Optional fields and required fields supported by WAF 2.0 - Web Application Firewall

This topic describes the log fields that are supported by Web Application Firewall (WAF).

Table for field retrieval

The following table describes the log fields that are supported by WAF. You can use the names of fields to retrieve the fields that you want to view.

Initial	Field
a	Fields related to accounts: account_action \| account_rule_id \| account_test Fields related to access control list (ACL) rules: acl_action \| acl_rule_id \| acl_rule_type \| acl_test Fields related to algorithms: algorithm_action \| algorithm_rule_id \| algorithm_test Fields related to data risk control: antifraud_action \| antifraud_test Fields related to scan protection: antiscan_action \| antiscan_rule_id \| antiscan_rule_type \| antiscan_test
b	Field used to record protection types: block_action Field used to record the number of bytes in the response body: body_bytes_sent Field used to record the IDs of rules that allow requests: bypass_matched_ids
c	Fields related to HTTP flood protection: cc_action \| cc_rule_id \| cc_rule_type \| cc_test Field used to record content types: content_type
d	Fields related to deep learning: deeplearning_action \| deeplearning_rule_id \| deeplearning_rule_type \| deeplearning_test Fields related to data leakage prevention: dlp_action \| dlp_rule_id \| dlp_test Field used to record destination ports: dst_port
f	Fields related to final actions: final_action \| final_plugin \| final_rule_id \| final_rule_type
h	Field used to record Host request headers: host Fields related to HTTP requests: http_cookie \| http_referer \| http_user_agent \| http_x_forwarded_for \| https
i	Fields related to bot threat intelligence: intelligence_action \| intelligence_rule_id \| intelligence_test
m	Field used to record the matched domain names that are added to WAF: matched_host
n	Fields related to positive security models: normalized_action \| normalized_rule_id \| normalized_rule_type \| normalized_test
q	Field used to record query strings: querystring
r	Field used to record the originating IP addresses of clients: real_client_ip Field used to record the region IDs of instances: region Fields related to clients that established connections with WAF: remote_addr \| remote_port Fields related to requests: request_body \| request_length \| request_method \| request_path \| request_time_msec \| request_traceid \| request_uri
s	Fields related to scenario-specific configuration: scene_action \| scene_id \| scene_rule_id \| scene_rule_type \| scene_test Fields related to servers: server_port \| server_protocol Fields related to SSL settings used by clients: ssl_cipher \| ssl_protocol Field used to record HTTP status codes: status Field used to record request exception causes: sigchl_invalid_type Fields used to record IP addresses and ports that are used to connect to WAF: src_port \| src_ip Field used to record the time when requests were initiated: start_time
t	Field used to record the time when requests were initiated: time
u	Fields related to browsers: ua_browser \| ua_browser_family \| ua_browser_type \| ua_browser_version Field used to record client device types: ua_device_type Fields related to operating systems: ua_os \| ua_os_family Fields related to origin servers: upstream_addr \| upstream_response_time \| upstream_status Field used to record account IDs: user_id
w	Fields related to WAF protection: waf_action \| waf_rule_id \| waf_rule_type \| waf_test Fields related to app protection: wxbb_action \| wxbb_invalid_wua \| wxbb_rule_id \| wxbb_test

Description of the action field

The following table describes all actions that are supported by WAF.

