These query statements are pre-built for use with Log Service for WAF. Copy any statement into an alert rule or log chart to monitor the corresponding metric.
You can click a metric to view the corresponding query statement. For more information about the metrics, see Common monitoring metrics.
Query structure
All statements share the same structure:
- Start with `* |`: a wildcard search that selects all log entries, followed by a SQL analytics block.
- Group results by `user_id` and `host` (domain name).
- Apply `WHERE countall > 120` to keep only domain names with more than 120 requests in the window, which removes low-traffic hosts from the results.
- Use `countall / 60` to compute average QPS (queries per second).
- Return the top 5 domain names ordered by the target metric.
WAF-specific log fields
Some queries filter on WAF log fields that are not standard HTTP fields:
| Field | Description | Values |
|---|---|---|
| final_plugin | The WAF protection module that made the final decision on the request | cc (HTTP flood protection), acl (access control rules), antifraud (data risk control) |
| waf_action | The action taken by WAF | block |
Latency monitoring
request_time_msec
The duration between the time when the client sends a request and the time when the client receives a response.
* |
SELECT
user_id,
host,
round(
round(request_time_cnt * 1.0000 / countall, 4) * 100,
2
) AS percent
FROM (
SELECT
user_id,
host,
count_if(request_time_msec > 500) AS request_time_cnt,
COUNT(*) AS countall
FROM log
GROUP BY
user_id,
host
)
GROUP BY
user_id,
host,
percent
upstream_response_time
The duration between the time when WAF forwards a request to the origin server and the time when the origin server returns data.
* |
SELECT
user_id,
host,
round(
round(
upstream_response_time_cnt * 1.0000 / countall,
4
) * 100,
2
) AS percent
FROM (
SELECT
user_id,
host,
count_if(upstream_response_time > 500) AS upstream_response_time_cnt,
COUNT(*) AS countall
FROM log
GROUP BY
user_id,
host
)
GROUP BY
user_id,
host,
percent
Status code monitoring
The following queries return a full status code breakdown per domain name, ordered by the percentage of the target status code. All computed rate columns use round(round(status_N * 1.0000 / countall, 4) * 100, 2) to produce a percentage rounded to two decimal places.
status:200
The server has processed the request and returned the requested data.
* |
SELECT
user_id,
host AS "Domain name",
Rate_200 AS "Percentage of 200 status code",
Rate_302 AS "Percentage of 302 status code",
Rate_404 AS "Percentage of 404 status code",
Rate_405 AS "Percentage of 405 status code",
Rate_444 AS "Percentage of 444 status code",
Rate_499 AS "Percentage of 499 status code",
Rate_500 AS "Percentage of 500 status code",
Rate_502 AS "Percentage of 502 status code",
Rate_503 AS "Percentage of 503 status code",
Rate_504 AS "Percentage of 504 status code",
countall / 60 AS "aveQPS",
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM (
SELECT
user_id,
host,
round(
round(status_200 * 1.0000 / countall, 4) * 100,
2
) AS Rate_200,
round(
round(status_302 * 1.0000 / countall, 4) * 100,
2
) AS Rate_302,
round(
round (status_404 * 1.0000 / countall, 4) * 100,
2
) AS Rate_404,
round(
round (status_405 * 1.0000 / countall, 4) * 100,
2
) AS Rate_405,
round(
round (status_444 * 1.0000 / countall, 4) * 100,
2
) AS Rate_444,
round(
round (status_499 * 1.0000 / countall, 4) * 100,
2
) AS Rate_499,
round(
round(status_500 * 1.0000 / countall, 4) * 100,
2
) AS Rate_500,
round(
round(status_502 * 1.0000 / countall, 4) * 100,
2
) AS Rate_502,
round(
round(status_503 * 1.0000 / countall, 4) * 100,
2
) AS Rate_503,
round(
round(status_504 * 1.0000 / countall, 4) * 100,
2
) AS Rate_504,
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM (
SELECT
user_id,
host,
count_if(status = 200) AS status_200,
count_if(status = 302) AS status_302,
count_if(status = 404) AS status_404,
count_if(status = 405) AS status_405,
count_if(status = 444) AS status_444,
count_if(status = 499) AS status_499,
count_if(status = 500) AS status_500,
count_if(status = 502) AS status_502,
count_if(status = 503) AS status_503,
count_if(status = 504) AS status_504,
COUNT(*) AS countall
FROM log
GROUP BY
user_id,
host
)
)
WHERE
countall > 120
ORDER BY
Rate_200 DESC
LIMIT
5
status:404
The server failed to find the requested resources.
* |
SELECT
user_id,
host AS "Domain name",
Rate_200 AS "Percentage of 200 status code",
Rate_302 AS "Percentage of 302 status code",
Rate_404 AS "Percentage of 404 status code",
Rate_405 AS "Percentage of 405 status code",
Rate_500 AS "Percentage of 500 status code",
Rate_502 AS "Percentage of 502 status code",
Rate_503 AS "Percentage of 503 status code",
Rate_504 AS "Percentage of 504 status code",
countall / 60 AS "aveQPS",
status_200,
status_302,
status_404,
status_405,
status_500,
status_502,
status_503,
status_504,
countall
FROM (
SELECT
user_id,
host,
round(
round(status_200 * 1.0000 / countall, 4) * 100,
2
) AS Rate_200,
round(
round(status_302 * 1.0000 / countall, 4) * 100,
2
) AS Rate_302,
round(
round (status_404 * 1.0000 / countall, 4) * 100,
2
) AS Rate_404,
round(
round (status_405 * 1.0000 / countall, 4) * 100,
2
) AS Rate_405,
round(
round(status_500 * 1.0000 / countall, 4) * 100,
2
) AS Rate_500,
round(
round(status_502 * 1.0000 / countall, 4) * 100,
2
) AS Rate_502,
round(
round(status_503 * 1.0000 / countall, 4) * 100,
2
) AS Rate_503,
round(
round(status_504 * 1.0000 / countall, 4) * 100,
2
) AS Rate_504,
status_200,
status_302,
status_404,
status_405,
status_500,
status_502,
status_503,
status_504,
countall
FROM (
SELECT
user_id,
host,
count_if(status = 200) AS status_200,
count_if(status = 302) AS status_302,
count_if(status = 404) AS status_404,
count_if(status = 405) AS status_405,
count_if(status = 499) AS status_499,
count_if(status = 500) AS status_500,
count_if(status = 502) AS status_502,
count_if(status = 503) AS status_503,
count_if(status = 504) AS status_504,
COUNT(*) AS countall
FROM log
GROUP BY
user_id,
host
)
)
WHERE
countall > 120
ORDER BY
Rate_404 DESC
LIMIT
5
status:499
The requested data is not returned because the connection timed out and the client closed the connection. The server returns the 499 status code to the client.
* |
SELECT
user_id,
host AS "Domain name",
Rate_200 AS "Percentage of 200 status code",
Rate_302 AS "Percentage of 302 status code",
Rate_404 AS "Percentage of 404 status code",
Rate_405 AS "Percentage of 405 status code",
Rate_444 AS "Percentage of 444 status code",
Rate_499 AS "Percentage of 499 status code",
Rate_500 AS "Percentage of 500 status code",
Rate_502 AS "Percentage of 502 status code",
Rate_503 AS "Percentage of 503 status code",
Rate_504 AS "Percentage of 504 status code",
countall / 60 AS "aveQPS",
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM(
SELECT
user_id,
host,
round(
round(status_200 * 1.0000 / countall, 4) * 100,
2
) AS Rate_200,
round(
round(status_302 * 1.0000 / countall, 4) * 100,
2
) AS Rate_302,
round(
round (status_404 * 1.0000 / countall, 4) * 100,
2
) AS Rate_404,
round(
round (status_405 * 1.0000 / countall, 4) * 100,
2
) AS Rate_405,
round(
round (status_444 * 1.0000 / countall, 4) * 100,
2
) AS Rate_444,
round(
round (status_499 * 1.0000 / countall, 4) * 100,
2
) AS Rate_499,
round(
round(status_500 * 1.0000 / countall, 4) * 100,
2
) AS Rate_500,
round(
round(status_502 * 1.0000 / countall, 4) * 100,
2
) AS Rate_502,
round(
round(status_503 * 1.0000 / countall, 4) * 100,
2
) AS Rate_503,
round(
round(status_504 * 1.0000 / countall, 4) * 100,
2
) AS Rate_504,
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM (
SELECT
user_id,
host,
count_if(status = 200) AS status_200,
count_if(status = 302) AS status_302,
count_if(status = 404) AS status_404,
count_if(status = 405) AS status_405,
count_if(status = 444) AS status_444,
count_if(status = 499) AS status_499,
count_if(status = 500) AS status_500,
count_if(status = 502) AS status_502,
count_if(status = 503) AS status_503,
count_if(status = 504) AS status_504,
COUNT(*) AS countall
FROM log
GROUP BY
user_id,
host
)
)
WHERE
countall > 120
ORDER BY
Rate_499 DESC
LIMIT
5
status:500
The server failed to process the request because an internal error occurred on the server.
* |
SELECT
user_id,
host AS "Domain name",
Rate_200 AS "Percentage of 200 status code",
Rate_302 AS "Percentage of 302 status code",
Rate_404 AS "Percentage of 404 status code",
Rate_405 AS "Percentage of 405 status code",
Rate_444 AS "Percentage of 444 status code",
Rate_499 AS "Percentage of 499 status code",
Rate_500 AS "Percentage of 500 status code",
Rate_502 AS "Percentage of 502 status code",
Rate_503 AS "Percentage of 503 status code",
Rate_504 AS "Percentage of 504 status code",
countall / 60 AS "aveQPS",
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM(
SELECT
user_id,
host,
round(
round(status_200 * 1.0000 / countall, 4) * 100,
2
) AS Rate_200,
round(
round(status_302 * 1.0000 / countall, 4) * 100,
2
) AS Rate_302,
round(
round (status_404 * 1.0000 / countall, 4) * 100,
2
) AS Rate_404,
round(
round (status_405 * 1.0000 / countall, 4) * 100,
2
) AS Rate_405,
round(
round (status_444 * 1.0000 / countall, 4) * 100,
2
) AS Rate_444,
round(
round (status_499 * 1.0000 / countall, 4) * 100,
2
) AS Rate_499,
round(
round(status_500 * 1.0000 / countall, 4) * 100,
2
) AS Rate_500,
round(
round(status_502 * 1.0000 / countall, 4) * 100,
2
) AS Rate_502,
round(
round(status_503 * 1.0000 / countall, 4) * 100,
2
) AS Rate_503,
round(
round(status_504 * 1.0000 / countall, 4) * 100,
2
) AS Rate_504,
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM (
SELECT
user_id,
host,
count_if(status = 200) AS status_200,
count_if(status = 302) AS status_302,
count_if(status = 404) AS status_404,
count_if(status = 405) AS status_405,
count_if(status = 444) AS status_444,
count_if(status = 499) AS status_499,
count_if(status = 500) AS status_500,
count_if(status = 502) AS status_502,
count_if(status = 503) AS status_503,
count_if(status = 504) AS status_504,
COUNT(*) AS countall
FROM log
GROUP BY
user_id,
host
)
)
WHERE
countall > 120
ORDER BY
Rate_500 DESC
LIMIT
5
status:502
The server is used as a gateway or a proxy and receives an invalid response from the upstream server. The origin server does not respond because the back-to-origin network is unstable or the back-to-origin IP address is blocked.
* |
SELECT
user_id,
host AS "Domain name",
Rate_200 AS "Percentage of 200 status code",
Rate_302 AS "Percentage of 302 status code",
Rate_404 AS "Percentage of 404 status code",
Rate_405 AS "Percentage of 405 status code",
Rate_444 AS "Percentage of 444 status code",
Rate_499 AS "Percentage of 499 status code",
Rate_500 AS "Percentage of 500 status code",
Rate_502 AS "Percentage of 502 status code",
Rate_503 AS "Percentage of 503 status code",
Rate_504 AS "Percentage of 504 status code",
countall / 60 AS "aveQPS",
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM(
SELECT
user_id,
host,
round(
round(status_200 * 1.0000 / countall, 4) * 100,
2
) AS Rate_200,
round(
round(status_302 * 1.0000 / countall, 4) * 100,
2
) AS Rate_302,
round(
round (status_404 * 1.0000 / countall, 4) * 100,
2
) AS Rate_404,
round(
round (status_405 * 1.0000 / countall, 4) * 100,
2
) AS Rate_405,
round(
round (status_444 * 1.0000 / countall, 4) * 100,
2
) AS Rate_444,
round(
round (status_499 * 1.0000 / countall, 4) * 100,
2
) AS Rate_499,
round(
round(status_500 * 1.0000 / countall, 4) * 100,
2
) AS Rate_500,
round(
round(status_502 * 1.0000 / countall, 4) * 100,
2
) AS Rate_502,
round(
round(status_503 * 1.0000 / countall, 4) * 100,
2
) AS Rate_503,
round(
round(status_504 * 1.0000 / countall, 4) * 100,
2
) AS Rate_504,
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM (
SELECT
user_id,
host,
count_if(status = 200) AS status_200,
count_if(status = 302) AS status_302,
count_if(status = 404) AS status_404,
count_if(status = 405) AS status_405,
count_if(status = 444) AS status_444,
count_if(status = 499) AS status_499,
count_if(status = 500) AS status_500,
count_if(status = 502) AS status_502,
count_if(status = 503) AS status_503,
count_if(status = 504) AS status_504,
COUNT(*) AS countall
FROM log
GROUP BY
user_id,
host
)
)
WHERE
countall > 120
ORDER BY
Rate_502 DESC
LIMIT
5
status:503
The service is unavailable because the server is overloaded or being maintained.
* |
SELECT
user_id,
host AS "Domain name",
Rate_200 AS "Percentage of 200 status code",
Rate_302 AS "Percentage of 302 status code",
Rate_404 AS "Percentage of 404 status code",
Rate_405 AS "Percentage of 405 status code",
Rate_444 AS "Percentage of 444 status code",
Rate_499 AS "Percentage of 499 status code",
Rate_500 AS "Percentage of 500 status code",
Rate_502 AS "Percentage of 502 status code",
Rate_503 AS "Percentage of 503 status code",
Rate_504 AS "Percentage of 504 status code",
countall / 60 AS "aveQPS",
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM(
SELECT
user_id,
host,
round(
round(status_200 * 1.0000 / countall, 4) * 100,
2
) AS Rate_200,
round(
round(status_302 * 1.0000 / countall, 4) * 100,
2
) AS Rate_302,
round(
round (status_404 * 1.0000 / countall, 4) * 100,
2
) AS Rate_404,
round(
round (status_405 * 1.0000 / countall, 4) * 100,
2
) AS Rate_405,
round(
round (status_444 * 1.0000 / countall, 4) * 100,
2
) AS Rate_444,
round(
round (status_499 * 1.0000 / countall, 4) * 100,
2
) AS Rate_499,
round(
round(status_500 * 1.0000 / countall, 4) * 100,
2
) AS Rate_500,
round(
round(status_502 * 1.0000 / countall, 4) * 100,
2
) AS Rate_502,
round(
round(status_503 * 1.0000 / countall, 4) * 100,
2
) AS Rate_503,
round(
round(status_504 * 1.0000 / countall, 4) * 100,
2
) AS Rate_504,
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM (
SELECT
user_id,
host,
count_if(status = 200) AS status_200,
count_if(status = 302) AS status_302,
count_if(status = 404) AS status_404,
count_if(status = 405) AS status_405,
count_if(status = 444) AS status_444,
count_if(status = 499) AS status_499,
count_if(status = 500) AS status_500,
count_if(status = 502) AS status_502,
count_if(status = 503) AS status_503,
count_if(status = 504) AS status_504,
COUNT(*) AS countall
FROM log
GROUP BY
user_id,
host
)
)
WHERE
countall > 120
ORDER BY
Rate_503 DESC
LIMIT
5
status:504
The server is used as a gateway or a proxy and does not receive a response from the upstream server in time.
* |
SELECT
user_id,
host AS "Domain name",
Rate_200 AS "Percentage of 200 status code",
Rate_302 AS "Percentage of 302 status code",
Rate_404 AS "Percentage of 404 status code",
Rate_405 AS "Percentage of 405 status code",
Rate_444 AS "Percentage of 444 status code",
Rate_499 AS "Percentage of 499 status code",
Rate_500 AS "Percentage of 500 status code",
Rate_502 AS "Percentage of 502 status code",
Rate_503 AS "Percentage of 503 status code",
Rate_504 AS "Percentage of 504 status code",
countall / 60 AS "aveQPS",
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM(
SELECT
user_id,
host,
round(
round(status_200 * 1.0000 / countall, 4) * 100,
2
) AS Rate_200,
round(
round(status_302 * 1.0000 / countall, 4) * 100,
2
) AS Rate_302,
round(
round (status_404 * 1.0000 / countall, 4) * 100,
2
) AS Rate_404,
round(
round (status_405 * 1.0000 / countall, 4) * 100,
2
) AS Rate_405,
round(
round (status_444 * 1.0000 / countall, 4) * 100,
2
) AS Rate_444,
round(
round (status_499 * 1.0000 / countall, 4) * 100,
2
) AS Rate_499,
round(
round(status_500 * 1.0000 / countall, 4) * 100,
2
) AS Rate_500,
round(
round(status_502 * 1.0000 / countall, 4) * 100,
2
) AS Rate_502,
round(
round(status_503 * 1.0000 / countall, 4) * 100,
2
) AS Rate_503,
round(
round(status_504 * 1.0000 / countall, 4) * 100,
2
) AS Rate_504,
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM (
SELECT
user_id,
host,
count_if(status = 200) AS status_200,
count_if(status = 302) AS status_302,
count_if(status = 404) AS status_404,
count_if(status = 405) AS status_405,
count_if(status = 444) AS status_444,
count_if(status = 499) AS status_499,
count_if(status = 500) AS status_500,
count_if(status = 502) AS status_502,
count_if(status = 503) AS status_503,
count_if(status = 504) AS status_504,
COUNT(*) AS countall
FROM log
GROUP BY
user_id,
host
)
)
WHERE
countall > 120
ORDER BY
Rate_504 DESC
LIMIT
5
WAF protection monitoring
The following queries filter on WAF-specific fields (final_plugin and waf_action) to surface requests that WAF acted on. Use them to monitor the volume and rate of blocked traffic per domain name.
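The per-module conditions used by the queries in this section can also be combined into one statement for a single alert rule or chart. The following is an added example, not one of the pre-built statements: the column aliases (cc_challenge, antifraud_block, rules_engine_block, acl_block, cc_block, waf_acted, acted_rate) are hypothetical names, and waf_acted uses OR so that a request matching more than one condition is counted once. The `--` comments are annotations; remove them if your query editor does not accept comments.

```sql
* |
SELECT
  user_id,
  host AS "Domain name",
  -- Share of all requests that any WAF protection module acted on,
  -- using the same two-step rounding as the pre-built statements.
  round(round(waf_acted * 1.0000 / countall, 4) * 100, 2) AS acted_rate,
  round(round(cc_challenge * 1.0000 / countall, 4) * 100, 2) AS cc_challenge_rate,
  round(round(antifraud_block * 1.0000 / countall, 4) * 100, 2) AS antifraud_rate,
  round(round(rules_engine_block * 1.0000 / countall, 4) * 100, 2) AS rules_engine_rate,
  round(round(acl_block * 1.0000 / countall, 4) * 100, 2) AS acl_rate,
  round(round(cc_block * 1.0000 / countall, 4) * 100, 2) AS cc_block_rate,
  countall / 60 AS "aveQPS",
  waf_acted,
  countall
FROM (
  SELECT
    user_id,
    host,
    -- JavaScript CAPTCHA validation triggered (status 302 or 200, final_plugin 'cc')
    count_if(status IN (200, 302) AND final_plugin = 'cc') AS cc_challenge,
    -- Blocked by data risk control rules
    count_if(status = 200 AND final_plugin = 'antifraud') AS antifraud_block,
    -- Blocked by the Protection Rules Engine
    count_if(status = 405 AND waf_action = 'block') AS rules_engine_block,
    -- Blocked by the blacklist or custom access control rules
    count_if(status = 405 AND final_plugin = 'acl') AS acl_block,
    -- Blocked by HTTP flood protection rules
    count_if(status = 444) AS cc_block,
    -- Union of the conditions above; OR avoids counting a request twice
    count_if(
      (status IN (200, 302) AND final_plugin = 'cc')
      OR (status = 200 AND final_plugin = 'antifraud')
      OR (status = 405 AND (waf_action = 'block' OR final_plugin = 'acl'))
      OR status = 444
    ) AS waf_acted,
    COUNT(*) AS countall
  FROM log
  GROUP BY
    user_id,
    host
)
WHERE
  countall > 120
ORDER BY
  acted_rate DESC
LIMIT
  5
```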
status:302 or 200 and final_plugin:'cc'
JavaScript CAPTCHA validation is triggered.
* |
SELECT
user_id,
host AS "Domain name",
Rate_200 AS "Percentage of 200 status code",
Rate_302 AS "Percentage of 302 status code",
Rate_404 AS "Percentage of 404 status code",
Rate_405 AS "Percentage of 405 status code",
Rate_444 AS "Percentage of 444 status code",
Rate_499 AS "Percentage of 499 status code",
Rate_500 AS "Percentage of 500 status code",
Rate_502 AS "Percentage of 502 status code",
Rate_503 AS "Percentage of 503 status code",
Rate_504 AS "Percentage of 504 status code",
countall / 60 AS "aveQPS",
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM (
SELECT
user_id,
host,
round(
round(status_200 * 1.0000 / countall, 4) * 100,
2
) AS Rate_200,
round(
round(status_302 * 1.0000 / countall, 4) * 100,
2
) AS Rate_302,
round(
round (status_404 * 1.0000 / countall, 4) * 100,
2
) AS Rate_404,
round(
round (status_405 * 1.0000 / countall, 4) * 100,
2
) AS Rate_405,
round(
round (status_444 * 1.0000 / countall, 4) * 100,
2
) AS Rate_444,
round(
round (status_499 * 1.0000 / countall, 4) * 100,
2
) AS Rate_499,
round(
round(status_500 * 1.0000 / countall, 4) * 100,
2
) AS Rate_500,
round(
round(status_502 * 1.0000 / countall, 4) * 100,
2
) AS Rate_502,
round(
round(status_503 * 1.0000 / countall, 4) * 100,
2
) AS Rate_503,
round(
round(status_504 * 1.0000 / countall, 4) * 100,
2
) AS Rate_504,
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM (
SELECT
user_id,
host,
count_if(
status = 200
AND final_plugin = 'cc'
) AS status_200,
count_if(
status = 302
AND final_plugin = 'cc'
) AS status_302,
count_if(status = 404) AS status_404,
count_if(status = 405) AS status_405,
count_if(status = 444) AS status_444,
count_if(status = 499) AS status_499,
count_if(status = 500) AS status_500,
count_if(status = 502) AS status_502,
count_if(status = 503) AS status_503,
count_if(status = 504) AS status_504,
COUNT(*) AS countall
FROM log
GROUP BY
user_id,
host
)
)
WHERE
countall > 120
ORDER BY
Rate_200 DESC
LIMIT
5
status:200 and final_plugin:'antifraud'
The request is blocked by data risk control rules.
* |
SELECT
user_id,
host AS "Domain name",
Rate_200 AS "Percentage of 200 status code",
Rate_302 AS "Percentage of 302 status code",
Rate_404 AS "Percentage of 404 status code",
Rate_405 AS "Percentage of 405 status code",
Rate_444 AS "Percentage of 444 status code",
Rate_499 AS "Percentage of 499 status code",
Rate_500 AS "Percentage of 500 status code",
Rate_502 AS "Percentage of 502 status code",
Rate_503 AS "Percentage of 503 status code",
Rate_504 AS "Percentage of 504 status code",
countall / 60 AS "aveQPS",
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM (
SELECT
user_id,
host,
round(
round(status_200 * 1.0000 / countall, 4) * 100,
2
) AS Rate_200,
round(
round(status_302 * 1.0000 / countall, 4) * 100,
2
) AS Rate_302,
round(
round (status_404 * 1.0000 / countall, 4) * 100,
2
) AS Rate_404,
round(
round (status_405 * 1.0000 / countall, 4) * 100,
2
) AS Rate_405,
round(
round (status_444 * 1.0000 / countall, 4) * 100,
2
) AS Rate_444,
round(
round (status_499 * 1.0000 / countall, 4) * 100,
2
) AS Rate_499,
round(
round(status_500 * 1.0000 / countall, 4) * 100,
2
) AS Rate_500,
round(
round(status_502 * 1.0000 / countall, 4) * 100,
2
) AS Rate_502,
round(
round(status_503 * 1.0000 / countall, 4) * 100,
2
) AS Rate_503,
round(
round(status_504 * 1.0000 / countall, 4) * 100,
2
) AS Rate_504,
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM (
SELECT
user_id,
host,
count_if(
status = 200
AND final_plugin = 'antifraud'
) AS status_200,
count_if(status = 302) AS status_302,
count_if(status = 404) AS status_404,
count_if(status = 405) AS status_405,
count_if(status = 444) AS status_444,
count_if(status = 499) AS status_499,
count_if(status = 500) AS status_500,
count_if(status = 502) AS status_502,
count_if(status = 503) AS status_503,
count_if(status = 504) AS status_504,
COUNT(*) AS countall
FROM log
GROUP BY
user_id,
host
)
)
WHERE
countall > 120
ORDER BY
Rate_200 DESC
LIMIT
5
status:405 and waf_action:'block'
The request is blocked by the Protection Rules Engine.
This query counts status 405 responses where waf_action = 'block', which indicates that the Protection Rules Engine explicitly blocked the request.
* |
SELECT
user_id,
host AS "Domain name",
Rate_200 AS "Percentage of 200 status code",
Rate_302 AS "Percentage of 302 status code",
Rate_404 AS "Percentage of 404 status code",
Rate_405 AS "Percentage of 405 status code",
Rate_444 AS "Percentage of 444 status code",
Rate_499 AS "Percentage of 499 status code",
Rate_500 AS "Percentage of 500 status code",
Rate_502 AS "Percentage of 502 status code",
Rate_503 AS "Percentage of 503 status code",
Rate_504 AS "Percentage of 504 status code",
countall / 60 AS "aveQPS",
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM(
SELECT
user_id,
host,
round(
round(status_200 * 1.0000 / countall, 4) * 100,
2
) AS Rate_200,
round(
round(status_302 * 1.0000 / countall, 4) * 100,
2
) AS Rate_302,
round(
round (status_404 * 1.0000 / countall, 4) * 100,
2
) AS Rate_404,
round(
round (status_405 * 1.0000 / countall, 4) * 100,
2
) AS Rate_405,
round(
round (status_444 * 1.0000 / countall, 4) * 100,
2
) AS Rate_444,
round(
round (status_499 * 1.0000 / countall, 4) * 100,
2
) AS Rate_499,
round(
round(status_500 * 1.0000 / countall, 4) * 100,
2
) AS Rate_500,
round(
round(status_502 * 1.0000 / countall, 4) * 100,
2
) AS Rate_502,
round(
round(status_503 * 1.0000 / countall, 4) * 100,
2
) AS Rate_503,
round(
round(status_504 * 1.0000 / countall, 4) * 100,
2
) AS Rate_504,
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM (
SELECT
user_id,
host,
count_if(status = 200) AS status_200,
count_if(status = 302) AS status_302,
count_if(status = 404) AS status_404,
count_if(
status = 405
AND waf_action = 'block'
) AS status_405,
count_if(status = 444) AS status_444,
count_if(status = 499) AS status_499,
count_if(status = 500) AS status_500,
count_if(status = 502) AS status_502,
count_if(status = 503) AS status_503,
count_if(status = 504) AS status_504,
COUNT(*) AS countall
FROM log
GROUP BY
user_id,
host
)
)
WHERE
countall > 120
ORDER BY
Rate_405 DESC
LIMIT
5
status:405 and final_plugin:'acl'
The request is blocked by the blacklist or custom access control rules.
This query counts status 405 responses where final_plugin = 'acl', which indicates that an access control list (ACL) rule — such as a blacklist or custom access control rule — blocked the request.
* |
SELECT
user_id,
host AS "Domain name",
Rate_200 AS "Percentage of 200 status code",
Rate_302 AS "Percentage of 302 status code",
Rate_404 AS "Percentage of 404 status code",
Rate_405 AS "Percentage of 405 status code",
Rate_444 AS "Percentage of 444 status code",
Rate_499 AS "Percentage of 499 status code",
Rate_500 AS "Percentage of 500 status code",
Rate_502 AS "Percentage of 502 status code",
Rate_503 AS "Percentage of 503 status code",
Rate_504 AS "Percentage of 504 status code",
countall / 60 AS "aveQPS",
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM(
SELECT
user_id,
host,
round(
round(status_200 * 1.0000 / countall, 4) * 100,
2
) AS Rate_200,
round(
round(status_302 * 1.0000 / countall, 4) * 100,
2
) AS Rate_302,
round(
round (status_404 * 1.0000 / countall, 4) * 100,
2
) AS Rate_404,
round(
round (status_405 * 1.0000 / countall, 4) * 100,
2
) AS Rate_405,
round(
round (status_444 * 1.0000 / countall, 4) * 100,
2
) AS Rate_444,
round(
round (status_499 * 1.0000 / countall, 4) * 100,
2
) AS Rate_499,
round(
round(status_500 * 1.0000 / countall, 4) * 100,
2
) AS Rate_500,
round(
round(status_502 * 1.0000 / countall, 4) * 100,
2
) AS Rate_502,
round(
round(status_503 * 1.0000 / countall, 4) * 100,
2
) AS Rate_503,
round(
round(status_504 * 1.0000 / countall, 4) * 100,
2
) AS Rate_504,
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM (
SELECT
user_id,
host,
count_if(status = 200) AS status_200,
count_if(status = 302) AS status_302,
count_if(status = 404) AS status_404,
count_if(
status = 405
AND final_plugin = 'acl'
) AS status_405,
count_if(status = 444) AS status_444,
count_if(status = 499) AS status_499,
count_if(status = 500) AS status_500,
count_if(status = 502) AS status_502,
count_if(status = 503) AS status_503,
count_if(status = 504) AS status_504,
COUNT(*) AS countall
FROM log
GROUP BY
user_id,
host
)
)
WHERE
countall > 120
ORDER BY
Rate_405 DESC
LIMIT
5
status:444
The request is blocked by HTTP flood protection rules.
* |
SELECT
user_id,
host AS "Domain name",
Rate_200 AS "Percentage of 200 status code",
Rate_302 AS "Percentage of 302 status code",
Rate_404 AS "Percentage of 404 status code",
Rate_405 AS "Percentage of 405 status code",
Rate_444 AS "Percentage of 444 status code",
Rate_499 AS "Percentage of 499 status code",
Rate_500 AS "Percentage of 500 status code",
Rate_502 AS "Percentage of 502 status code",
Rate_503 AS "Percentage of 503 status code",
Rate_504 AS "Percentage of 504 status code",
countall / 60 AS "aveQPS",
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM(
SELECT
user_id,
host,
round(
round(status_200 * 1.0000 / countall, 4) * 100,
2
) AS Rate_200,
round(
round(status_302 * 1.0000 / countall, 4) * 100,
2
) AS Rate_302,
round(
round (status_404 * 1.0000 / countall, 4) * 100,
2
) AS Rate_404,
round(
round (status_405 * 1.0000 / countall, 4) * 100,
2
) AS Rate_405,
round(
round (status_444 * 1.0000 / countall, 4) * 100,
2
) AS Rate_444,
round(
round (status_499 * 1.0000 / countall, 4) * 100,
2
) AS Rate_499,
round(
round(status_500 * 1.0000 / countall, 4) * 100,
2
) AS Rate_500,
round(
round(status_502 * 1.0000 / countall, 4) * 100,
2
) AS Rate_502,
round(
round(status_503 * 1.0000 / countall, 4) * 100,
2
) AS Rate_503,
round(
round(status_504 * 1.0000 / countall, 4) * 100,
2
) AS Rate_504,
status_200,
status_302,
status_404,
status_405,
status_444,
status_499,
status_500,
status_502,
status_503,
status_504,
countall
FROM (
SELECT
user_id,
host,
count_if(status = 200) AS status_200,
count_if(status = 302) AS status_302,
count_if(status = 404) AS status_404,
count_if(status = 405) AS status_405,
count_if(status = 444) AS status_444,
count_if(status = 499) AS status_499,
count_if(status = 500) AS status_500,
count_if(status = 502) AS status_502,
count_if(status = 503) AS status_503,
count_if(status = 504) AS status_504,
COUNT(*) AS countall
FROM log
GROUP BY
user_id,
host
)
)
WHERE
countall > 120
ORDER BY
Rate_444 DESC
LIMIT
5
What's next
Common monitoring metrics — descriptions of all metrics available in Log Service for WAF