Simple Log Service:Log fields

Initial

Field

a

• Protected objects: account

• Custom rules: acl_action | acl_rule_id | acl_rule_type | acl_test

• Scan protection: antiscan_action | antiscan_rule_id | antiscan_rule_type | antiscan_test

• Bot management: appsdk_umid

b

• Size of the response body in bytes: body_bytes_sent

  Important

  The body_bytes_sent field is not supported for protected objects that are Function Compute (FC) services.

• IDs of matched rules that allowed the request: bypass_matched_ids

c

• HTTP flood protection: cc_action | cc_rule_id | cc_rule_type | cc_test

• The content type of the request: content_type

• Protocol violation attacks: compliance_hit | compliance_action | compliance_rule_id | compliance_rule_type | compliance_test

• Bot management: client_id

d

• Data leakage prevention: dlp_action | dlp_rule_id | dlp_test

• The destination port of the request: dst_port

  Important

  The dst_port field is not supported for protected objects that are Microservices Engine (MSE), Application Load Balancer (ALB), or Function Compute (FC) services.

f

Final protection action on a request: final_action | final_plugin | final_rule_id | final_rule_type

h

• Request headers: host | http_cookie | http_referer | http_user_agent | http_x_forwarded_for

• HTTPS requests: https

• Traffic fingerprints for bot management: http2_fingerprint

j

• Traffic fingerprints for bot management: ja3_fingerprint | ja4_fingerprint

m

• The matched protected object: matched_host

• Major event protection: major_protection_action | major_protection_rule_id | major_protection_rule_type | major_protection_test

n

Matched non-terminating rules: non_terminating_rules

p

Indicates the Proxy Protocol usage status in bitmap format: pp_state

q

The query string of the request: querystring

r

• The real client IP: real_client_ip

• region ID of the instance: region

• Client responses: response_set_cookie | response_header | response_info

  Important

  The response_set_cookie, response_header, and response_info fields are not supported for protected objects that are Application Load Balancer (ALB), Microservices Engine (MSE), or Function Compute (FC) services.

• The IP address and port that directly connect to WAF (Deprecated. We recommend that you use the src_ip and src_port fields instead.): remote_addr | remote_port

• Client requests: request_body |request_headers_all|request_header| request_length | request_method | request_path | request_time_msec | request_traceid | request_traceid_origin | remote_region_id|remote_country_id|request_uri

  Important

  The request_header field is not supported for protected objects that are Microservices Engine (MSE) or Function Compute (FC) services.

s

• The WAF port that receives the request: server_port

  Important

  The server_port field is not supported for protected objects that are Microservices Engine (MSE), Application Load Balancer (ALB), or Function Compute (FC) services.

• The protocol used between the client and WAF: server_protocol

  Important

  The server_protocol field is not supported for protected objects that are Function Compute (FC) services.

• The cipher suite or TLS protocol used: ssl_cipher | ssl_protocol

• The HTTP status code: status

• Bot management: scene_action | scene_id | scene_rule_id | scene_rule_type | scene_test | wxbb_info_tbl

• Semantic analysis attacks: sema_hit | sema_action | sema_rule_id | sema_rule_type | sema_test

• The time when the client initiated the request: start_time

• The IP address and port that directly connect to WAF: src_ip|src_port

t

• Time the log entry was recorded: time

• Matched terminating rules: terminating_rules

u

• Origin server responses: upstream_addr | upstream_response_time | upstream_status

  Important

  The upstream_addr field is not supported for protected objects that are Function Compute (FC) services.

• Alibaba Cloud account ID: user_id

w

• Core protection rules: waf_action | waf_rule_id | waf_rule_type | waf_test

• Attacks matched by core protection rules: waf_hit

• Bot management: websdk_umid

Parameter

Description

Example

bypass_matched_ids

The ID of a WAF rule that allows a request, including whitelist rules and custom rules with the Allow action.

If a request matches multiple allow rules, this field records all their IDs, separated by commas (,).