Value of the action field	Description
block	The request is blocked. WAF blocks the client request and returns HTTP error code 405 to the client.
captcha_strict	Strict slider CAPTCHA verification is performed. WAF returns the pages used for slider CAPTCHA verification to the client. If the client passes strict slider CAPTCHA verification, WAF allows the request. Otherwise, WAF blocks the request. The client must pass strict slider CAPTCHA verification each time the client sends a request.
captcha	Common slider CAPTCHA verification is performed. WAF returns the pages used for slider CAPTCHA verification to the client. If a client passes common slider CAPTCHA verification, WAF allows requests that are sent from the client in a specific time range. By default, the time range is set to 30 minutes. Otherwise, WAF blocks requests from the client.
sigchl	Dynamic token authentication is performed, and web requests are signed. When the client sends a request, the Web SDK that is issued by WAF generates a signature for the request. The signature is forwarded together with the request to the origin server. If the signature is generated and verified, the request is forwarded to the origin server. If the signature fails to be generated or verified, a code block that can be used to obtain a dynamic token is returned to the client and the request must be re-signed.
js	JavaScript validation is performed. WAF returns JavaScript code to the client. The JavaScript code is automatically executed by the client browsers. If the client passes JavaScript validation, WAF allows requests that are sent from the client in a specific time range. By default, the time range is set to 30 minutes. Otherwise, WAF blocks requests from the client.
pass	The request is allowed. WAF allows the client request, and forwards the request to the origin server.
captcha_strict_pass	The client passes strict slider CAPTCHA verification, and WAF allows the client request.
captcha_pass	The client passes common slider CAPTCHA verification, and WAF allows the client request.
sigchl_pass	The client passes dynamic token authentication, and WAF allows the client request.
js_pass	The client passes JavaScript validation, and WAF allows the client request.
mask	WAF masks the sensitive data that is returned from the origin server and returns the result to the client. Only the data leakage prevention module supports this action.
continue	The request is allowed. The meaning of the continue action varies based on the protection module. For more information, see the descriptions of the normalized_action and wxbb_action fields in this topic.

Required fields

Required fields refer to the fields that must be included in WAF logs.

