This document describes the proprietary fields in WAF logs.
Field index
The following table lists the fields available in WAF logs. You can search by field name to find a specific field.
Required fields
The following fields are included in every WAF log entry.
Parameter | Description | Example |
acl_rule_type | The type of the matched rule in the IP address blacklist or custom protection policy (ACL). Valid values:
| custom |
bypass_matched_ids | The ID of the matched allow rule. Allow rules include whitelist rules and custom protection policy rules that are configured with the "Allow" action. If a request matches multiple allow rules, this field contains a comma-separated list of all matched rule IDs. | 283531 |
cc_rule_type | The type of the matched rule in the HTTP flood protection module or a custom protection policy (for HTTP flood protection). Valid values:
| custom |
content_type | The value of the | application/x-www-form-urlencoded |
| The destination port of the request. | 443 |
final_action | The final action that WAF performed on the request. Valid values:
For more information about WAF actions, see WAF actions. This field is omitted if the request does not trigger any protection module, for example, if the request matches an allow rule or the client passes a captcha or JS verification. If a request triggers multiple protection modules at the same time, only the final action performed is logged. The priority of actions from highest to lowest is: block (block) > strict CAPTCHA (captcha_strict) > normal CAPTCHA (captcha) > dynamic token verification (sigchl) > JavaScript challenge (js). | block |
final_plugin | The protection module that performed the final action (
You can configure these protection modules in the WAF console on the page. For more information about these modules, see Overview of website protection configurations. This field is omitted if the request does not trigger any protection module, for example, if the request matches an allow rule or the client passes a captcha or JS verification. If a request simultaneously triggers multiple protection modules, only the protection module corresponding to the final action (final_action) is logged. | waf |
final_rule_id | The ID of the protection rule that WAF finally applies to a client request. The rule is the one that corresponds to final_action. | 115341 |
final_rule_type | The subtype of the protection rule (final_rule_id) that WAF finally applies to a client request. For example, under the | xss/webshell |
host | The value of the | api.example.com |
http_cookie | The value of the | k1=v1;k2=v2 |
http_referer | The value of the If the request contains no source URL information, this field displays | http://example.com |
http_user_agent | The value of the | Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002) |
http_x_forwarded_for | The value of the | 47.100.XX.XX |
https | Indicates whether the request uses HTTPS.
| on |
matched_host | The protected domain name that the request matched. Note WAF supports wildcard domain names. For example, if you add | *.aliyun.com |
real_client_ip | The client's real IP address, as determined by WAF's request analysis. If WAF cannot determine the real client IP (for example, because the request is sent from a proxy server or the IP field in the request header is incorrect), the field displays | 192.0.XX.XX |
request_length | The size of the client request, including the request line, request header, and request body. Unit: byte. | 111111 |
request_method | The HTTP method of the client request. | GET |
request_time_msec | The time WAF takes to process a client request. Unit: millisecond. | 44 |
request_traceid | A unique identifier that WAF generates for the client request. | 7837b11715410386943437009ea1f0 |
request_uri | The request path and query string. | /news/search.php?id=1 |
server_protocol | The protocol used for the connection between the client and WAF. | HTTP/1.1 |
status | The HTTP status code that WAF returns to the client. For example, 200 (indicates a successful request). | 200 |
src_port | The source port of the connection to WAF. If the client connects directly to WAF, this field indicates the client's port. If another Layer 7 proxy (such as a CDN) is deployed in front of WAF, this field indicates the port of the upstream proxy. | 80 |
src_ip | The source IP address of the connection to WAF. If the client connects directly to WAF, this field indicates the client's IP address. If another Layer 7 proxy (such as a CDN) is deployed in front of WAF, this field indicates the IP address of the upstream proxy. | 198.51.XX.XX |
| The time the client request was initiated, as a Unix timestamp. Unit: second. | 1696534058 |
time | The time when the client request is initiated. It is expressed in the ISO 8601 standard and must be in UTC, in the format | 2018-05-02T16:03:59+08:00 |
upstream_addr | The IP address and port of the origin server. The format is | 198.51.XX.XX:443 |
upstream_response_time | The time elapsed from when the origin server responds to WAF's request until WAF forwards the response to the client. Unit: second. | 0.044 |
upstream_status | The HTTP status code that the origin server returns in response to a WAF request to origin. For example, 200 indicates that the request was successful. | 200 |
Optional fields
Optional fields are fields that you can choose to include in WAF logs. WAF records only the optional fields that you have enabled.
