
Simple Log Service: Log fields

Last Updated: Apr 29, 2024

This topic describes the fields of website access, attack, and protection logs in Web Application Firewall (WAF).

Log field

Description

__topic__

The topic of the log. The value is fixed as waf_access_log.

account_action

The action that is performed on the client request after an account security rule is triggered. The value is fixed as block, which indicates that the request is blocked. For more information, see Description of the action field.

account_rule_id

The ID of the account security rule that is triggered.

account_test

The protection mode that is used for the client request after an account security rule is triggered. Valid values:

  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed.

  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.

acl_action

The action that is performed on the client request after a rule created for the blacklist or custom protection policy (ACL) feature is triggered. Valid values: block, captcha_strict, captcha, js, captcha_strict_pass, captcha_pass, and js_pass. For more information, see Description of the action field.

acl_rule_id

The ID of the rule that is triggered. The rule is created for the blacklist or ACL feature.

acl_rule_type

The type of the rule that is triggered. The rule is created for the blacklist or ACL feature. Valid values:

  • custom: indicates a rule that is created for the ACL feature.

  • blacklist: indicates a rule that is created for the blacklist feature.

acl_test

The protection mode that is used for the client request after a rule created for the blacklist or ACL feature is triggered. Valid values:

  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed.

  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.

algorithm_rule_id

The ID of the rule that is triggered. The rule is created for the typical bot behavior identification feature.

antiscan_action

The action that is performed on the client request after a rule created for the scan protection feature is triggered. The value is fixed as block, which indicates that the request is blocked. For more information, see Description of the action field.

antiscan_rule_id

The ID of the rule that is triggered. The rule is created for the scan protection feature.

antiscan_rule_type

The type of the rule that is triggered. The rule is created for the scan protection feature. Valid values:

  • highfreq: indicates a rule that blocks IP addresses from which web attacks are frequently initiated.

  • dirscan: indicates a rule that defends against path traversals.

  • scantools: indicates a rule that blocks the IP addresses of scanning tools.

  • collaborative: indicates a collaborative defense rule.

antiscan_test

The protection mode that is used for the client request after a rule created for the scan protection feature is triggered. Valid values:

  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed.

  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.

block_action

The WAF protection feature that is triggered to block the request.

Important

This field is no longer valid due to WAF upgrades. The final_plugin field replaces this field. If the block_action field is used in your services, replace the field with final_plugin at the earliest opportunity.

Valid values:

  • tmd: indicates the HTTP flood protection feature.

  • waf: indicates the web attack protection feature.

  • acl: indicates the custom protection policy feature.

  • deeplearning: indicates the Deep Learning Engine.

  • antiscan: indicates the scan protection feature.

  • antifraud: indicates the data risk control feature.

  • antibot: indicates the bot management feature.

body_bytes_sent

The number of bytes in the body of the client request.

bypass_matched_ids

The ID of the rule that is triggered to allow the client request. The rule can be a whitelist rule or a custom protection rule that allows the request.

If multiple rules are triggered at the same time to allow the request, this field records the IDs of all the rules. Multiple IDs are separated by commas (,).

cc_action

The action that is performed on the client request after a rule created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature is triggered. Valid values: block, captcha, js, captcha_pass, and js_pass. For more information, see Description of the action field.

cc_blocks

Indicates whether the client request is blocked by the HTTP flood protection feature. Valid values:

  • 1: The request is blocked.

  • Any other value: The request is allowed.

cc_rule_id

The ID of the rule that is triggered. The rule is created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature.

cc_rule_type

The type of the rule that is triggered. The rule is created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature. Valid values:

  • custom: indicates a custom protection rule (HTTP Flood Protection).

  • system: indicates an HTTP flood protection rule.

cc_test

The protection mode that is used for the client request after a rule created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature is triggered. Valid values:

  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed.

  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.

content_type

The type of the requested content.

deeplearning_action

The action that is performed on the client request after a rule created for the Deep Learning Engine is triggered. The value is fixed as block, which indicates that the request is blocked. For more information, see Description of the action field.

deeplearning_rule_id

The ID of the rule that is triggered. The rule is created for the Deep Learning Engine.

deeplearning_rule_type

The type of the rule that is triggered. The rule is created for the Deep Learning Engine. Valid values:

  • xss: indicates a rule that defends against cross-site scripting (XSS) attacks.

  • code_exec: indicates a rule that defends against attacks that exploit code execution vulnerabilities.

  • webshell: indicates a rule that defends against webshell uploads.

  • sqli: indicates a rule that defends against SQL injection.

  • lfilei: indicates a rule that defends against local file inclusion.

  • rfilei: indicates a rule that defends against remote file inclusion.

  • crlf: indicates a rule that defends against carriage return line feed (CRLF) injection.

  • other: indicates other protection rules.

deeplearning_test

The protection mode that is used for the client request after a rule created for the Deep Learning Engine is triggered. Valid values:

  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed.

  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.

dlp_rule_id

The ID of the rule that is triggered. The rule is created for the data leakage prevention feature.

dlp_test

The protection mode that is used for the client request after a rule created for the data leakage prevention feature is triggered. Valid values:

  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed.

  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.

final_rule_type

The subtype of the rule that is applied to the client request. The rule is indicated by final_rule_id.

For example, final_plugin:waf supports final_rule_type:sqli and final_rule_type:xss.

final_rule_id

The ID of the rule that is applied to the client request. The rule defines the action recorded in the final_action field.

final_action

The action that WAF performs on the client request. Valid values: block, captcha_strict, captcha, and js. For more information, see Description of the action field.

If a request does not trigger a protection feature, the field is not recorded. For example, if a request matches a rule that allows the request or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded.

If a request triggers multiple protection features at the same time, the field records only the action that is actually performed, which is the one with the highest priority. The actions in descending order of priority are: block (block), captcha_strict (strict slider CAPTCHA verification), captcha (common slider CAPTCHA verification), and js (JavaScript verification).

final_plugin

The protection feature that performs the action specified by final_action on the client request. Valid values:

  • waf: indicates the Protection Rules Engine.

  • deeplearning: indicates the Deep Learning Engine.

  • dlp: indicates the data leakage prevention feature.

  • account: indicates the account security feature.

  • normalized: indicates the positive security model feature.

  • acl: indicates the blacklist or ACL feature.

  • cc: indicates the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature.

  • antiscan: indicates the scan protection feature.

  • scene: indicates the scenario-specific configuration feature.

  • antifraud: indicates the data risk control feature.

  • intelligence: indicates the bot threat intelligence feature.

  • algorithm: indicates the typical bot behavior identification feature.

  • wxbb: indicates the app protection feature.

If a request does not trigger a protection feature, the field is not recorded. For example, if a request matches a rule that allows the request or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded.

If a request triggers multiple protection features at the same time, the field is recorded, and the field includes only the protection feature that performs the action specified by final_action.

host

The Host field of the request header. This field contains the domain name or IP address to access. The value of this field varies based on your service settings.

http_cookie

The Cookie field of the request header. This field contains the cookie information about the client.

http_referer

The Referer field of the request header. This field contains the source URL information about the request.

If the request does not contain source URL information, the value of this field is a hyphen (-).

http_user_agent

The User-Agent field of the request header. This field contains information such as the identifier of the client browser or operating system.

http_x_forwarded_for

The X-Forwarded-For (XFF) field of the request header. This field is used to identify the actual IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing device.

https

Indicates whether the request is an HTTPS request. Valid values:

  • true: The request is an HTTPS request.

  • false: The request is an HTTP request.

matched_host

The domain name of the origin server that is matched by WAF for the request. A wildcard domain name may be matched.

  • If no domain names are matched, the value of this field is a hyphen (-).

  • If the value is default, the domain name was added to WAF in transparent proxy mode and the traffic hit the default protection policies that WAF provides.

normalized_action

The action that is performed on the client request after a rule created for the positive security model feature is triggered. Valid values: block and continue. For more information, see Description of the action field.

normalized_rule_id

The ID of the rule that is triggered. The rule is created for the positive security model feature.

normalized_rule_type

The type of the rule that is triggered. The rule is created for the positive security model feature. Valid values:

  • User-Agent: indicates a User-Agent-based baseline rule. If the User-Agent field of a request header does not conform to the baseline, an attack may be in progress. The same applies to the other rule types.

  • Referer: indicates a Referer-based baseline rule.

  • URL: indicates a URL-based baseline rule.

  • Cookie: indicates a cookie-based baseline rule.

  • Bod: indicates a request body-based baseline rule.

normalized_test

The protection mode that is used for the client request after a rule created for the positive security model feature is triggered. Valid values:

  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed.

  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.

querystring

The query string in the client request. The query string refers to the part that follows the question mark (?) in the requested URL.

real_client_ip

The actual IP address of the client that initiates the request. WAF identifies the actual IP address based on the analysis of the request.

If WAF cannot identify the actual IP address of the client, the value of this field is a hyphen (-). For example, if a proxy server is used or the IP field in the request header is invalid, WAF cannot identify the actual IP address of the client.

region

The ID of the region where the WAF instance resides. Valid values:

  • cn: Chinese mainland

  • int: outside the Chinese mainland

remote_addr

The IP address that is used to connect to WAF.

If WAF is directly connected to a client, this field records the actual IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN (CDN), is deployed in front of WAF, this field records the IP address of the proxy.

remote_port

The port that is used to connect to WAF.

If WAF is directly connected to a client, this field records the port of the client. If a Layer 7 proxy, such as CDN, is deployed in front of WAF, this field records the port of the proxy.

request_length

The number of bytes in the client request. The request includes the request line, request headers, and request body. Unit: bytes.

request_method

The request method.

request_path

The requested relative path. The relative path refers to the part between the domain name and the question mark (?) in the requested URL. The relative path does not include the query string.

request_time_msec

The time that is taken by WAF to process the client request. Unit: milliseconds.

request_traceid

The unique identifier that is generated by WAF for the client request.

scene_action

The action that is performed on the client request after a rule created for scenario-specific configuration is triggered. Valid values: block, captcha, js, captcha_pass, and js_pass. For more information, see Description of the action field.

scene_id

The scenario ID of the rule that is triggered. The rule is created for scenario-specific configuration.

scene_rule_id

The ID of the rule that is triggered. The rule is created for scenario-specific configuration.

scene_rule_type

The type of the rule that is triggered. The rule is created for scenario-specific configuration. Valid values:

  • bot_aialgo: indicates an intelligent protection rule.

  • js: indicates a rule that blocks script-based bots.

  • intelligence: indicates a rule that blocks attacks based on bot threat intelligence or data center blacklists.

  • sdk: indicates a rule that checks for abnormal signatures of SDK-integrated apps and abnormal device behaviors.

  • cc: indicates an IP address-based throttling rule or a custom session-based throttling rule.

scene_test

The protection mode that is used for the client request after a rule created for scenario-specific configuration is triggered. Valid values:

  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed.

  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.

server_port

The requested destination port.

server_protocol

The protocol and version that are used by the origin server to respond to the request forwarded by WAF.

ssl_cipher

The cipher suite that is used in the client request.

ssl_protocol

The SSL or TLS protocol and version that are used in the client request.

status

The HTTP status code that is returned by WAF to the client.

time

The point in time at which the client request is initiated.

ua_browser

The name of the browser that initiates the request.

ua_browser_family

The family to which the browser belongs.

ua_browser_type

The type of the browser that initiates the request.

ua_browser_version

The version of the browser that initiates the request.

ua_device_type

The device type of the client that initiates the request.

ua_os

The operating system of the client that initiates the request.

ua_os_family

The family to which the operating system of the client belongs.

upstream_addr

The back-to-origin addresses used by WAF. Each address is in the IP:Port format.

Multiple addresses are separated by commas (,).

upstream_response_time

The time that is taken by the origin server to respond to the request. The request is forwarded by WAF. Unit: seconds.

If a hyphen (-) is returned, the response timed out.

upstream_status

The status code that is returned by the origin server to WAF.

If a hyphen (-) is returned, the request did not receive a response from the origin server, for example because WAF blocked the request.

user_id

The ID of the Alibaba Cloud account to which the WAF instance belongs.

waf_action

The action that is performed on the client request after a rule created for the Protection Rules Engine is triggered. The value is fixed as block, which indicates that the request is blocked. For more information, see Description of the action field.

waf_test

The protection mode that is used for the client request after a rule created for the Protection Rules Engine is triggered. Valid values:

  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed.

  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.

waf_rule_id

The ID of the rule that is triggered. The rule is created for the Protection Rules Engine.

waf_rule_type

The type of the rule that is triggered. The rule is created for the Protection Rules Engine. Valid values:

  • xss: indicates a rule that defends against XSS attacks.

  • code_exec: indicates a rule that defends against attacks that exploit code execution vulnerabilities.

  • webshell: indicates a rule that defends against webshell uploads.

  • sqli: indicates a rule that defends against SQL injection.

  • lfilei: indicates a rule that defends against local file inclusion.

  • rfilei: indicates a rule that defends against remote file inclusion.

  • crlf: indicates a rule that defends against CRLF injection.

  • other: indicates other protection rules.
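As an added example (not part of this page or of WAF itself), the following Python triages JSON-formatted records that use the fields above: it picks the client IP per the real_client_ip and remote_addr descriptions, lists plugins whose rule matched only in observation mode (<plugin>_test is true), and checks that final_action and final_plugin agree with the priority order given under final_action. It assumes one JSON object per line, that unset fields are simply absent, and that a plugin in observation mode does not contribute to final_action because no action is performed; the sample records are constructed.

```python
import json

# Enforced actions in descending priority, as listed under final_action.
ACTION_PRIORITY = ["block", "captcha_strict", "captcha", "js"]
# Plugins that expose <plugin>_action, <plugin>_test and <plugin>_rule_id fields.
PLUGINS = ["waf", "deeplearning", "account", "normalized", "acl", "cc", "antiscan", "scene"]

# Constructed sample records (one JSON object per line); not real traffic.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"request_traceid": "t1", "real_client_ip": "203.0.113.7", "remote_addr": "198.51.100.9",
     "waf_rule_id": "100001", "waf_action": "block", "waf_test": "false",
     "cc_rule_id": "200002", "cc_action": "captcha", "cc_test": "false",
     "final_action": "block", "final_plugin": "waf", "upstream_status": "-"},
    {"request_traceid": "t2", "real_client_ip": "-", "remote_addr": "198.51.100.9",
     "acl_rule_id": "300003", "acl_action": "block", "acl_test": "true", "upstream_status": "200"},
    {"request_traceid": "t3", "real_client_ip": "203.0.113.8", "remote_addr": "203.0.113.8",
     "scene_rule_id": "400004", "scene_action": "js_pass", "scene_test": "false"},
])

def parse_log(text):
    """One JSON object per line -> list of dicts; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def client_ip(rec):
    """real_client_ip is '-' when WAF could not determine it; fall back to remote_addr
    (which is the proxy's address when a CDN sits in front of WAF)."""
    ip = rec.get("real_client_ip", "-")
    return ip if ip != "-" else rec.get("remote_addr", "-")

def enforced_actions(rec):
    """Per-plugin actions actually enforced: skips *_pass/continue (client passed the
    check) and, by assumption, plugins running in observation mode."""
    return {p: rec.get(f"{p}_action") for p in PLUGINS
            if rec.get(f"{p}_action") in ACTION_PRIORITY and rec.get(f"{p}_test") != "true"}

def expected_final(rec):
    """Highest-priority enforced action and the plugin that owns it, or (None, None)."""
    acts = enforced_actions(rec)
    for action in ACTION_PRIORITY:
        for plugin, a in acts.items():
            if a == action:
                return action, plugin
    return None, None

def observation_only_hits(rec):
    """Plugins whose rule matched in observation mode: logged, but the request still
    reached the origin. Review these before switching the rule to prevention mode."""
    return [p for p in PLUGINS if rec.get(f"{p}_rule_id") and rec.get(f"{p}_test") == "true"]

def triage(text):
    """Summarise each record and flag final_action/final_plugin inconsistencies."""
    rows = []
    for rec in parse_log(text):
        action, plugin = expected_final(rec)
        rows.append({
            "trace": rec.get("request_traceid"),
            "client_ip": client_ip(rec),
            "consistent": (rec.get("final_action"), rec.get("final_plugin")) == (action, plugin),
            "observation_only": observation_only_hits(rec),
        })
    return rows
```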