
Web Application Firewall: Log fields

Last Updated: Nov 27, 2025

This topic describes the fields in Web Application Firewall (WAF) logs.

Field index

The following table describes the fields that WAF logs support. You can search for a field by its name.

Initial / Field

a

b

  • Field for the number of bytes in the response body that the server returns to the client: body_bytes_sent

    Important

    The body_bytes_sent field is not supported for protected objects that are added to WAF from FC.

  • Field for the ID of a rule that allows requests: bypass_matched_ids

c

d

  • Fields related to data leakage prevention: dlp_action | dlp_rule_id | dlp_test

  • Field for the destination port of a request: dst_port

    Important

    The dst_port field is not supported for protected objects that are added to WAF from MSE, ALB, or FC.

f

Fields related to the final protection action performed on a client request: final_action | final_plugin | final_rule_id | final_rule_type

h

j

m

n

Fields related to triggered actions: non_terminating_rules

q

Field for the query string: querystring

r

s

t

  • Field for the time when the client initiated the request: time

  • Fields related to triggered actions: terminating_rules

u

w

Required fields

Required fields are always included in WAF logs.

Name / Description / Example

bypass_matched_ids

The ID of the WAF rule that allows the client request. This includes whitelist rules and custom mitigation policies that are configured with the Allow action.

If a request hits multiple rules of this type, all the rule IDs are recorded. Multiple rule IDs are separated by commas (,).

283531

content_type

The content type of the request.

application/x-www-form-urlencoded

dst_port

The destination port of the request.

443

final_action

The final protection action that WAF performs on the client request. Valid values:

  • block: blocks the request.

  • captcha_strict: strict slider challenge.

  • captcha: slider challenge.

  • sigchl: dynamic token challenge.

  • js: JavaScript challenge.

    Important

    If the triggered action is a JavaScript challenge, token challenge, or slider challenge, a 200 status code is returned.

For more information about WAF protection actions, see Description of WAF protection actions (*_action).

This field is not recorded if a request does not trigger any protection module. This includes scenarios where the request hits a rule that allows the request or the client passes a slider or JavaScript challenge.

If a request triggers multiple protection modules, only the final protection action is recorded. The protection actions are prioritized in the following descending order: Block (block) > Strict slider challenge (captcha_strict) > Slider challenge (captcha) > JavaScript challenge (js).

block

final_plugin

The protection module that corresponds to the final protection action (final_action) performed on the client request. Valid values:

  • waf: web core protection rules.

  • acl: IP blacklist and custom rules (access control).

  • cc: HTTP flood protection and custom mitigation policies (HTTP flood protection).

  • antiscan: scan protection.

  • dlp: data leakage prevention.

  • scene: scenario-specific configuration (including apps).

  • intelligence: bot threat intelligence.

  • wxbb: app protection.

  • Sema: semantic protection.

  • scc_gdrl: peak traffic throttling.

  • major_protection: major event support.

  • compliance: protocol violation (protocol compliance).

This field is not recorded if a request does not trigger any protection module. This includes scenarios where the request hits a rule that allows the request or the client passes a slider or JavaScript challenge.

If a request triggers multiple protection modules, only the protection module that corresponds to the final protection action (final_action) is recorded.

waf

final_rule_id

The ID of the protection rule that is applied to the client request. This is the ID of the rule that corresponds to the final_action.

115341

final_rule_type

The subtype of the protection rule (final_rule_id) that is applied to the client request.

For example, if final_plugin:waf, the rule subtypes can be final_rule_type:sqli, final_rule_type:xss, and more.

xss/webShell

host

The Host field in the client request header. This field indicates the accessed domain name. It can also be an IP address based on your business settings.

api.example.com

http_referer

The Referer field in the client request header. This field indicates the source URL of the request.

If the request has no source URL, this field is displayed as -.

http://example.com

http_user_agent

The User-Agent field in the client request header. This field contains information such as the identifier of the browser and operating system of the source client.

Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002)

http_x_forwarded_for

The X-Forwarded-For (XFF) field in the client request header. This field is used to identify the original IP address of a client that connects to a web server through an HTTP proxy or a load balancing service.

47.100.XX.XX

https

Indicates whether the request is an HTTPS request.

  • If the value is on, the request is an HTTPS request.

  • If the value is empty, the request is an HTTP request.

on

matched_host

The WAF protected object that matches the client request. The object can be a cloud service instance or a domain name.

Note

WAF protected objects can be wildcard domain names. A client request may match a wildcard domain name. For example, if you add *.aliyundoc.com to WAF, a request for www.aliyundoc.com may match *.aliyundoc.com.

*.aliyundoc.com

request_uri

The request path and request parameters.

/news/search.php?id=1

real_client_ip

The real IP address of the client that initiated the request. WAF determines the IP address after it analyzes the request. You can directly use this IP address in your services.

If WAF cannot determine the real client IP address, this field is displayed as -. This may occur if the user accesses your service through a proxy server or the IP address field in the request header is invalid.

192.0.XX.XX

region

The region ID of the WAF instance. Valid values:

  • cn: the Chinese mainland.

  • int: outside the Chinese mainland.

cn

src_port

The port that directly connects to WAF.

If WAF is directly connected to the client, this field indicates the client port. If a Layer 7 proxy such as CDN is deployed before WAF, this field indicates the port of the proxy that is deployed before WAF.

80

src_ip

The IP address that directly connects to WAF.

If WAF is directly connected to the client, this field indicates the client IP address. If a Layer 7 proxy such as CDN is deployed before WAF, this field indicates the IP address of the proxy that is deployed before WAF.

198.51.XX.XX

start_time

The time when the client initiated the request. Unit: seconds.

1696534058

request_length

The number of bytes in the client request. This includes the request line, request header, and request body. Unit: bytes.

111111

request_method

The method of the client request.

GET

request_time_msec

The period of time that WAF takes to process the client request. Unit: milliseconds.

44

request_traceid

The unique identifier that WAF generates for the client request.

7837b11715410386943437009ea1f0

request_traceid_origin

The original ID of the request.

7ce319151*****18890e

remote_region_id

The province ID that corresponds to the IP address.

410000

server_protocol

The protocol between the client and WAF.

Important

This field is not supported for protected objects that are added to WAF from FC.

HTTP/1.1

ssl_cipher

The cipher suite that the client request uses.

ECDHE-RSA-AES128-GCM-SHA256

ssl_protocol

The SSL/TLS protocol and version that the client request uses.

TLSv1.2

status

The HTTP status code that WAF returns for the client request. For example, 200 indicates that the request is successful.

200

time

The time when the client initiated the request. The time follows the ISO 8601 standard, is expressed relative to UTC, and uses the yyyy-MM-ddTHH:mm:ss+08:00 format.

2018-05-02T16:03:59+08:00

upstream_addr

The IP address and port of the origin server. The value is in the IP:Port format. Multiple records are separated by commas (,).

Important

This field is not supported for protected objects that are added to WAF from FC.

198.51.XX.XX:443

upstream_response_time

The period of time that the origin server takes to process the origin fetch request from WAF. Unit: seconds.

0.044

upstream_status

The HTTP status code that the origin server returns for the origin fetch request from WAF. For example, 200 indicates that the request is successful.

200

user_id

The ID of the Alibaba Cloud account to which the WAF instance belongs.

17045741********

Optional fields

You can choose which optional fields to include in WAF logs. WAF records only the optional fields that you enable.

Enabling optional fields consumes more log storage capacity. If you have sufficient log storage capacity, you can enable more optional fields for more comprehensive log analysis.

Name / Description / Example

account

The extracted account information. You must first complete the account extraction configuration for the protected object.

user1

acl_action

The protection action for the IP blacklist rule or custom rule (access control) that the client request hits. Valid values:

  • block: blocks the request.

  • captcha_strict: strict slider challenge.

  • captcha: slider challenge.

  • js: JavaScript challenge.

  • captcha_strict_pass: The client passed the strict slider challenge, and WAF allowed the request.

  • captcha_pass: The client passed the slider challenge, and WAF allowed the request.

  • js_pass: The client passed the JavaScript challenge, and WAF allowed the request.

    Important

    If the triggered action is a JavaScript challenge, token challenge, or slider challenge, a 200 status code is returned.

For more information about WAF protection actions, see Description of WAF protection actions (*_action).

block

acl_rule_id

The ID of the IP blacklist rule or custom rule (access control) that the client request hits.

151235

acl_rule_type

The type of the IP blacklist rule or custom rule (access control) that the client request hits. Valid values:

  • custom: a custom rule (access control).

  • blacklist: an IP blacklist rule.

  • scene/basic: basic bot protection.

  • region_block: a Location Blacklist rule.

  • scene/appsdk_custom: bot protection for apps.

custom

acl_test

The protection mode of the IP blacklist rule or custom rule (access control) that the client request hits. Valid values:

  • true: monitor mode. WAF records logs but does not trigger protection actions such as Block.

  • false: prevention mode. WAF performs protection actions such as Block on requests that hit protection rules.

Note

If acl_test is true, acl_action defaults to block. In this case, the action that the ACL module actually performs on a request that hits the ACL rule is Monitor.

false

antiscan_action

The protection action for the scan protection rule that the client request hits. The only valid value is block, which indicates that the request is blocked.

For more information about WAF protection actions, see Description of WAF protection actions (*_action).

block

antiscan_rule_id

The ID of the scan protection rule that the client request hits.

151235

antiscan_rule_type

The type of the scan protection rule that the client request hits. Valid values:

  • highfreq: a high-frequency scan blocking rule.

  • dirscan: a directory traversal blocking rule.

  • scantools: a scanner blocking rule.

highfreq

antiscan_test

The protection mode of the scan protection rule that the client request hits. Valid values:

  • true: monitor mode. WAF records logs but does not trigger protection actions such as Block.

  • false: prevention mode. WAF performs protection actions such as Block on requests that hit protection rules.

false

body_bytes_sent

The number of bytes in the response body that the server returns to the client. This does not include the response header. Unit: bytes.

Important

This field is not supported for protected objects that are added to WAF from FC.

1111

cc_action

The protection action for the custom rule (Frequency Control) that the client request hits. Valid values:

  • block: blocks the request.

  • captcha: slider challenge.

  • js: JavaScript challenge.

  • captcha_pass: The client passed the slider challenge, and WAF allowed the request.

  • js_pass: The client passed the JavaScript challenge, and WAF allowed the request.

For more information about WAF protection actions, see Description of WAF protection actions (*_action).

block

cc_rule_id

The ID of the custom rule (Frequency Control) that the client request hits.

151234

cc_rule_type

The type of the rule that the client request hits. Valid values:

  • custom: a custom rule (Frequency Control).

  • system: an HTTP flood protection rule.

custom

cc_test

The protection mode of the custom rule (Frequency Control) that the client request hits. Valid values:

  • true: monitor mode. WAF records logs but does not trigger protection actions such as Block.

  • false: prevention mode. WAF performs protection actions such as Block on requests that hit protection rules.

false

request_body

The request body. A maximum of 8 KB of data can be stored.

test123curl -ki https://automated-acltest02.***.top/ --resolve automated-acltest02.***.top:443:39.107.XX.XX

request_headers_all

Records all headers in the request.

{
  "Accept": "*/*",
  "Accept-Encoding": "gz**, de**te, **r",
  "Accept-Language": "zh-Hans-CN;q=1",
  "Connection": "keep-***ve",
  "Content-Length": "1**6",
  "Content-Type": "application/json",
  "Cookie": "cookie_key=***; acw_tc=0abc****opqrstuvwxyz0***7890;",
  "Host": "1.****.****.1",
  ...
}

request_header

A custom request header. After you select this field, you must enter the name of the request header. You can add up to five custom request headers. Separate multiple header names with commas (,).

Important

This field is not supported for protected objects that are added to WAF from MSE or FC.

{"ttt":"abcd"}

server_port

The requested WAF port.

Important

This field is not supported for protected objects that are added to WAF from MSE, ALB, or FC.

443

waf_action

The protection action for the web core protection rule that the client request hits. The only valid value is block, which indicates that the request is blocked.

For more information about WAF protection actions, see Description of WAF protection actions (*_action).

block

waf_rule_id

The ID of the web core protection rule that the client request hits.

Note

This rule ID corresponds to the rule ID that is displayed in the list of rule hit records on the Web Core Protection Rules tab of the Security Reports page. For more information, see Security Reports.

113406

waf_rule_type

The type of the web core protection rule that the client request hits. Valid values:

  • sqli: SQL injection.

  • xss: cross-site scripting (XSS).

  • code_exec: code execution.

  • crlf: CRLF injection.

  • lfilei: local file inclusion.

  • rfilei: remote file inclusion.

  • webshell: webshell.

  • csrf: cross-site request forgery.

  • other: other protection rules.

  • cmdi: OS command injection.

  • expression_injection: expression injection.

  • java_deserialization: Java deserialization.

  • php_deserialization: PHP deserialization.

  • ssrf: server-side request forgery (SSRF).

  • path_traversal: path traversal.

  • protocol_violation: protocol violation.

  • arbitrary_file_uploading: arbitrary file upload.

  • dot_net_deserialization: .NET deserialization.

  • scanner_behavior: scanner behavior.

  • logic_flaw: business logic flaw.

  • arbitrary_file_reading: arbitrary file read.

  • arbitrary_file_download: arbitrary file download.

  • xxe: XML external entity (XXE) injection.

xss

waf_test

The protection mode of the web core protection rule that the client request hits. Valid values:

  • true: monitor mode. WAF records logs but does not trigger protection actions such as Block.

  • false: prevention mode. WAF performs protection actions such as Block on requests that hit protection rules.

false

major_protection_action

The protection action for the major event support template that the client request hits. For more information about WAF protection actions, see Description of WAF protection actions (*_action).

block

major_protection_rule_id

The ID of the rule in the major event support template that the client request hits.

2221

major_protection_rule_type

The type of the rule in the major event support template that the client request hits. Valid values:

  • waf_blocks: a major event support rule group.

  • threat_intelligence: major event support threat intelligence.

  • blacklist: a major event support IP blacklist.

  • shiro: Shiro deserialization vulnerability protection.

waf_blocks

major_protection_test

The protection mode for major event support that the client request hits. Valid values:

  • true: monitor mode. WAF records logs but does not trigger protection actions such as Block.

  • false: prevention mode. WAF performs protection actions such as Block on requests that hit protection rules.

true

response_set_cookie

The cookie sent in the response to the client.

Important

This field is not supported for protected objects that are added to WAF from services such as ALB, MSE, or FC.

acw_tc=781bad3616674790875002820e2cebbc55b6e0dfd9579302762b1dece40e0a;path=\/;HttpOnly;Max-Age=1800

response_header

All headers of the response sent to the client.

Important

This field is not supported for protected objects that are added to WAF from services such as ALB, MSE, or FC.

{"transfer-encoding":"chunked","set-cookie":"acw_tc=***;path=\/;HttpOnly;Max-Age=1800","content-type":"text\/html;charset=utf-8","x-powered-by":"PHP\/7.2.24","server":"nginx\/1.18.0","connection":"close"}

response_info

The body of the response sent to the client. A maximum of 16 KB of data can be stored. If the content-encoding header is gzip, the response body is recorded in Base64 encoding.

Important

This field is not supported for protected objects that are added to WAF from services such as ALB, MSE, or FC.

$_POST received: <br/>Array ( [***] => ) <hr/> $GLOBALS['HTTP_RAW_POST_DATA'] received: <br/> <hr/> php://input received: ***

request_path

The relative path of the request. This is the part of the requested URL that follows the domain name and precedes the question mark (?). This does not include the query string.

/news/search.php

dlp_action

The protection action for the data leakage prevention rule that the client request hits. Valid values:

  • monitor: monitors the request.

  • block: blocks the request.

  • filter: masking.

For more information about WAF protection actions, see Description of WAF protection actions (*_action).

block

dlp_rule_id

The ID of the data leakage prevention rule that the client request hits.

20031483

dlp_test

The protection mode of the data leakage prevention rule that the client request hits. Valid values:

  • true: monitor mode. WAF records logs but does not trigger protection actions such as Block.

  • false: prevention mode. WAF performs protection actions such as Block on requests that hit protection rules.

true

querystring

The query string in the client request. This is the part of the requested URL that follows the question mark (?).

title=tm_content%3Darticle&pid=123

scene_action

The protection action for the scenario-specific configuration rule for bot management that the client request hits. Valid values:

  • js: JavaScript challenge.

  • sigchl: dynamic token challenge.

  • block: blocks the request.

  • monitor: monitors the request.

  • bypass: allows the request.

  • captcha: slider challenge.

  • captcha_strict: strict slider challenge.

For more information about WAF protection actions, see Description of WAF protection actions (*_action).

js

scene_id

The scenario ID of the scenario-specific configuration rule for bot management that the client request hits.

a82d992b_bc8c_47f0_87ce_******

scene_rule_id

The ID of the scenario-specific configuration rule for bot management and the ID of the basic protection configuration rule that the client request hits.

js-a82d992b_bc8c_47f0_87ce_******

scene_rule_type

The type of the scenario-specific configuration rule for bot management that the client request hits. Valid values:

  • bot_aialgo: an intelligent protection rule.

  • cc: a custom throttling rule.

  • intelligence: a threat intelligence rule.

  • js: a JavaScript challenge rule.

  • sigchl: a dynamic token rule.

  • sdk: an SDK signature and device collection rule, and a repackaging detection rule.

bot_aialgo

scene_test

The protection mode of the scenario-specific configuration rule for bot management that the client request hits. Valid values:

  • true: monitor mode. WAF records logs but does not trigger protection actions such as Block.

  • false: prevention mode. WAF performs protection actions such as Block on requests that hit protection rules.

true

remote_addr

The IP address that directly connects to WAF.

If WAF is directly connected to the client, this field indicates the client IP address. If a Layer 7 proxy such as CDN is deployed before WAF, this field indicates the IP address of the proxy that is deployed before WAF.

198.51.XX.XX

remote_port

The port that directly connects to WAF.

If WAF is directly connected to the client, this field indicates the client port. If a Layer 7 proxy such as CDN is deployed before WAF, this field indicates the port of the proxy that is deployed before WAF.

80

waf_hit

The attack content matched by a basic protection rule.

{"postarg_values":{"hit":["${jndi:ldap://"],"raw":"postarg.log4j=${jndi:ldap://"}}

compliance_hit

The attack content matched by a protocol violation rule.

**********7df271da040a

compliance_action

The protection action for the protocol compliance rule that the client request hits. The only valid value is block, which indicates that the request is blocked.

For more information about WAF protection actions, see Description of WAF protection actions (*_action).

block

compliance_rule_id

The ID of the protocol compliance rule that the client request hits.

300033

compliance_rule_type

The type of the protocol compliance rule that the client request hits. The only valid value is protocol_violation.

protocol_violation

compliance_test

The protection mode of the protocol compliance rule that the client request hits. Valid values:

  • true: monitor mode. WAF records logs but does not trigger protection actions such as Block.

  • false: prevention mode. WAF performs protection actions such as Block on requests that hit protocol compliance rules.

false

sema_hit

The attack content matched by a semantic analysis rule.

{"queryarg_values":{"hit":["\" from mysql.user"],"raw":"queryarg.y=\" from mysql.user"}}

sema_action

The protection action for the semantic analysis rule that the client request hits. The only valid value is block, which indicates that the request is blocked.

For more information about WAF protection actions, see Description of WAF protection actions (*_action).

block

sema_rule_id

The ID of the semantic analysis rule that the client request hits.

810015

sema_rule_type

The type of the semantic analysis rule that the client request hits. The only valid value is sqli, which indicates an SQL injection protection rule.

sqli

sema_test

The protection mode of the semantic analysis rule that the client request hits. Valid values:

  • true: monitor mode. WAF records logs but does not trigger protection actions such as Block.

  • false: prevention mode. WAF performs protection actions such as Block on requests that hit protection rules.

false

wxbb_info_tbl

The device information for the app protection rule in bot management that the client request hits.

{
  "abnormal_imei": "0",
  "abnormal_time": "1",
  *****
  "appversion": "9.4.3",
  "brand": "Android",
  *****
}

websdk_umid

The unique device ID of the web client in bot management.

6543211729a19aa0123456

appsdk_umid

The unique device ID of the app client in bot management.

3c76912d48ec5eb1ea6cb775ce1ba609

client_id

The client type detected by bot management.

Python-urllib

ja3_fingerprint

The JA3 traffic fingerprint for bot management.

5c9e5897bbebcef37337bffb97587518

ja4_fingerprint

The JA4 traffic fingerprint for bot management.

b251a742b13fde5fba044eddfd05af34

http2_fingerprint

The HTTP/2 traffic fingerprint for bot management.

52d84b11737d980aef856699f885ca86

non_terminating_rules

Recorded when the request triggers the Monitor or Add Tag action, or passes a JavaScript Validation, Slider CAPTCHA, Strict Slider CAPTCHA, or Dynamic Token challenge. The action field is one of "js_pass", "captcha_pass", "captcha_strict_pass", "sigchl_pass", "monitor", or "upstream_tag". If a request hits multiple rules, all the rules are recorded.

[{"id":"12345678","action":"monitor","defense_scene":"waf_base"},{"id":"123123123","type":"suspicious_idc","action":"monitor","defense_scene":"bot_manager"},{"id":"12341234","bypass_punish":"1","defense_scene":"custom_acl"}]

Note

In this example, "bypass_punish":"1" indicates that the request hit a grayscale rule but no action was performed.

terminating_rules

Recorded when the request triggers the Block action, or fails a JavaScript Validation, Slider CAPTCHA, Strict Slider CAPTCHA, or Dynamic Token challenge. The action field is one of "block", "js", "captcha", "captcha_strict", or "sigchl".

[{"id":"123456","action":"block","defense_scene":"custom_acl"}]
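
The following Python sketch is an added example, not code from the WAF product or its documentation. It combines the fields described above to decide what WAF actually did with a request: final_action for enforced actions, <module>_test for monitor-mode hits whose <module>_action still reads block, non_terminating_rules for passed challenges, and real_client_ip with a fallback to src_ip. The sample records, the function names, and the outcome labels are constructed for illustration.

```python
import json
from collections import Counter

# Prefixes with <prefix>_action / <prefix>_rule_id / <prefix>_test fields above.
MODULES = ("acl", "antiscan", "cc", "waf", "major_protection",
           "dlp", "scene", "compliance", "sema")
CHALLENGES = {"captcha_strict", "captcha", "sigchl", "js"}

# Constructed sample records; every value is kept as a string.
SAMPLE_LOGS = [
    {"real_client_ip": "192.0.2.10", "src_ip": "198.51.100.7", "status": "405",
     "final_action": "block", "final_plugin": "waf", "final_rule_id": "113406",
     "waf_action": "block", "waf_rule_id": "113406", "waf_test": "false"},
    {"real_client_ip": "-", "src_ip": "198.51.100.7", "status": "200",
     "acl_action": "block", "acl_rule_id": "151235", "acl_test": "true"},
    {"real_client_ip": "203.0.113.5", "src_ip": "198.51.100.7", "status": "200",
     "final_action": "js", "final_plugin": "cc",
     "cc_action": "js", "cc_rule_id": "151234", "cc_test": "false"},
    {"real_client_ip": "203.0.113.5", "src_ip": "198.51.100.7", "status": "200",
     "bypass_matched_ids": "283531"},
    {"real_client_ip": "203.0.113.9", "src_ip": "198.51.100.7", "status": "200",
     "non_terminating_rules": '[{"id":"12345678","action":"js_pass"}]'},
]


def parse_rules(record, field):
    """Decode terminating_rules / non_terminating_rules (a JSON array string)."""
    try:
        rules = json.loads(record.get(field) or "[]")
    except (TypeError, ValueError):
        return []  # malformed or truncated value: treat as no data
    return [r for r in rules if isinstance(r, dict)] if isinstance(rules, list) else []


def client_ip(record):
    """Return (ip, source field); real_client_ip is "-" when WAF cannot determine it."""
    ip = record.get("real_client_ip") or "-"
    if ip != "-":
        return ip, "real_client_ip"
    return record.get("src_ip") or "-", "src_ip"


def monitor_hits(record):
    """Rules that matched in monitor mode: <module>_test is true, so the logged
    <module>_action (often "block") was recorded but not enforced."""
    hits = []
    for mod in MODULES:
        in_monitor = str(record.get(mod + "_test", "")).lower() == "true"
        if in_monitor and record.get(mod + "_action"):
            hits.append((mod, record.get(mod + "_rule_id"), record[mod + "_action"]))
    return hits


def classify(record):
    """Map one record to what WAF did with the request."""
    final = record.get("final_action") or ""
    if final == "block":
        return "blocked"
    if final in CHALLENGES:
        return "challenged"  # status is 200 for challenges, so status misleads
    soft = [str(r.get("action", "")) for r in parse_rules(record, "non_terminating_rules")]
    if monitor_hits(record) or "monitor" in soft:
        return "monitor_only"
    if any(a.endswith("_pass") for a in soft):
        return "challenge_passed"
    if record.get("bypass_matched_ids"):
        return "allowed_by_rule"
    return "no_rule_hit"


def summarize(logs):
    """Count outcomes and list (client ip, module, rule id) for monitor-mode
    hits that would have blocked the request in prevention mode."""
    outcomes = Counter(classify(r) for r in logs)
    would_block = [(client_ip(r)[0], mod, rule_id)
                   for r in logs
                   for mod, rule_id, action in monitor_hits(r) if action == "block"]
    return outcomes, would_block
```

A filter on acl_action alone would count the second sample record as a block even though acl_test is true and the request was only monitored.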

Description of WAF protection actions (*_action)

Note

*_action represents the action taken by a protection rule. For example, final_action indicates the final action that WAF performs, and waf_action indicates the action of a web core protection rule. The available actions vary depending on the protection rule. For more information, see the description of the corresponding parameter.

The following table describes all the protection actions that WAF supports.

Protection action / Meaning

block

Blocks the client request and returns a 405 error page to the client.

captcha_strict

Strict slider challenge. WAF returns a slider challenge page to the client. If the client passes the challenge, WAF allows the request. Otherwise, WAF blocks the request. In strict slider challenge mode, every request from the client must be verified.

captcha

Slider challenge. WAF returns a slider challenge page to the client. If the client passes the challenge, WAF allows all requests from the client for a period of time (30 minutes by default) without further verification. Otherwise, WAF blocks the request.

js

JavaScript challenge. WAF returns a piece of JavaScript code that a standard browser can automatically run. If the client runs the JavaScript code, WAF allows all requests from the client for a period of time (30 minutes by default) without further verification. Otherwise, WAF blocks the request.

js_pass

The client passed the JavaScript challenge, and WAF allowed the request.

sigchl

Dynamic token challenge. This action signs web requests. When a client sends a request, the web SDK that WAF provides signs the request and includes the signature in the request. If the signature is valid, the request is sent to the origin server. Otherwise, WAF returns a dynamic token script and requires the client to re-sign the request.