Field	Description	Example
acl_rule_type	The type of the matched rule. The rule is created for the IP address blacklist or custom protection policy (ACL policy) module. Valid values: custom: a rule that is created for the custom protection policy (ACL policy) module blacklist: a rule that is created for the IP address blacklist module	custom
bypass_matched_ids	The ID of the matched rule that allows the client request. The rule is created for the whitelist or custom protection policy module. If multiple rules that allow the request are matched at a time, this field records the IDs of all the rules. Multiple IDs are separated with commas (,).	283531
cc_rule_type	The type of the matched rule. The rule is created for the HTTP flood protection or custom protection policy (HTTP flood protection policy) module. Valid values: custom: a rule that is created for the custom protection policy (HTTP flood protection policy) module system: a rule that is created for the HTTP flood protection policy module	custom
content_type	The type of the request content.	application/x-www-form-urlencoded
dst_port	The destination port.	443
final_action	The final action that is performed by WAF on the request. Valid values: block: The request is blocked. captcha_strict: Strict slider CAPTCHA verification is performed. captcha: Common slider CAPTCHA verification is performed. sigchl: Dynamic token authentication is performed. js: JavaScript validation is performed. For more information about WAF protection actions, see the Description of the action field in this topic. If a request does not trigger a protection module, this field is not recorded. For example, if a request matches a rule that allows the request or a request is allowed after the client passes CAPTCHA verification or JavaScript validation, this field is not recorded. If a request triggers multiple protection modules at a time, this field is recorded and includes only the final action that is performed. The following actions are listed in descending order of priority: block (block), strict slider CAPTCHA verification (captcha_strict), common slider CAPTCHA verification (captcha), dynamic token authentication (sigchl), and JavaScript validation (js).	block
final_plugin	The protection module based on which the final action is performed on the request. The final_action field records the final action that is performed. Valid values: waf: the protection rules engine module deeplearning: the deep learning engine module dlp: the data leakage prevention module account: the account security module normalized: the positive security model module acl: the IP address blacklist or custom protection policy (ACL policy) module cc: the HTTP flood protection or custom protection policy (HTTP flood protection policy) module antiscan: the scan protection module scene: the scenario-specific configuration module antifraud: the data risk control module intelligence: the bot threat intelligence module algorithm: the typical bot behavior identification module wxbb: the app protection module To configure the preceding protection modules, log on to the WAF console and choose Protection Configurations > Website Protection in the left-side navigation pane. For more information about the protection modules of WAF, see Overview. If a request does not trigger a protection module, this field is not recorded. For example, if a request matches a rule that allows the request or a request is allowed after the client passes CAPTCHA verification or JavaScript validation, this field is not recorded. If a request triggers multiple protection modules at a time, this field is recorded and includes only the final action that is performed. The final_action field records the final action that is performed.	waf
final_rule_id	The ID of the rule based on which the final action is performed. The final_action field records the final action that is performed.	115341
final_rule_type	The subtype of the rule based on which the final action is performed. The final_rule_id field records the rule. For example, `final_plugin:waf` supports `final_rule_type:sqli` and `final_rule_type:xss`.	xss/webshell
host	The Host field in the request header that contains the requested domain name or IP address.	api.example.com
http_cookie	The Cookie field in the request header that contains the cookie information of the client.	k1=v1;k2=v2
http_referer	The Referer field in the request header that contains information about the source URL of the request. If the request does not contain the source URL information, the value of this field is displayed as a hyphen (`-`).	http://example.com
http_user_agent	The User-Agent field in the request header that contains information about the browser and the operating system.	Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002)
http_x_forwarded_for	The X-Forwarded-For (XFF) field in the request header. This field is used to identify the originating IP address of the client that is connected to the web server by using an HTTP proxy or a load balancer.	47.100.XX.XX
https	Indicates whether the request is an HTTPS request. The value on indicates that the request is an HTTPS request. If the field is empty, the request is an HTTP request.	on
matched_host	The matched domain name that is added to WAF. Note The domain name can be an exact-match domain name or a wildcard domain name. For example, if the .aliyun.com domain name is added to WAF and www.aliyun.com is requested, the .aliyun.com domain name may be matched.	*.aliyun.com
real_client_ip	The originating IP address of the client that sends the request. WAF analyzes the request to identify the IP address. If WAF cannot identify the originating IP address of the client, the value of this field is displayed as a hyphen (`-`). For example, when a proxy server is used or the IP field in the request header is invalid, WAF cannot identify the originating IP address of the client.	192.0.XX.XX
request_length	The number of bytes in the request, including the bytes in the request line, request header, and request body. Unit: bytes.	111111
request_method	The request method.	GET
request_time_msec	The amount of time that WAF takes to process the request. Unit: milliseconds.	44
request_traceid	The unique identifier that WAF generates for the client request.	7837b11715410386943437009ea1f0
request_uri	The request path and request parameters.	/news/search.php?id=1
server_protocol	The protocol and the protocol version that are used by the origin server to respond to the request forwarded by WAF.	HTTP/1.1
status	The HTTP status code that is included in the response from WAF to the client. Example: 200, which indicates that the request is received and accepted.	200
src_port	The port that is used to connect to WAF. If no Layer 7 proxies are deployed in front of WAF, this field records the port of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the port of the Layer 7 proxy.	80
src_ip	The IP address that is used to connect to WAF. If no Layer 7 proxies are deployed in front of WAF, this field records the IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the IP address of the Layer 7 proxy.	198.51.XX.XX
start_time	The time when the request was sent. Unit: seconds.	1696534058
time	The time when the request was sent. The time follows the ISO 8601 standard in the `yyyy-MM-ddTHH:mm:ss+08:00` format. The time is displayed in UTC.	2018-05-02T16:03:59+08:00
upstream_addr	The IP address and port of the origin server. The format is `IP:Port`. Multiple pairs of IP addresses and port numbers are separated with commas (,).	198.51.XX.XX:443
upstream_response_time	The total amount of time required for the origin server to respond to the request forwarded by WAF and for WAF to forward the response to the client. Unit: seconds.	0.044
upstream_status	The HTTP status code that is sent by the origin server in response to the request forwarded by WAF. Example: 200, which indicates that the request is received and accepted.	200

Optional fields

You can include optional fields in WAF logs based on your business requirements. WAF logs record only the optional fields that you enable.

If you enable optional fields, WAF logs occupy more storage space. If you have sufficient log storage capacity, we recommend that you enable additional optional fields. This way, you can perform log analysis in a more comprehensive manner. For more information about how to configure optional fields, see Modify log settings.