283531

content_type

The content type of the request.

application/x-www-form-urlencoded

dst_port

The destination port of the request.

443

final_action

The final action WAF takes on a request. Valid values:

• block: Blocks the request.

• captcha_strict: Issues a strict slider CAPTCHA.

• captcha: Issues a standard slider CAPTCHA.

• sigchl: Issues a dynamic token challenge.

• js: Issues a JavaScript challenge.

  Important

  If a challenge action (JavaScript, token, or slider CAPTCHA) is triggered, WAF returns an HTTP 200 status code.

Valid actions are listed in Description of *_action fields.

Omitted if the request does not trigger any protection module, for example, when it matches an allow rule or the client passes a challenge.

If a request triggers multiple protection modules, this field records only the action with the highest priority. The actions are prioritized in the following descending order: block > captcha_strict > captcha > js.

block

final_plugin

The protection module corresponding to the final_action. Valid values:

• waf: The core web protection rules module.

• acl: The access control module, which includes IP blacklists, custom rules (access control), threat intelligence, and region blocking.

• cc: The HTTP flood protection module, which includes rules for HTTP flood protection and custom protection rules (for rate limiting).

• antiscan: The scan protection module.

• dlp: The data leakage prevention module.

• scene: The scenario-specific configuration module, which includes app protection.

• sema: The semantic protection module.

• gdrl: The burst traffic rate limiting module.

• major_protection: The major event protection module.

• compliance: The protocol compliance module.

Omitted if the request does not trigger any protection module, for example, when it matches an allow rule or the client passes a challenge.

If a request triggers multiple protection modules, this field records only the module that corresponds to the final_action.

waf

final_rule_id

The ID of the protection rule that corresponds to the final_action.

115341

final_rule_type

The subtype of the rule identified by final_rule_id.

For example, a rule with final_plugin:waf can have a more specific subtype, such as final_rule_type:sqli or final_rule_type:xss.

xss/webShell

host

The Host header value, typically the requested domain name or IP address.

api.example.com

http_cookie

The Cookie header value in the request.

k1=v1;k2=v2

http_referer

The Referer header value, indicating the source URL of the request.

Displays a hyphen (-) if no source URL exists.

http://example.com

http_user_agent

The User-Agent header value, identifying the client browser, OS, and other client information.

Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002)

http_x_forwarded_for

The X-Forwarded-For (XFF) header value, identifying the original client IP address behind a proxy or load balancer.

47.100.XX.XX

https

Indicates whether the request is an HTTPS request.

• If the value is on, the request is an HTTPS request.

• If the field is empty, the request is an HTTP request.

on

matched_host

The protected object, such as a cloud service instance or a domain name, that the client request matched.

*.aliyundoc.com

request_uri

The request path and parameters.

/news/search.php?id=1

real_client_ip

The real client IP address determined by WAF after analyzing the request. You can use this IP address directly in your services.

Displays a hyphen (-) if WAF cannot determine the real IP, for example, due to proxy usage or incorrect IP-related headers.

192.0.XX.XX

region

The region ID of the WAF instance. Valid values:

• cn: the Chinese mainland.

• int: a region outside the Chinese mainland.

cn

src_port

The port of the client or proxy connecting directly to WAF.

If the client directly connects to WAF, this field indicates the client port. If another Layer 7 proxy, such as a CDN, is deployed in front of WAF, this field indicates the port of the proxy.

80

src_ip

The IP address of the client or proxy connecting directly to WAF.

If the client directly connects to WAF, this field indicates the client IP address. If another Layer 7 proxy, such as a CDN, is deployed in front of WAF, this field indicates the IP address of the proxy.

198.51.XX.XX

start_time

A Unix timestamp (in seconds) indicating when the client initiated the request.

1696534058

request_length

The size of the request (in bytes), including the request line, headers, and body.

111111

request_method

The request method.

GET

request_time_msec

The time (in milliseconds) that WAF takes to process the request.

44

request_traceid

The unique ID that WAF generates for the request.

7837b11715410386943437009ea1f0

request_traceid_origin 

The original ID of the request.

