for the Deep Learning Engine is triggered. The value is fixed as block, which indicates that the request is blocked. For more information, see Description of the action field.
deeplearning_rule_id The ID of the rule that is triggered. The rule is created for the Deep Learning Engine.
deeplearning_rule_type The type of the rule that is triggered. The rule is created for the Deep Learning Engine. Valid values:
  • xss: indicates a rule that defends against cross-site scripting (XSS) attacks.
  • code_exec: indicates a rule that defends against specific attacks. The attacks exploit code execution vulnerabilities.
  • webshell: indicates a rule that defends against webshell uploads.
  • sqli: indicates a rule that defends against SQL injection.
  • lfilei: indicates a rule that defends against local file inclusion.
  • rfilei: indicates a rule that defends against remote file inclusion.
  • crlf: indicates a rule that defends against carriage return line feed (CRLF) injection.
  • other: indicates other protection rules.
deeplearning_test The protection mode that is used for the client request after a rule created for the Deep Learning Engine is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
dlp_rule_id The ID of the rule that is triggered. The rule is created for the data leakage prevention feature.
dlp_test The protection mode that is used for the client request after a rule created for the data leakage prevention feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
final_rule_type The subtype of the rule that is applied to the client request. The rule is indicated by final_rule_id.

For example, final_plugin:waf supports final_rule_type:sqli and final_rule_type:xss.

final_rule_id The ID of the rule that is applied to the client request. The rule defines the action recorded in the final_action field.
final_action The action that WAF performs on the client request. Valid values: block, captcha_strict, captcha, and js. For more information, see Description of the action field.

If a request does not trigger a protection feature, the field is not recorded. For example, if a request matches a rule that allows the request or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded.

If a request triggers multiple protection features at the same time, the field is recorded, and the field includes only the action that is performed. The following actions are listed in descending order of priority: block (block), captcha_strict (strict slider CAPTCHA verification), captcha (common slider CAPTCHA verification), and js (JavaScript verification).

final_plugin The protection feature that performs the action specified by final_action on the client request. Valid values:
  • waf: indicates the Protection Rules Engine.
  • deeplearning: indicates the Deep Learning Engine.
  • dlp: indicates the data leakage prevention feature.
  • account: indicates the account security feature.
  • normalized: indicates the positive security model feature.
  • acl: indicates the blacklist or custom protection policy (ACL) feature.
  • cc: indicates the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature.
  • antiscan: indicates the scan protection feature.
  • scene: indicates the scenario-specific configuration feature.
  • antifraud: indicates the data risk control feature.
  • intelligence: indicates the bot threat intelligence feature.
  • algorithm: indicates the typical bot behavior identification feature.
  • wxbb: indicates the app protection feature.

To configure the preceding protection features, log on to the Web Application Firewall console and choose Protection Settings > Website Protection in the left-side navigation pane. For more information about WAF protection features, see Overview of website protection.

If a request does not trigger a protection feature, the field is not recorded. For example, if a request matches a rule that allows the request or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded.

If a request triggers multiple protection features at the same time, the field is recorded, and the field includes only the protection feature that performs the action specified by final_action.

host The Host field of the request header. This field contains the domain name or IP address to access. The value of this field varies based on your service settings.
http_cookie The Cookie field of the request header. This field contains the cookie information about the client.
http_referer The Referer field of the request header. This field contains the source URL information about the request.

If the request does not contain source URL information, the value of this field is a hyphen (-).

http_user_agent The User-Agent field of the request header. This field contains information such as the identifier of the client browser or operating system.
http_x_forwarded_for The X-Forwarded-For (XFF) field of the request header. This field is used to identify the actual IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing device.
https Indicates whether the request is an HTTPS request. Valid values:
  • true: The request is an HTTPS request.
  • false: The request is an HTTP request.
matched_host The domain name of the origin server that is matched by WAF for the request. A wildcard domain name may be matched. If no domain names are matched, the value of this field is a hyphen (-).
normalized_action The action that is performed on the client request after a rule created for the positive security model feature is triggered. Valid values: block and continue. For more information, see Description of the action field.
normalized_rule_id The ID of the rule that is triggered. The rule is created for the positive security model feature.
normalized_rule_type The type of the rule that is triggered. The rule is created for the positive security model feature. Valid values:
  • User-Agent: indicates a User-Agent-based baseline rule. If the User-Agent field of a request header does not conform to the baseline, an attack may occur. The same description applies to the other rule types.
  • Referer: indicates a Referer-based baseline rule.
  • URL: indicates a URL-based baseline rule.
  • Cookie: indicates a cookie-based baseline rule.
  • Bod: indicates a request body-based baseline rule.
normalized_test The protection mode that is used for the client request after a rule created for the positive security model feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
querystring The query string in the client request. The query string refers to the part that follows the question mark (?) in the requested URL.
real_client_ip The actual IP address of the client that initiates the request. WAF identifies the actual IP address based on the analysis of the request.

If WAF cannot identify the actual IP address of the client, the value of this field is a hyphen (-). For example, if a proxy server is used or the IP field in the request header is invalid, WAF cannot identify the actual IP address of the client.

region The ID of the region where the WAF instance resides. Valid values:
  • cn: Chinese mainland
  • int: outside the Chinese mainland
remote_addr The IP address that is used to connect to WAF.

If WAF is directly connected to a client, this field records the actual IP address of the client. If a Layer 7 proxy, such as Content Delivery Network (CDN), is deployed in front of WAF, this field records the IP address of the proxy.

remote_port The port that is used to connect to WAF.

If WAF is directly connected to a client, this field records the port of the client. If a Layer 7 proxy, such as CDN, is deployed in front of WAF, this field records the port of the proxy.

request_length The number of bytes in the client request. The request includes the request line, request headers, and request body. Unit: bytes.
request_method The request method.
request_path The requested relative path. The relative path refers to the part between the domain name and the question mark (?) in the requested URL. The relative path does not include the query string.
request_time_msec The time that is taken by WAF to process the client request. Unit: milliseconds.
request_traceid The unique identifier that is generated by WAF for the client request.
scene_action The action that is performed on the client request after a rule created for scenario-specific configuration is triggered. Valid values: block, captcha, js, captcha_pass, and js_pass. For more information, see Description of the action field.
scene_id The scenario ID of the rule that is triggered. The rule is created for scenario-specific configuration.
scene_rule_id The ID of the rule that is triggered. The rule is created for scenario-specific configuration.
scene_rule_type The type of the rule that is triggered. The rule is created for scenario-specific configuration. Valid values:
  • bot_aialgo: indicates an intelligent protection rule.
  • js: indicates a rule that blocks script-based bots.
  • intelligence: indicates a rule that blocks attacks based on bot threat intelligence or data center blacklists.
  • sdk: indicates a rule that checks for abnormal signatures of SDK-integrated apps and abnormal device behaviors.
  • cc: indicates an IP address-based throttling rule or a custom session-based throttling rule.
scene_test The protection mode that is used for the client request after a rule created for scenario-specific configuration is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
server_port The requested destination port.
server_protocol The protocol and version that are used by the origin server to respond to the request forwarded by WAF.
ssl_cipher The cipher suite that is used in the client request.
ssl_protocol The SSL or TLS protocol and version that are used in the client request.
status The HTTP status code that is returned by WAF to the client.
time The point in time at which the client request is initiated.
ua_browser The name of the browser that initiates the request.
ua_browser_family The family to which the browser belongs.
ua_browser_type The type of the browser that initiates the request.
ua_browser_version The version of the browser that initiates the request.
ua_device_type The device type of the client that initiates the request.
ua_os The operating system of the client that initiates the request.
ua_os_family The family to which the operating system of the client belongs.
upstream_addr The back-to-origin addresses used by WAF. Each address is in the IP:Port format.

Multiple addresses are separated by commas (,).

upstream_response_time The time that is taken by the origin server to respond to the request. The request is forwarded by WAF. Unit: seconds.

If a hyphen (-) is returned, the response timed out.

upstream_status The status code that is returned by the origin server to WAF.

If a hyphen (-) is returned, the request received no response. For example, the request is blocked by WAF.

user_id The ID of the Alibaba Cloud account to which the WAF instance belongs.
waf_action The action that is performed on the client request after a rule created for the Protection Rules Engine is triggered. The value is fixed as block, which indicates that the request is blocked. For more information, see Description of the action field.
waf_test The protection mode that is used for the client request after a rule created for the Protection Rules Engine is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
waf_rule_id The ID of the rule that is triggered. The rule is created for the Protection Rules Engine.
waf_rule_type The type of the rule that is triggered. The rule is created for the Protection Rules Engine. Valid values:
  • xss: indicates a rule that defends against XSS attacks.
  • code_exec: indicates a rule that defends against specific attacks. The attacks exploit code execution vulnerabilities.
  • webshell: indicates a rule that defends against webshell uploads.
  • sqli: indicates a rule that defends against SQL injection.
  • lfilei: indicates a rule that defends against local file inclusion.
  • rfilei: indicates a rule that defends against remote file inclusion.
  • crlf: indicates a rule that defends against CRLF injection.
  • other: indicates other protection rules.
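
The following added example (not part of the original documentation or of any Alibaba Cloud tooling) shows how the fields above combine when triaging a record: final_action and final_plugin give the action performed, the per-feature _test fields separate observation-mode matches from enforced ones, and a hyphen (-) marks an unknown real_client_ip or a missing upstream_status. The verdict labels, the FEATURES list, the sample records and the treatment of a final_plugin whose _test is true as not enforced are assumptions of this sketch; field values are assumed to arrive as strings.

```python
# Prefixes that have <prefix>_rule_id and <prefix>_test fields in the table.
FEATURES = ("account", "acl", "antiscan", "cc", "deeplearning", "dlp",
            "normalized", "scene", "waf")

def present(value):
    """Fields that are missing, empty or a hyphen (-) carry no value."""
    return value not in (None, "", "-")

def triage(record):
    """Summarise one waf_access_log record (a dict of field -> string)."""
    # real_client_ip is "-" when WAF cannot identify the client; fall back to
    # remote_addr, which may be a Layer 7 proxy rather than the client itself.
    ip_source = "real_client_ip" if present(record.get("real_client_ip")) else "remote_addr"
    # Features whose rule matched in observation mode: logged, not enforced.
    observed = [f for f in FEATURES
                if present(record.get(f + "_rule_id"))
                and str(record.get(f + "_test")).lower() == "true"]
    # bypass_matched_ids lists every allow rule that matched, comma-separated.
    bypass = [i.strip() for i in (record.get("bypass_matched_ids") or "").split(",")
              if present(i.strip())]
    action, plugin = record.get("final_action"), record.get("final_plugin")
    # Assumption: a final_plugin that is itself in observation mode did not act.
    if present(action) and plugin not in observed:
        verdict = "enforced"          # final_action was actually performed
    elif observed:
        verdict = "observed_only"     # a rule matched; nothing was done
    elif bypass:
        verdict = "allowed_by_rule"
    else:
        verdict = "no_match"
    return {
        "verdict": verdict,
        "action": action if verdict == "enforced" else None,
        "plugin": plugin if verdict == "enforced" else None,
        "rule": (record.get("final_rule_id"), record.get("final_rule_type")),
        "client_ip": record.get(ip_source, "-"),
        "ip_source": ip_source,
        "observed": observed,
        "bypass_rules": bypass,
        # upstream_status is "-" when the origin never answered, e.g. on a block.
        "origin_responded": present(record.get("upstream_status")),
    }

# Constructed sample records (documentation-range IPs, made-up rule IDs).
SAMPLE_RECORDS = [
    {"__topic__": "waf_access_log", "real_client_ip": "-", "remote_addr": "198.51.100.7",
     "final_action": "block", "final_plugin": "waf", "final_rule_id": "1001",
     "final_rule_type": "sqli", "waf_rule_id": "1001", "waf_test": "false",
     "upstream_status": "-"},
    {"__topic__": "waf_access_log", "real_client_ip": "203.0.113.9",
     "remote_addr": "192.0.2.10", "acl_rule_id": "2002", "acl_action": "block",
     "acl_test": "true", "upstream_status": "200"},
    {"__topic__": "waf_access_log", "real_client_ip": "203.0.113.9",
     "remote_addr": "192.0.2.10", "bypass_matched_ids": "3003,3004",
     "upstream_status": "200"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(triage(rec))
```

When ip_source is remote_addr, the address may belong to a CDN or other Layer 7 proxy, so it should not be used on its own for per-client blocking or attribution.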