Field	Description	Example
account_action	The action that is performed on the client request based on an account security rule. This field is fixed as block, which indicates that the request is blocked. For more information about WAF protection actions, see the Description of the action field in this topic.	block
account_rule_id	The ID of the matched account security rule.	151235
account_test	The protection mode that is used for the client request based on a account security rule. Valid values: true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed. false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.	false
acl_action	The action that is performed on the client request based on a rule created for the IP address blacklist or custom protection policy (ACL policy) module. Valid values: block: The request is blocked. captcha_strict: Strict slider CAPTCHA verification is performed. captcha: Common slider CAPTCHA verification is performed. js: JavaScript validation is performed. captcha_strict_pass: The client passes strict slider CAPTCHA verification, and WAF allows the request from the client. captcha_pass: The client passes common slider CAPTCHA verification, and WAF allows the request from the client. js_pass: The client passes JavaScript validation, and WAF allows the request from the client. For more information about WAF protection actions, see the Description of the action field in this topic.	block
acl_rule_id	The ID of the matched rule. The rule is created for the IP address blacklist or custom protection policy (ACL policy) module.	151235
acl_test	The protection mode that is used for the client request based on a rule created for the IP address blacklist or custom protection policy (ACL policy) module. Valid values: true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed. false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.	false
algorithm_action	The action that is performed on the client request based on a rule created for the typical bot behavior identification module. Valid values: block: The request is blocked. captcha: Common slider CAPTCHA verification is performed. js: JavaScript validation is performed. captcha_pass: The client passes common slider CAPTCHA verification, and WAF allows the request from the client. js_pass: The client passes JavaScript validation, and WAF allows the request from the client. For more information about WAF protection actions, see the Description of the action field in this topic.	block
algorithm_rule_id	The ID of the matched rule. The rule is created for the typical bot behavior identification module.	151235
algorithm_test	The protection mode that is used for the client request based on a rule created for the typical bot behavior identification module. Valid values: true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed. false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.	false
antifraud_action	The action that is performed on the client request based on a rule created for the data risk control module. Valid values: pass: The request is allowed. block: The request is blocked. captcha: Common slider CAPTCHA verification is performed. For more information about WAF protection actions, see the Description of the action field in this topic.	block
antifraud_test	The protection mode that is used for the client request based on a rule created for the data risk control module. Valid values: true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed. false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.	false
antiscan_action	The action that is performed on the client request based on a rule created for the scan protection module. This field is fixed as block, which indicates that the request is blocked. For more information about WAF protection actions, see the Description of the action field in this topic.	block
antiscan_rule_id	The ID of the matched rule. The rule is created for the scan protection module.	151235
antiscan_rule_type	The type of the matched rule. The rule is created for the scan protection module. Valid values: highfreq: a rule that blocks IP addresses from which web attacks are frequently initiated dirscan: a rule that defends against directory traversal attacks scantools: a rule that blocks the IP addresses of scanners collaborative: a collaborative defense rule	highfreq
antiscan_test	The protection mode that is used for the client request based on a rule created for the scan protection module. Valid values: true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed. false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.	false
block_action	Important This field is no longer valid due to WAF upgrades. This field is replaced with the final_plugin field. If the block_action field is used in your services, replace the field with the final_plugin field at the earliest opportunity. The WAF protection module that is triggered to block the request. Valid values: tmd: the HTTP flood protection module. The value is equivalent to the cc value of the final_plugin field. waf: the web attack protection module. The value is equivalent to the waf value of the final_plugin field. acl: the custom protection policy module. The value is equivalent to the acl value of the final_plugin field. deeplearning: the deep learning engine module. The value is equivalent to the deeplearning value of the final_plugin field. antiscan: the scan protection module. The value is equivalent to the antiscan value of the final_plugin field. antifraud: the data risk control module. The value is equivalent to the antifraud value of the final_plugin field. antibot: the bot management module. The value is equivalent to the intelligence, algorithm, wxbb, and scene values of the final_plugin field.	waf
body_bytes_sent	The number of bytes returned to the client from the server, excluding the number of bytes in the response header. Unit: bytes.	1111
cc_action	The action that is performed on the client request based on a rule created for the HTTP flood protection or custom protection policy (HTTP flood protection policy) module. Valid values: block: The request is blocked. captcha: Common slider CAPTCHA verification is performed. js: JavaScript validation is performed. captcha_pass: The client passes common slider CAPTCHA verification, and WAF allows the client request. js_pass: The client passes JavaScript validation, and WAF allows the client request. For more information about WAF protection actions, see the Description of the action field in this topic.	block