7ce319151*****18890e

remote_region_id

The ID of the geographic region to which the IP address belongs.

410000

server_protocol

The protocol used between the client and WAF.

HTTP/1.1

ssl_cipher

The cipher suite used by the client request.

ECDHE-RSA-AES128-GCM-SHA256

ssl_protocol

The SSL/TLS protocol and version used by the client request.

TLSv1.2

status

The HTTP status code that WAF returns to the client. For example, 200 indicates that the request was successful.

200

time

The time when the client initiated the request. The time is in UTC and is formatted according to the ISO 8601 standard in the yyyy-MM-ddTHH:mm:ss+08:00 format.

2018-05-02T16:03:59+08:00

upstream_addr

The IP address and port of the origin server. The format is IP:Port. Multiple records are separated by commas (,).

198.51.XX.XX:443

upstream_response_time

The time (in seconds) the origin server takes to respond to a back-to-origin request from WAF.

0.044

upstream_status

The HTTP status code returned by the origin server for a back-to-origin request from WAF. For example, 200 indicates that the request was successful.

200

user_id

The Alibaba Cloud account ID to which the WAF instance belongs.

17045741********

Parameter

Description

Example

account

The extracted account information. To use this field, you must first configure protected objects and protected object groups.

user1

acl_action

The protection action taken when a request matches an IP address blacklist or an access control rule. Valid values:

• block: Blocks the request.

• captcha_strict: Issues a strict slider CAPTCHA challenge.

• captcha: Issues a slider CAPTCHA challenge.

• js: Issues a JavaScript validation challenge.

• captcha_strict_pass: The request passed the strict slider CAPTCHA.

• captcha_pass: The request passed the slider CAPTCHA.

• js_pass: The request passed the JavaScript validation.

  Important

  If a request triggers a JavaScript validation, token, or slider CAPTCHA challenge, WAF returns an HTTP status code of 200.

Valid actions are listed in Descriptions of *_action fields.

block

acl_rule_id

The ID of the matched rule. The rule can be an IP address blacklist, access control, region blacklist, threat intelligence, basic bot protection, or bot management app protection rule.

151235

acl_rule_type

The type of the matched IP address blacklist or access control rule. Valid values:

• custom: an access control rule.

• blacklist: an IP address blacklist rule.

• scene/basic: a basic bot protection rule.

• region_block: a region blacklist rule.

• scene/appsdk_custom: an app protection rule for bot management.

• threat_intelligence: a threat intelligence rule.

custom

acl_test

The protection mode of the matched IP address blacklist or access control rule. Valid values:

• true: monitoring mode. WAF logs matching requests but does not apply the protection action.

• false: prevention mode. WAF applies the specified protection action to matching requests.

false

antiscan_action

The action taken by a scan protection rule. The only valid value is block.

Valid actions are listed in Descriptions of *_action fields.

block

antiscan_rule_id

The ID of the matched scan protection rule.

151235

antiscan_rule_type

The type of the matched scan protection rule. Valid values:

• highfreq: a high-frequency scan blocking rule.

• dirscan: a directory traversal blocking rule.

• scantools: a scan tool blocking rule.

highfreq

antiscan_test

The protection mode of the matched scan protection rule. Valid values:

• true: monitoring mode. WAF logs matching requests but does not apply the protection action.

• false: prevention mode. WAF applies the specified protection action to matching requests.

false

body_bytes_sent

The size of the response body, in bytes. This size excludes the response header.

1111

cc_action

The action taken by an or throttling rule. Valid values:

• block: Blocks the request.

• captcha: Issues a slider CAPTCHA challenge.

• js: Issues a JavaScript validation challenge.

• captcha_pass: The request passed the slider CAPTCHA.

• js_pass: The request passed the JavaScript validation.

Valid actions are listed in Descriptions of *_action fields.

block

cc_rule_id

The ID of the matched or throttling rule.

151234

cc_rule_type

The type of the matched or throttling rule. Valid values:

• custom: a throttling rule.