Enabling optional fields consumes more storage capacity. If you have sufficient storage capacity, we recommend enabling more optional fields for more comprehensive log analysis. For more information about how to configure optional fields, see Modify log settings.
Parameter | Description | Example |
acl_action | The action taken on a request that matches an IP address blacklist rule or a custom protection policy (access control list (ACL)) rule. Valid values:
For more information about WAF actions, see WAF actions. | block |
acl_rule_id | The ID of the matched IP address blacklist rule or custom protection policy (access control list (ACL)) rule. | 151235 |
acl_test | The protection mode of the matched IP address blacklist rule or custom protection policy (access control list (ACL)) rule. Valid values:
| false |
algorithm_action | The action taken on a request that matches a typical crawler behavior rule. Valid values:
For more information about WAF actions, see WAF actions. | block |
algorithm_rule_id | The ID of the matched typical crawler behavior rule. | 151235 |
algorithm_test | The protection mode of the matched typical crawler behavior rule. Valid values:
| false |
antifraud_action | The action taken on a request that matches a data risk control rule. Valid values:
For more information about WAF actions, see WAF actions. | block |
antifraud_test | The protection mode of the matched data risk control rule. Valid values:
| false |
antiscan_action | The action for the scan protection rule that is matched by a client request. The value can only be block, which blocks the request. For more information about WAF actions, see WAF actions. | block |
antiscan_rule_id | The ID of the matched scan protection rule. | 151235 |
antiscan_rule_type | The type of the matched scan protection rule. Valid values:
| highfreq |
antiscan_test | The protection mode of the matched scan protection rule. Valid values:
| false |
block_action | Important This field is deprecated due to a WAF feature upgrade and is replaced by the new final_plugin field. If you use block_action in your services, replace it with final_plugin as soon as possible. The WAF protection module that triggered the block action. These values map to the values of the
| waf |
body_bytes_sent | The size of the response body, excluding the response header. Unit: bytes. | 1111 |
cc_action | The action taken on a request that matches an HTTP flood protection rule or a custom protection policy (for HTTP flood protection) rule. Valid values:
For more information about WAF actions, see WAF actions. | block |
cc_rule_id | The ID of the matched HTTP flood protection rule or custom protection policy (for HTTP flood protection) rule. | 151234 |
cc_test | The protection mode of the matched HTTP flood protection rule or custom protection policy (for HTTP flood protection) rule. Valid values:
| false |
deeplearning_action | The action that is triggered when a client request matches a deep learning engine rule. The only value is block, which indicates that the request is blocked. For more information about WAF actions, see WAF actions. | block |
deeplearning_rule_id | The ID of the matched deep learning engine rule. | 151238 |
deeplearning_rule_type | The type of the matched deep learning engine rule. Valid values:
| xss |
deeplearning_test | The protection mode of the matched deep learning engine rule. Valid values:
| false |
dlp_action | The action taken on a request that matches a data leakage prevention (DLP) rule. Valid values:
For more information about WAF actions, see WAF actions. | mask |
dlp_rule_id | The ID of the matched data leakage prevention (DLP) rule. | 151245 |
dlp_test | The protection mode of the matched data leakage prevention (DLP) rule. Valid values:
| false |
intelligence_action | The action taken on a request that matches a bot threat intelligence rule. Valid values:
For more information about WAF actions, see WAF actions. | block |
intelligence_rule_id | The ID of the matched bot threat intelligence rule. | 152234 |
intelligence_test | The protection mode of the matched bot threat intelligence rule. Valid values:
| false |
normalized_action | The action taken on a request that matches a positive security model rule. Valid values:
For more information about WAF actions, see WAF actions. | block |
normalized_rule_id | The ID of the matched positive security model rule. | 151266 |
normalized_rule_type | The component of the request that matched a positive security model rule, indicating a deviation from the established baseline. Valid values:
| User-Agent |
normalized_test | The protection mode of the matched positive security model rule. Valid values:
| false |
querystring | The query string of the request URL, which is the part after the question mark (?). | title=tm_content%3Darticle&pid=123 |
region | The ID of the region where the WAF instance is deployed. Valid values:
| cn |
remote_addr | The source IP address of the connection to WAF. If a client connects to WAF directly, this field indicates the client IP address. If a Layer 7 proxy, such as a Content Delivery Network (CDN) instance, is deployed in front of WAF, this field indicates the IP address of the proxy. | 198.51.XX.XX |