cc_rule_id	The ID of the matched rule. The rule is created for the HTTP flood protection or custom protection policy (HTTP flood protection policy) module.	151234
cc_test	The protection mode that is used for the client request based on a rule created for the HTTP flood protection or custom protection policy (HTTP flood protection policy) module. Valid values: true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed. false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.	false
deeplearning_action	The action that is performed on the client request based on a rule created for the deep learning engine module. This field is fixed as block, which indicates that the request is blocked. For more information about WAF protection actions, see the Description of the action field in this topic.	block
deeplearning_rule_id	The ID of the matched rule. The rule is created for the deep learning engine module.	151238
deeplearning_rule_type	The type of the matched rule. The rule is created for the deep learning engine module. Valid values: xss: a rule used to defend against cross-site scripting (XSS) attacks code_exec: a rule used to defend against attacks that exploit code execution vulnerabilities webshell: a rule used to defend against webshell uploads sqli: a rule used to defend against SQL injection attacks lfilei: a rule used to defend against local file inclusion rfilei: a rule used to defend against remote file inclusion other: other protection rules	xss
deeplearning_test	The protection mode that is used for the client request based on a rule created for the deep learning engine module. Valid values: true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed. false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.	false
dlp_action	The action that is performed on the client request based on a rule created for the data leakage prevention module. Valid values: block: The request is blocked. mask: Sensitive data is masked. For more information about WAF protection actions, see the Description of the action field in this topic.	mask
dlp_rule_id	The ID of the matched rule. The rule is created for the data leakage prevention module.	151245
dlp_test	The protection mode that is used for the client request based on a rule created for the data leakage prevention module. Valid values: true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed. false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.	false
intelligence_action	The action that is performed on the client request based on a rule created for the bot threat intelligence module. Valid values: block: The request is blocked. captcha_strict: Strict slider CAPTCHA verification is performed. captcha: Common slider CAPTCHA verification is performed. js: JavaScript validation is performed. captcha_strict_pass: The client passes strict slider CAPTCHA verification, and WAF allows the client request. captcha_pass: The client passes common slider CAPTCHA verification, and WAF allows the client request. js_pass: The client passes JavaScript validation, and WAF allows the client request. For more information about WAF protection actions, see the Description of the action field in this topic.	block
intelligence_rule_id	The ID of the matched rule. The rule is created for the bot threat intelligence module.	152234
intelligence_test	The protection mode that is used for the client request based on a rule created for the bot threat intelligence module. Valid values: true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed. false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.	false
normalized_action	The action that is performed on the client request based on a rule created for the positive security model module. Valid values: block: The request is blocked. continue: The request is allowed. For more information about WAF protection actions, see the Description of the action field in this topic.	block
normalized_rule_id	The ID of the matched rule. The rule is created for the positive security model module.	151266
normalized_rule_type	The type of the matched rule. The rule is created for the positive security model module. Valid values: User-Agent: a User-Agent-based baseline rule. If the User-Agent field of a request header does not conform to the baseline, an attack may occur. This description applies to other rule types. Referer: a Referer-based baseline rule. URL: a URL-based baseline rule. Cookie: a cookie-based baseline rule. Body: a request body-based baseline rule.	User-Agent
normalized_test	The action that is performed on the client request based on a rule created for the positive security model module. Valid values: true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed. false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.	false
querystring	The query string in the request. The query string follows a question mark (?) in the request URL.	title=tm_content%3Darticle&pid=123
region	The region where the WAF instance resides. Valid values: cn: The WAF instance resides in the Chinese mainland. int: The WAF instance resides outside the Chinese mainland.	cn
remote_addr	The IP address that is used to connect to WAF. If no Layer 7 proxies are deployed in front of WAF, this field records the IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the IP address of the Layer 7 proxy.	198.51.XX.XX
remote_port	The port that is used to connect to WAF. If no Layer 7 proxies are deployed in front of WAF, this field records the port of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the port of the Layer 7 proxy.	80
request_body	The request body.	i am the request body, encrypted or not!
request_path	The relative path that is requested. The relative path is the part between the domain name and the question mark (?) in the request URL. The relative path does not include the query string.	/news/search.php