• system: an HTTP flood protection rule.

custom

cc_test

The protection mode of the matched or throttling rule. Valid values:

• true: monitoring mode. WAF logs matching requests but does not apply the protection action.

• false: prevention mode. WAF applies the specified protection action to matching requests.

false

request_body

The request body. A maximum of 8 KB of the request body is recorded.

test123curl -ki https://automated-acltest02.***.top/ --resolve automated-acltest02.***.top:443:39.107.XX.XX

request_headers_all

All headers in the request.

{

"Accept": "*/*",

"Accept-Encoding": "gz**, de**te, **r",

"Accept-Language": "zh-Hans-CN;q=1",

"Connection": "keep-***ve",

"Content-Length": "1**6",

"Content-Type": "application/json",

"Cookie": "cookie_key=***; acw_tc=0abc****opqrstuvwxyz0***7890;",

"Host": "1.****.****.1",

...

}

request_header

A custom request header. After selecting this field, you must specify the names of the request headers to record. You can add up to five custom request headers. Separate multiple header names with commas (,).

{"ttt":"abcd"}

server_port

The WAF port that receives the request.

443

waf_action

The action taken by a core protection rule. The only valid value is block.

Valid actions are listed in Descriptions of *_action fields.

block

waf_rule_id

The ID of the matched core protection rule.

113406

waf_rule_type

The type of the matched core protection rule. Valid values:

• sqli: SQL injection

• xss: cross-site scripting

• code_exec: code execution

• crlf: CRLF injection

• lfilei: local file inclusion (LFI)

• rfilei: remote file inclusion (RFI)

• webshell: webshell

• csrf: cross-site request forgery

• other: other protection rules

• cmdi: OS command injection

• expression_injection: expression language injection

• java_deserialization: Java deserialization

• php_deserialization: PHP deserialization

• ssrf: server-side request forgery

• path_traversal: path traversal

• protocol_violation: protocol violation

• arbitrary_file_uploading: arbitrary file uploading

• dot_net_deserialization: .NET deserialization

• scanner_behavior: scanner behavior

• logic_flaw: business logic flaw

• arbitrary_file_reading: arbitrary file reading

• arbitrary_file_download: arbitrary file download

• xxe: external entity injection (XXE)

xss

waf_test

The protection mode of the matched core protection rule. Valid values:

• true: monitoring mode. WAF logs matching requests but does not apply the protection action.

• false: prevention mode. WAF applies the specified protection action to matching requests.

false

major_protection_action

The action taken by a major event protection rule. Valid actions are listed in Descriptions of *_action fields.

block

major_protection_rule_id

The ID of the matched rule from a major event protection template.

2221

major_protection_rule_type

The type of the matched rule from a major event protection template. Valid values:

• waf_blocks: a rule group for major event protection.

• threat_intelligence: a threat intelligence rule for major event protection.

• blacklist: an IP address blacklist rule for major event protection.

• shiro: a rule for Shiro deserialization vulnerability protection.

waf_blocks

major_protection_test

The protection mode of the matched major event protection rule. Valid values:

• true: monitoring mode. WAF logs matching requests but does not apply the protection action.

• false: prevention mode. WAF applies the specified protection action to matching requests.

true

response_set_cookie

The Set-Cookie header in the response.

acw_tc=781bad3616674790875002820e2cebbc55b6e0dfd9579302762b1dece40e0a;path=\/;HttpOnly;Max-Age=1800

response_header

All headers in the response.

{"transfer-encoding":"chunked","set-cookie":"acw_tc=***;path=\/;HttpOnly;Max-Age=1800","content-type":"text\/html;charset=utf-8","x-powered-by":"PHP\/7.2.24","server":"nginx\/1.18.0","connection":"close"}

response_info

The response body. A maximum of 16 KB of the response body is recorded. If the value of the content-encoding header is gzip, the response body is Base64-encoded.

$_POST received: <br/>Array ( [***] => ) <hr/> $GLOBALS['HTTP_RAW_POST_DATA'] received: <br/> <hr/> php://input received: ***

request_path

The request path, which is the part of the URL after the domain name and before the query string (?).

