Log Service for WAF collects request-level data for every domain name protected by Web Application Firewall (WAF). Use these metrics to set alert thresholds and detect anomalies before they affect your users.
The metrics fall into two categories:
Performance metrics — measure latency and response times between the client, WAF, and origin servers
Security and status code metrics — indicate blocked requests, attack patterns, and server-side errors
Performance metrics
| Metric | What it measures | Recommended threshold | What to do |
|---|---|---|---|
| request_time_msec | End-to-end latency: from when the client sends a request to when the client receives a response. | Set based on your typical service response time. | Check network connectivity between the client and WAF, and between WAF and the origin server. Verify the origin server is responding normally. |
| upstream_response_time | Latency between WAF forwarding a request to the origin server and receiving the response. | | |
| ssl_handshake_time | Time to complete the Secure Sockets Layer (SSL) handshake between the client and WAF during HTTPS requests. | | |
Security and status code metrics
Successful requests
| Metric | What it measures | Recommended threshold | What to do |
|---|---|---|---|
| status:200 | The server processed the request and returned the requested data. | Set to 90% before initializing workloads; adjust as needed. | If the percentage drops below the threshold, check which other status codes have increased and investigate accordingly. |
Security-triggered responses
| Metric | What it measures | Recommended threshold | What to do |
|---|---|---|---|
| status:302 and block_action:tmd | CAPTCHA was triggered. Status code 302 indicates that the client was redirected to a CAPTCHA challenge. | Start with 5–10% during initial rollout; adjust based on WAF-blocked traffic volume. | Determine whether the domain is under an HTTP flood attack. If so, customize HTTP flood protection rules to block the attack traffic. Also check for spikes in 5xx or 4xx status codes that may indicate a broader attack. |
| status:200 and block_action:tmd | HTTP flood protection was triggered. Status code 200 with block_action:tmd indicates that HTTP flood protection was triggered without a CAPTCHA challenge. | Same as above. | Same as above. |
| status:200 and block_action:antifraud | The request was blocked by data risk control. | Test the alert rule before applying it to production. | If alerts are frequent, contact the Alibaba Cloud R&D team to adjust the alert threshold. |
| status:405 | The request was blocked by web application protection rules or HTTP ACL policy rules. | | Use the log analysis feature to identify which rule blocked the request and whether it is a false positive. |
| status:444 | The request was blocked by custom HTTP flood protection rules. | | Determine whether the domain is under an HTTP flood attack and refine your custom rules. If the blocked traffic is legitimate API traffic, adjust the threshold or allow API calls on specified servers. |
Client-side errors
| Metric | What it measures | Recommended threshold | What to do |
|---|---|---|---|
| status:404 | The server cannot find the requested resources. | Set based on your baseline 404 rate. | Check the source IP addresses: a single IP triggering many 404s may indicate a path traversal attack; multiple IPs may indicate a misconfiguration or missing files on the server. |
| status:499 | The client sent a request but the server returned no data before the client's maximum wait time elapsed; the client disconnected, and the server logged this status code. | Set based on your baseline client timeout rate. | Check whether the origin server has slow responses or high database query latency. Also check whether an attack has exhausted resources on the origin server. |
Server-side errors
| Metric | What it measures | Recommended threshold | What to do |
|---|---|---|---|
| status:500 | The request could not be processed because the origin server returned 500 Internal Server Error. | Set based on your baseline error rate. | Check origin server load and database status. |
| status:502 | WAF received an invalid response from the origin server (Bad Gateway). The origin server did not respond because of poor back-to-origin network quality, or because back-to-origin requests were blocked by access control policies configured on the origin server. | Set based on your baseline error rate. | Check back-to-origin network quality, the origin server's access control policies, and origin server load and database status. Verify the origin server is not blocking the back-to-origin IP address of WAF. |
| status:503 | The origin server is unavailable due to overload or maintenance. | Set based on your baseline error rate. | Check for exceptions on the origin server. |
| status:504 | WAF did not receive a timely response from the origin server (Gateway Timeout). | Set based on your baseline timeout rate. | Possible causes: origin server overload, the origin server discarded requests without resetting the connection, or a protocol-level communication failure. |
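The following is an added example of how the thresholds in the tables above can be evaluated over a window of WAF log records; it is not code from the Alibaba Cloud documentation or the Log Service product. The log records are constructed, the field name `real_client_ip`, the millisecond unit of `request_time_msec`, and the latency and per-IP 404 thresholds are assumptions; the `status` and `block_action` values and the 90% and 5–10% starting thresholds come from the page. It covers both the performance metric (latency percentile) and the status code metrics, including the single-IP 404 check from the client-side errors table.

```python
"""Evaluate WAF Log Service metrics against alert thresholds (added example)."""
import math
from collections import Counter


def _rec(ip, status, action, rt_msec):
    # Constructed record; "real_client_ip" is an assumed field name.
    return {"real_client_ip": ip, "status": status,
            "block_action": action, "request_time_msec": rt_msec}


# Constructed sample of 20 records for one protected domain (not real traffic).
SAMPLE_LOGS = (
    [_rec("198.51.100.10", 200, "", rt) for rt in (80, 95, 110, 120, 130, 140)]
    + [_rec("198.51.100.11", 200, "", rt) for rt in (150, 160, 170, 180, 200)]
    + [_rec("203.0.113.5", 200, "tmd", 90)]  # HTTP flood protection, no CAPTCHA
    + [_rec("203.0.113.5", 302, "tmd", rt) for rt in (60, 65, 70)]  # CAPTCHA served
    + [_rec("203.0.113.5", 404, "", rt) for rt in (40, 42, 45, 48, 50)]  # single-IP 404 burst
)

THRESHOLDS = {
    "status_200_min_pct": 90.0,        # page: start at 90% and adjust
    "captcha_max_pct": 10.0,           # page: 5-10% during initial rollout
    "request_time_msec_p95_max": 300,  # assumption: derive from your own baseline
    "status_404_per_ip_max": 4,        # assumption: one IP producing many 404s
}


def status_pct(logs, status, block_action=None):
    """Percent of records with `status`, optionally also matching `block_action`."""
    if not logs:
        return 0.0
    hits = sum(1 for r in logs if r["status"] == status
               and (block_action is None or r["block_action"] == block_action))
    return 100.0 * hits / len(logs)


def percentile(logs, field, pct):
    """Nearest-rank percentile of a numeric log field (e.g. request_time_msec)."""
    values = sorted(r[field] for r in logs)
    if not values:
        return 0.0
    rank = max(1, math.ceil(pct * len(values) / 100.0))
    return values[rank - 1]


def top_404_sources(logs):
    """404 count per client IP, most frequent first, so single-IP bursts stand out."""
    return Counter(r["real_client_ip"] for r in logs if r["status"] == 404).most_common()


def evaluate(logs, thresholds=THRESHOLDS):
    """Return (metric, observed, threshold) tuples for every breached threshold."""
    if not logs:
        return []  # nothing to judge in an empty window
    alerts = []
    # Successful requests: status 200 that was not a block_action response.
    ok = status_pct(logs, 200, block_action="")
    if ok < thresholds["status_200_min_pct"]:
        alerts.append(("status:200", ok, thresholds["status_200_min_pct"]))
    # CAPTCHA triggered by HTTP flood protection.
    captcha = status_pct(logs, 302, block_action="tmd")
    if captcha > thresholds["captcha_max_pct"]:
        alerts.append(("status:302 and block_action:tmd", captcha, thresholds["captcha_max_pct"]))
    # End-to-end latency, p95 over the window.
    p95 = percentile(logs, "request_time_msec", 95)
    if p95 > thresholds["request_time_msec_p95_max"]:
        alerts.append(("request_time_msec p95", p95, thresholds["request_time_msec_p95_max"]))
    # Client-side errors: one IP generating many 404s.
    for ip, n in top_404_sources(logs):
        if n > thresholds["status_404_per_ip_max"]:
            alerts.append((f"status:404 from {ip}", n, thresholds["status_404_per_ip_max"]))
    return alerts


if __name__ == "__main__":
    for metric, observed, limit in evaluate(SAMPLE_LOGS):
        print(f"ALERT {metric}: observed {observed}, threshold {limit}")
```

On the sample window the 200 share is 55%, CAPTCHA responses are 15% of requests, p95 latency stays under the assumed 300 ms limit, and 203.0.113.5 alone produced five 404s, so three of the four checks fire. In practice the window would come from a Log Service query over the same fields and the thresholds would be tuned to your measured baseline rather than the assumed values above.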