remote_port | The source port of the connection to WAF. If a client connects to WAF directly, this field indicates the client port. If a Layer 7 proxy, such as a CDN instance, is deployed in front of WAF, this field indicates the port of the proxy. | 80 |
request_body | The request body. | i am the request body, encrypted or not! |
request_path | The path of the request URL, which is the part after the domain name and before the question mark (?). | /news/search.php |
scene_action | The action taken on a request that matches a scenario-specific configuration rule. Valid values:
For more information about WAF actions, see WAF actions. | block |
scene_id | The scenario ID of the matched scenario-specific configuration rule. | 151235 |
scene_rule_id | The ID of the matched scenario-specific configuration rule. | 153678 |
scene_rule_type | The type of the matched scenario-specific configuration rule. Valid values:
| bot_aialgo |
sigchl_invalid_type | The reason a request was flagged as anomalous during a dynamic token authentication challenge. Valid values:
| sigchl_invalid_sig |
scene_test | The protection mode of the matched scenario-specific configuration rule. Valid values:
| false |
server_port | The WAF port that received the request. | 443 |
ssl_cipher | The cipher suite that is used by the client request. | ECDHE-RSA-AES128-GCM-SHA256 |
ssl_protocol | The SSL/TLS protocol and version that are used by the client request. | TLSv1.2 |
ua_browser | The name of the browser that sent the request. Important This field has not been supported in WAF logs since December 15, 2021 (the field is not recorded in WAF logs even if you enable this optional field in Log Settings). We recommend that you use the http_user_agent (required field) to obtain User-Agent information for client requests. | ie9 |
ua_browser_family | The family of the browser that sent the request. Important WAF logs have not supported this field since December 15, 2021. (Even if you enable this optional field in Log Settings, the field is not recorded in WAF logs). We recommend that you use the http_user_agent field (a required field) to obtain the User-Agent information of client requests. | internet explorer |
ua_browser_type | The type of the browser that sent the request. Important WAF logs have not supported this field since December 15, 2021. Even if you enable this optional field in Log Settings, the field is not recorded in WAF logs. We recommend that you use the http_user_agent field (a required field) to obtain the User-Agent of client requests. | web_browser |
ua_browser_version | The version of the browser that sent the request. Important This field is no longer supported in WAF logs as of December 15, 2021. Even if you enable this optional field in Log Settings, the field is not recorded in WAF logs. We recommend that you use the http_user_agent field (a required field) to obtain User-Agent information from client requests. | 9.0 |
ua_device_type | The device type of the client that sent the request. Important WAF logs have not supported this field since December 15, 2021 (even if you enable this optional field in Log Settings, the field is not recorded in WAF logs). We recommend that you use the http_user_agent (required field) to obtain information about the User-Agent from client requests. | computer |
ua_os | The operating system of the client that sent the request. Important Support for this field in WAF logs was discontinued on December 15, 2021. Even if you enable this optional field in Log Settings, the field is not recorded in WAF logs. We recommend that you use the http_user_agent field (a required field) to obtain User-Agent information from client requests. | windows_7 |
ua_os_family | The operating system family of the client that sent the request. Important As of December 15, 2021, this field is deprecated and is no longer recorded in WAF logs, even if you enable it as an optional field in Log Settings. We recommend that you obtain User-Agent information for client requests from the http_user_agent field, which is a required field. | windows |
user_id | The ID of the Alibaba Cloud account that owns the WAF instance. | 17045741******** |
waf_action | The action that is taken when a client request matches a rule in the protection rules engine. The value can only be block, which means to block the request. For more information about WAF actions, see WAF actions. | block |
waf_rule_id | The ID of the matched protection rules engine rule. | 113406 |
waf_rule_type | The type of the matched protection rules engine rule. Valid values:
| xss |
waf_test | The protection mode of the matched protection rules engine rule. Valid values:
| false |
wxbb_action | The action taken on a request that matches an app protection rule. Valid values:
For more information about WAF actions, see WAF actions. | block |
wxbb_invalid_wua | The reason an app protection rule flagged a request as anomalous. Valid values:
| wxbb_invalid_sign |
wxbb_rule_id | The ID of the matched app protection rule. | 156789 |
wxbb_test | The protection mode of the matched app protection rule. Valid values:
| false |