
Simple Log Service: WAF access log fields

Last Updated: May 27, 2026

Describes each field in Web Application Firewall (WAF) access logs.

Field

Description

__topic__

Log topic. Fixed value: waf_access_log.

owner_id

Alibaba Cloud account ID.

account_action

Action when a request matches an account security rule. The only valid value is block (the request is blocked). For details, see WAF actions.

account_rule_id

The ID of the account security rule that the request matches.

account_test

Prevention mode for the account security rule that the request matches. Valid values:

  • true: monitor mode. WAF logs the request without blocking.

  • false: prevention mode. WAF blocks or acts on matching requests.

acl_action

Action when a request matches an IP address blacklist or custom ACL rule. Valid values: block, captcha_strict, captcha, js, captcha_strict_pass, captcha_pass, and js_pass. For details, see WAF actions.

acl_rule_id

The ID of the IP address blacklist rule or custom mitigation policy (Accurate Access Control) rule that the request matches.

acl_rule_type

The type of the IP address blacklist rule or custom mitigation policy (Accurate Access Control) rule that the request matches. Valid values:

  • custom: a custom mitigation policy rule for access control (ACL).

  • blacklist: an IP address blacklist rule.

acl_test

Prevention mode for the IP address blacklist rule or custom mitigation policy (Accurate Access Control) rule that the request matches. Valid values:

  • true: monitor mode. WAF logs the request without blocking.

  • false: prevention mode. WAF blocks or acts on matching requests.

algorithm_rule_id

The ID of the bot behavior detection rule that the request matches.

antiscan_action

Action when a request matches a scan protection rule. The only valid value is block (the request is blocked). For details, see WAF actions.

antiscan_rule_id

The ID of the scan protection rule that the request matches.

antiscan_rule_type

The type of the scan protection rule that the request matches. Valid values:

  • highfreq: a rule that blocks high-frequency web attacks.

  • dirscan: a directory traversal protection rule.

  • scantools: a rule that blocks scanning tools.

  • collaborative: a collaborative protection rule.

antiscan_test

Prevention mode for the scan protection rule that the request matches. Valid values:

  • true: monitor mode. WAF logs the request without blocking.

  • false: prevention mode. WAF blocks or acts on matching requests.

block_action

WAF protection module that blocked the request.

Important

This field is deprecated due to a WAF feature upgrade. The final_plugin field is used instead. If you use block_action in your services, replace it with final_plugin as soon as possible.

  • tmd: HTTP flood protection.

  • waf: web application attack prevention.

  • acl: Accurate Access Control.

  • deeplearning: Big Data Deep Learning Engine.

  • antiscan: scan protection.

  • antifraud: data risk control.

  • antibot: web crawler traffic blocking.

body_bytes_sent

Size of the request body in bytes.

bypass_matched_ids

IDs of WAF rules that allow the request to pass, including whitelist rules and custom mitigation policies with the Allow action.

If multiple rules match, all rule IDs are recorded, separated by commas (,).

cc_action

Action when a request matches an HTTP flood protection or custom HTTP flood mitigation rule. Valid values: block, captcha, js, captcha_pass, and js_pass. For details, see WAF actions.

cc_blocks

Whether HTTP flood protection blocked the request. Valid values:

  • 1: The request is blocked.

  • Other values: The request is allowed.

cc_rule_id

The ID of the HTTP flood protection rule or custom mitigation policy (HTTP flood protection) rule that the request matches.

cc_rule_type

The type of the HTTP flood protection rule or custom mitigation policy (HTTP flood protection) rule that the request matches. Valid values:

  • custom: a custom mitigation policy (HTTP flood protection) rule.

  • System CC security protection rule.

cc_test

Prevention mode for the HTTP flood protection rule or custom mitigation policy (HTTP flood protection) rule that the request matches. Valid values:

  • true: monitor mode. WAF logs the request without blocking.

  • false: prevention mode. WAF blocks or acts on matching requests.

content_type

Content type of the request.

deeplearning_action

Action when a request matches a Big Data Deep Learning Engine rule. The only valid value is block (the request is blocked). For details, see WAF actions.

deeplearning_rule_id

The ID of the Big Data Deep Learning Engine rule that the request matches.

deeplearning_rule_type

The type of the Big Data Deep Learning Engine rule that the request matches. Valid values:

  • xss: a cross-site scripting (XSS) protection rule.

  • code_exec: a code execution protection rule.

  • webshell: a webshell protection rule.

  • sqli: an SQL injection protection rule.

  • lfilei: a local file inclusion (LFI) protection rule.

  • rfilei: a remote file inclusion (RFI) protection rule.

  • crlf: a CRLF injection protection rule.

  • other: another type of protection rule.

deeplearning_test

Prevention mode for the Big Data Deep Learning Engine rule that the request matches. Valid values:

  • true: monitor mode. WAF logs the request without blocking.

  • false: prevention mode. WAF blocks or acts on matching requests.

dlp_rule_id

The ID of the data leakage prevention rule that the request matches.

dlp_test

Prevention mode for the data leakage prevention rule that the request matches. Valid values:

  • true: monitor mode. WAF logs the request without blocking.

  • false: prevention mode. WAF blocks or acts on matching requests.

final_rule_type

The subtype of the protection rule (final_rule_id) that WAF finally applies to the client request.

For example, the final_plugin:waf type includes subdivided rule types such as final_rule_type:sqli and final_rule_type:xss.

final_rule_id

The ID of the protection rule that WAF finally applies to the client request. This is the ID of the rule that corresponds to the final_action.

final_action

Final action WAF applies to the request. Valid values: block, captcha_strict, captcha, and js. For details, see WAF actions.

Not recorded if no protection module is triggered, including when a rule allows the request or the client passes a slider or JavaScript (JS) challenge.

If multiple protection modules trigger, only the final action is recorded. Priority (descending): Block (block) > Strict slider challenge (captcha_strict) > Normal slider challenge (captcha) > JS challenge (js).

final_plugin

Protection module corresponding to the final action (final_action) applied to the request. Valid values:

  • waf: Protection Rules Engine.

  • deeplearning: Big Data Deep Learning Engine.

  • dlp: data leakage prevention.

  • account: account security.

  • normalized: proactive protection.

  • ACL: IP address blacklists and custom mitigation policies for access control.

  • cc: HTTP flood protection and custom mitigation policies (HTTP flood protection).

  • antiscan: scan protection.

  • scene: scenario-specific configuration.

  • antifraud: data risk control.

  • intelligence: bot threat intelligence.

  • algorithm: bot behavior detection.

  • wxbb: app protection.

Not recorded if no protection module is triggered, including when a rule allows the request or the client passes a slider or JS challenge.

If multiple protection modules trigger, only the module for the final action (final_action) is recorded.

host

Host header value, indicating the accessed domain name. Can also be an IP address depending on your configuration.

http_cookie

Cookie header from the client request.

http_referer

Referer header, indicating the source URL of the request.

Displays a hyphen (-) if no source URL exists.

http_user_agent

User-Agent header, identifying the client browser and OS.

http_x_forwarded_for

X-Forwarded-For (XFF) header, identifying the originating client IP behind a proxy or load balancer.

https

Whether the request uses HTTPS. Valid values:

  • true: an HTTPS request.

  • false: an HTTP request.

matched_host

Domain name added to WAF that matched the request. Can be a wildcard domain.

  • Displays a hyphen (-) if no domain configuration matches.

  • default: traffic generated after enabling transparent proxy mode, matching WAF default protection rules.

normalized_action

Action when a request matches a proactive protection rule. Valid values: block and continue. For details, see WAF actions.

normalized_rule_id

The ID of the proactive protection rule that the request matches.

normalized_rule_type

The type of the proactive protection rule that the request matches. Valid values:

  • User-Agent: a User-Agent baseline rule. The rule is hit when the User-Agent header of the request is outside the baseline range. The other rule types work the same way for their respective request fields.

  • Referer: a Referer baseline rule.

  • URL: a URL baseline rule.

  • Cookie: a Cookie baseline rule.

  • Body: a Body baseline rule.

normalized_test

Prevention mode for the proactive protection rule that the request matches. Valid values:

  • true: monitor mode. WAF logs the request without blocking.

  • false: prevention mode. WAF blocks or acts on matching requests.

querystring

Query string from the request URL (the part after ?).

real_client_ip

Originating client IP address, determined by WAF from the request. Use this IP directly in your services.

Displays a hyphen (-) if WAF cannot determine the originating IP, such as when the client uses a proxy or the request header IP field is incorrect.

region

Region ID of the WAF instance. Valid values:

  • cn: the Chinese mainland.

  • int: a region outside the Chinese mainland.

remote_addr

IP address used to connect to WAF.

If WAF connects directly to the client, this is the client IP. If a Layer 7 proxy (such as CDN) is deployed before WAF, this is the proxy IP.

remote_port

Port used to connect to WAF.

If WAF connects directly to the client, this is the client port. If a Layer 7 proxy (such as CDN) is deployed before WAF, this is the proxy port.

request_length

Total request size in bytes, including the request line, headers, and body.

request_method

Request method used by the client.

request_path

Relative request path (after the domain, before the query string).

request_time_msec

Time WAF takes to process the request, in milliseconds.

request_traceid

Unique identifier WAF generates for the request.

scene_action

Action when a request matches a scenario-specific configuration rule. Valid values: block, captcha, js, captcha_pass, and js_pass. For details, see WAF actions.

scene_id

The scenario ID that corresponds to the scenario-specific configuration rule that the request matches.

scene_rule_id

The ID of the scenario-specific configuration rule that the request matches.

scene_rule_type

The type of the scenario-specific configuration rule that the request matches. Valid values:

  • bot_aialgo: an intelligent protection rule.

  • js: a simple script filtering rule.

  • intelligence: a rule that matches bot threat intelligence or blocks IP addresses in the IDC blacklist.

  • sdk: a rule for abnormal signatures or device features of an app that has an SDK integrated.

  • cc: an IP address-based rate limiting rule or a custom session-based rate limiting rule.

scene_test

Prevention mode for the scenario-specific configuration rule that the request matches. Valid values:

  • true: monitor mode. WAF logs the request without blocking.

  • false: prevention mode. WAF blocks or acts on matching requests.

server_port

Destination port of the request.

server_protocol

Protocol and version of the origin server response to WAF.

status

HTTP status code WAF returns to the client.

ssl_cipher

Cipher suite used by the client request.

ssl_protocol

SSL/TLS protocol and version used by the client.

time

Time when the request was initiated.

ua_browser

Browser name.

ua_browser_family

Browser family.

ua_browser_type

Browser type.

ua_browser_version

Browser version.

ua_device_type

Client device type.

ua_os

Client operating system.

ua_os_family

Client OS family.

upstream_addr

Origin addresses WAF uses, in IP:Port format.

Multiple addresses are comma-separated.

upstream_response_time

Time for the origin server to respond to WAF, in seconds.

A hyphen (-) indicates a timeout.

upstream_status

Response status the origin server returns to WAF.

A hyphen (-) indicates no response, for example, when WAF blocked the request.

user_id

Alibaba Cloud account ID that owns the WAF instance.

waf_action

Action when a request matches a Protection Rules Engine rule. The only valid value is block (the request is blocked). For details, see WAF actions.

waf_test

Prevention mode for the Protection Rules Engine rule that the request matches. Valid values:

  • true: monitor mode. WAF logs the request without blocking.

  • false: prevention mode. WAF blocks or acts on matching requests.

waf_rule_id

The ID of the Protection Rules Engine rule that the request matches.

waf_rule_type

The type of the Protection Rules Engine rule that the request matches. Valid values:

  • xss: a cross-site scripting (XSS) protection rule.

  • code_exec: a code execution protection rule.

  • webshell: a webshell protection rule.

  • sqli: an SQL injection protection rule.

  • lfilei: a local file inclusion (LFI) protection rule.

  • rfilei: a remote file inclusion (RFI) protection rule.

  • crlf: a CRLF injection protection rule.

  • other: another type of protection rule.
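
The following Python sketch is an added example, not Alibaba Cloud code. It shows how a log consumer might apply the field semantics above to one record: separating monitor-mode hits (*_test is true) from enforced ones, preferring final_plugin over the deprecated block_action, and handling the hyphen (-) placeholder. It assumes the record is already parsed into a dict of strings and that an absent rule ID means the module did not match; the sample record is constructed.

```python
# Added example (not Alibaba Cloud code): triage one WAF access log record,
# given as a dict of field name -> string value.
MODULES = ("account", "acl", "antiscan", "cc", "deeplearning",
           "dlp", "normalized", "scene", "waf")  # have _rule_id and _test
PRIORITY = ("block", "captcha_strict", "captcha", "js")  # strongest first

def present(value):
    """Missing, empty and the '-' placeholder all mean 'no value'."""
    return value not in (None, "", "-")

def triage(record):
    enforced, monitor_only = [], []
    for module in MODULES:
        rule_id = record.get(f"{module}_rule_id")
        if not present(rule_id):  # assumption: no rule ID means no match
            continue
        hit = {"module": module, "rule_id": rule_id,
               "action": record.get(f"{module}_action")}
        # <module>_test == true: monitor mode, the request was only logged.
        in_monitor = str(record.get(f"{module}_test", "")).lower() == "true"
        (monitor_only if in_monitor else enforced).append(hit)
    action = record.get("final_action")
    action = action if present(action) else None
    # Prefer final_plugin; fall back to the deprecated block_action.
    plugin = next((record[k].lower() for k in ("final_plugin", "block_action")
                   if present(record.get(k))), None)
    # real_client_ip is '-' when WAF cannot determine it; use remote_addr then.
    ip = record.get("real_client_ip")
    bypass = record.get("bypass_matched_ids")
    return {
        "client_ip": ip if present(ip) else record.get("remote_addr"),
        "final_action": action,
        "final_plugin": plugin,  # lower-cased: the lists show both ACL and acl
        "severity": PRIORITY.index(action) if action in PRIORITY else None,
        "enforced": enforced,
        "monitor_only": monitor_only,
        "bypass_rule_ids": bypass.split(",") if present(bypass) else [],
    }

# Constructed sample record, not a real log line.
SAMPLE = {"real_client_ip": "-", "remote_addr": "198.51.100.7",
          "final_action": "block", "final_plugin": "ACL",
          "acl_rule_id": "1001", "acl_action": "block", "acl_test": "false",
          "waf_rule_id": "2002", "waf_rule_type": "sqli", "waf_test": "true",
          "bypass_matched_ids": "-"}
```

The monitor_only list is the one to review before switching a rule to prevention mode, since those hits were logged but not acted on.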