scene_action	The action that is performed on the client request based on a rule created for the scenario-specific configuration module. Valid values: block: The request is blocked. captcha: Common slider CAPTCHA verification is performed. sigchl: Dynamic token authentication is performed. js: JavaScript validation is performed. captcha_pass: The client passes common slider CAPTCHA verification, and WAF allows the client request. sigchl_pass: The client passes dynamic token authentication, and WAF allows the client request. js_pass: The client passes JavaScript validation, and WAF allows the client request. For more information about WAF protection actions, see the Description of the action field in this topic.	block
scene_id	The scenario ID of the matched rule. The rule is created for the scenario-specific configuration module.	151235
scene_rule_id	The ID of the matched rule. The rule is created for the scenario-specific configuration module.	153678
scene_rule_type	The type of the matched rule. The rule is created for the scenario-specific configuration module. Valid values: bot_aialgo: an intelligent protection rule js: a rule that blocks script-based bots intelligence: a rule that blocks attacks based on bot threat intelligence or data center blacklists sdk: a rule that checks for abnormal signatures of SDK-integrated apps and abnormal device behavior cc: an IP address-based throttling rule or a custom session-based throttling rule sigchl: a dynamic token authentication rule	bot_aialgo
sigchl_invalid_type	The reason why the request is considered abnormal based on a dynamic token authentication rule. Valid values: sigchl_invalid_sig: The signature verification failed. The following list describes the common causes of this error: The request does not carry a signature. The parameter that is passed to add a signature is different from the parameter received by WAF. sigchl_is_replay: The signature timestamp is abnormal. A replay attack may occur. sigchl_is_driver: The request is considered a WebDriver attack request.	sigchl_invalid_sig
scene_test	The action that is performed on the client request based on a rule created for the scenario-specific configuration module. Valid values: true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed. false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.	false
server_port	The destination port.	443
ssl_cipher	The cipher suite that is used by the client.	ECDHE-RSA-AES128-GCM-SHA256
ssl_protocol	The SSL or TLS protocol version that is used by the client.	TLSv1.2
ua_browser	The name of the browser that initiates the request. Important Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic.	ie9
ua_browser_family	The family to which the browser belongs. Important Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic.	internet explorer
ua_browser_type	The type of the browser that initiates the request. Important Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic.	web_browser
ua_browser_version	The version of the browser that initiates the request. Important Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic.	9.0
ua_device_type	The device type of the client that initiates the request. Important Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic.	computer
ua_os	The operating system of the client that initiates the request. Important Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic.	windows_7
ua_os_family	The family to which the operating system of the client belongs. Important Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic.	windows
user_id	The ID of the Alibaba Cloud account to which the WAF instance belongs.	17045741********
waf_action	The action that is performed on the client request based on a rule created for the protection rules engine module. This field is fixed as block, which indicates that the request is blocked. For more information about WAF protection actions, see the Description of the action field in this topic.	block
waf_rule_id	The ID of the matched rule. The rule is created for the protection rules engine module.	113406
waf_rule_type	The type of the matched rule. The rule is created for the protection rules engine module. Valid values: xss: a rule used to defend against XSS attacks code_exec: a rule used to defend against attacks that exploit code execution vulnerabilities webshell: a rule that defends against webshell uploads sqli: a rule used to defend against SQL injection attacks lfilei: a rule used to defend against local file inclusion rfilei: a rule used to defend against remote file inclusion other: other protection rules	xss
waf_test	The protection mode that is used for the client request based on a rule created for the protection rules engine module. Valid values: true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed. false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.	false
wxbb_action	The action that is performed on the client request based on a rule created for the app protection module. Valid values: block: The request is blocked because the signature verification failed. captcha: Common slider CAPTCHA verification is performed. js: JavaScript validation is performed. continue: The request is allowed because the signature verification passed. For more information about WAF protection actions, see the Description of the action field in this topic.	block
wxbb_invalid_wua	The reason why the request is considered abnormal based on a rule created for the app protection module. Valid values: wxbb_simulator: A simulator is used. wxbb_proxy: A proxy is used. wxbb_root: A rooted device is used. wxbb_hook: Hooking is used. wxbb_antireplay: The wToken signature string is used. A replay attack may occur. wxbb_virtual: Multi-boxing is configured for WAF SDK-integrated apps. wxbb_debugged: The device is in debug mode. wxbb_invalid_sign: The signature verification failed. The following list describes common causes of this error: The request does not carry a signature. The parameter that is passed to add a signature is different from the parameter received by WAF. For example, the `a= 1&b=2` parameter is passed, but the parameter received by WAF is `b= 2&a=1`. The content of the passed parameter is not encoded, but the content received by WAF is Base64-encoded.	wxbb_invalid_sign
wxbb_rule_id	The ID of the matched rule. The rule is created for the app protection module.	156789
wxbb_test	The protection mode that is used for the client request based on a rule created for the app protection module. Valid values: true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed. false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.	false