/news/search.php

dlp_action

The protection action taken by a data leakage prevention rule. Valid values:

• monitor: Monitors the request.

• block: Blocks the request.

• filter: Masks sensitive information.

Valid actions are listed in Descriptions of *_action fields.

block

dlp_rule_id

The ID of the matched data leakage prevention rule.

20031483

dlp_test

The protection mode of the matched data leakage prevention rule. Valid values:

• true: monitoring mode. WAF logs matching requests but does not apply the protection action.

• false: prevention mode. WAF applies the specified protection action to matching requests.

true

querystring

The query string of the request, which is the part of the URL that follows the question mark (?).

title=tm_content%3Darticle&pid=123

scene_action

The protection action taken by a bot management scenario-specific rule. Valid values:

• js: Issues a JavaScript validation challenge.

• sigchl: Issues a dynamic token challenge.

• block: Blocks the request.

• monitor: Monitors the request.

• bypass: Allows the request.

• captcha: Issues a slider CAPTCHA challenge.

• captcha_strict: Issues a strict slider CAPTCHA challenge.

Valid actions are listed in Descriptions of *_action fields.

js

scene_id

The scenario ID of the matched bot management scenario-specific rule.

a82d992b_bc8c_47f0_87ce_******

scene_rule_id

The ID of the matched bot management scenario-specific rule and basic protection configuration rule.

js-a82d992b_bc8c_47f0_87ce_******

scene_rule_type

The type of the matched bot management scenario-specific rule. Valid values:

• bot_aialgo: an AI-powered intelligent protection rule.

• cc: a custom throttling rule.

• intelligence: Indicates threat intelligence.

• js: a JavaScript validation rule.

• sigchl: a dynamic token rule.

• sdk: an SDK signature and device collection rule or a secondary packaging detection rule.

bot_aialgo

scene_test

The protection mode of the matched bot management scenario-specific rule. Valid values:

• true: monitoring mode. WAF logs matching requests but does not apply the protection action.

• false: prevention mode. WAF applies the specified protection action to matching requests.

true

remote_addr

The IP address that directly connects to WAF.

If a client connects directly to WAF, this field records the client's IP address. If a Layer 7 proxy such as a CDN is deployed in front of WAF, this field records the IP address of the proxy.

198.51.XX.XX

remote_port

The port that directly connects to WAF.

If a client connects directly to WAF, this field records the client's port. If a Layer 7 proxy such as a CDN is deployed in front of WAF, this field records the port of the proxy.

80

waf_hit

The attack payload that matched a basic protection rule.

{"postarg_values":{"hit":["${jndi:ldap://"],"raw":"postarg.log4j=${jndi:ldap://"}}

compliance_hit

The content that matched a protocol violation rule.

**********7df271da040a

compliance_action

The action taken by a protocol violation rule. The only valid value is block.

Valid actions are listed in Descriptions of *_action fields.

block

compliance_rule_id

The ID of the matched protocol violation rule.

300033

compliance_rule_type

The type of the matched protocol violation rule. The only valid value is protocol_violation.

protocol_violation

compliance_test

The protection mode of the matched protocol violation rule. Valid values:

• true: monitoring mode. WAF logs matching requests but does not apply the protection action.

• false: prevention mode. WAF applies the specified protection action to matching requests.

false

sema_hit

The content that matched a semantic analysis rule.

{"queryarg_values":{"hit":["\" from mysql.user"],"raw":"queryarg.y=\" from mysql.user"}}

sema_action

The action taken by a semantic analysis rule. The only valid value is block.

Valid actions are listed in Descriptions of *_action fields.

block

sema_rule_id

The ID of the matched semantic analysis rule.

810015

sema_rule_type

The type of the matched semantic analysis rule. The only valid value is sqli, which indicates an SQL injection rule.

sqli

sema_test

The protection mode of the matched semantic analysis rule. Valid values:

• true: monitoring mode. WAF logs matching requests but does not apply the protection action.