Initial	Field
a	Fields related to accounts: account_action \| account_rule_id \| account_test Fields related to access control list (ACL) rules: acl_action \| acl_rule_id \| acl_rule_type \| acl_test Fields related to algorithms: algorithm_action \| algorithm_rule_id \| algorithm_test Fields related to data risk control: antifraud_action \| antifraud_test Fields related to scan protection: antiscan_action \| antiscan_rule_id \| antiscan_rule_type \| antiscan_test
b	Field used to record protection types: block_action Field used to record the number of bytes in the response body: body_bytes_sent Field used to record the IDs of rules that allow requests: bypass_matched_ids
c	Fields related to HTTP flood protection: cc_action \| cc_rule_id \| cc_rule_type \| cc_test Field used to record content types: content_type
d	Fields related to deep learning: deeplearning_action \| deeplearning_rule_id \| deeplearning_rule_type \| deeplearning_test Fields related to data leakage prevention: dlp_action \| dlp_rule_id \| dlp_test Field used to record destination ports: dst_port
f	Fields related to final actions: final_action \| final_plugin \| final_rule_id \| final_rule_type
h	Field used to record Host request headers: host Fields related to HTTP requests: http_cookie \| http_referer \| http_user_agent \| http_x_forwarded_for \| https
i	Fields related to bot threat intelligence: intelligence_action \| intelligence_rule_id \| intelligence_test
m	Field used to record the matched domain names that are added to WAF: matched_host
n	Fields related to positive security models: normalized_action \| normalized_rule_id \| normalized_rule_type \| normalized_test
q	Field used to record query strings: querystring
r	Field used to record the originating IP addresses of clients: real_client_ip Field used to record the region IDs of instances: region Fields related to clients that established connections with WAF: remote_addr \| remote_port Fields related to requests: request_body \| request_length \| request_method \| request_path \| request_time_msec \| request_traceid \| request_uri
s	Fields related to scenario-specific configuration: scene_action \| scene_id \| scene_rule_id \| scene_rule_type \| scene_test Fields related to servers: server_port \| server_protocol Fields related to SSL settings used by clients: ssl_cipher \| ssl_protocol Field used to record HTTP status codes: status Field used to record request exception causes: sigchl_invalid_type Fields used to record IP addresses and ports that are used to connect to WAF: src_port \| src_ip Field used to record the time when requests were initiated: start_time
t	Field used to record the time when requests were initiated: time
u	Fields related to browsers: ua_browser \| ua_browser_family \| ua_browser_type \| ua_browser_version Field used to record client device types: ua_device_type Fields related to operating systems: ua_os \| ua_os_family Fields related to origin servers: upstream_addr \| upstream_response_time \| upstream_status Field used to record account IDs: user_id
w	Fields related to WAF protection: waf_action \| waf_rule_id \| waf_rule_type \| waf_test Fields related to app protection: wxbb_action \| wxbb_invalid_wua \| wxbb_rule_id \| wxbb_test