• false: prevention mode. WAF applies the specified protection action to matching requests.

false

wxbb_info_tbl

Device information from a request that matched an app protection rule for bot management.

{

"abnormal_imei": "0",

"abnormal_time": "1",

*****

"appversion": "9.4.3",

"brand": "Android",

*****

}

websdk_umid

The unique device identifier for a web client, identified by bot management.

6543211729a19aa0123456

appsdk_umid

The unique device identifier for an app client, identified by bot management.

3c76912d48ec5eb1ea6cb775ce1ba609

client_id

The client type identified by bot management.

Python-urllib

ja3_fingerprint

The JA3 fingerprint of the traffic, identified by bot management.

5c9e5897bbebcef37337bffb97587518

ja4_fingerprint

The JA4 fingerprint of the traffic, identified by bot management.

b251a742b13fde5fba044eddfd05af34

http2_fingerprint

The HTTP/2 fingerprint of the traffic, identified by bot management.

52d84b11737d980aef856699f885ca86

non_terminating_rules

Information about requests that match rules with non-terminating actions. This includes requests that match rules with the Log or Origin Custom Header action, and requests that pass challenges such as JavaScript Validation, CAPTCHA, Strict CAPTCHA, or Dynamic Token. These correspond to requests where the action field is js_pass, captcha_pass, captcha_strict_pass, sigchl_pass, monitor, or upstream_tag. If a request matches multiple such rules, all matched rules are recorded.

[{"id":"12345678","action":"monitor","defense_scene":"waf_base"},{"id":"123123123","type":"suspicious_idc","action":"monitor","defense_scene":"bot_manager"},

{"id":"12341234","bypass_punish":"1","defense_scene":"custom_acl"}]

terminating_rules

Information about requests that match rules with terminating actions. This includes requests that match the Block action, and requests that fail challenges such as JavaScript Validation, CAPTCHA, Strict CAPTCHA, or Dynamic Token. These correspond to requests where the action field is block, js, captcha, captcha_strict, or sigchl.

[{"id":"123456","action":"block","defense_scene":"custom_acl"}]

remote_country_id

The country ID associated with the IP address.

CN

pp_state

proxy_protocol uses a status bitmap. Bitwise flags identify the processing status of proxy_protocol in a request:

• Bit 0 (value 1): The client sent a proxy_protocol v1 header.

• Bit 1 (value 2): The client sent a proxy_protocol v2 header.

• Bit 2 (value 4): The client IP address was obtained from the proxy_protocol header.

• Bit 3 (value 8): The proxy_protocol header was passed to the origin server.

You can use a bitwise AND (&) operation to check if a specific flag is set.

6 (binary 0110, 6 & 2 == 2, 6 & 4 == 4, indicates that a Proxy Protocol v2 request was received and the client IP was obtained from it)

Action

Description

block

Blocks the web request and returns an HTTP 405 error page to the client.

captcha_strict

Performs strict slider CAPTCHA verification. WAF presents a slider CAPTCHA page to the client. WAF allows the request only if the client successfully completes the CAPTCHA. Otherwise, the request is blocked. In this mode, every request from the client requires verification.

captcha

Performs common slider CAPTCHA verification. WAF presents a slider CAPTCHA page to the client. If the client successfully completes the CAPTCHA, WAF allows subsequent requests from the client for a period (default: 30 minutes) without re-verification. Otherwise, the request is blocked.

js

Performs JavaScript validation. WAF issues a JavaScript challenge to the client's browser. If the browser successfully executes the JavaScript code, WAF allows subsequent requests from the client for a period (default: 30 minutes) without further challenges. Otherwise, the request is blocked.

js_pass

Indicates that the client passed the JavaScript validation, and WAF allowed the request.

sigchl

Performs dynamic token authentication. WAF provides a Web SDK for the client to sign outgoing requests. If a request has a valid signature, WAF forwards it to the origin server. If the signature is invalid or missing, WAF challenges the client to re-sign the request.