Web Application Firewall: Log fields supported by WAF

Last Updated: Sep 14, 2023

This topic describes the log fields that are supported by Web Application Firewall (WAF).

Table for field retrieval

The following table describes the log fields that are supported by WAF. You can use the names of fields to retrieve the fields that you want to view.

First letter of a field name

Field

a

b

c

d

f

Fields related to the final action: final_action | final_plugin | final_rule_id | final_rule_type

h

i

Fields related to bot threat intelligence: intelligence_action | intelligence_rule_id | intelligence_test

m

Field used to record the matched domain names that are protected by WAF: matched_host

n

Fields related to the positive security model: normalized_action | normalized_rule_id | normalized_rule_type | normalized_test

q

Field used to record the query string: querystring

r

s

t

Field used to record the time when requests were initiated: time

u

w

Description of the action field

The following table describes all actions that are supported by WAF.

Value of the action field

Description

block

The request is blocked. WAF blocks the client request and returns HTTP error code 405 to the client.

captcha_strict

Strict slider CAPTCHA verification is performed. WAF returns the pages that are used for slider CAPTCHA verification to the client. If the client passes strict slider CAPTCHA verification, WAF allows the request that is sent from the client. If the client fails strict slider CAPTCHA verification, WAF blocks the request. A client must pass strict slider CAPTCHA verification each time the client sends a request.

captcha

Common slider CAPTCHA verification is performed. WAF returns the pages that are used for slider CAPTCHA verification to the client. If the client passes common slider CAPTCHA verification, WAF allows the requests from the client within a specific time range. The client can bypass the verification within the time range. By default, the time range is 30 minutes. If the client fails common slider CAPTCHA verification, WAF blocks the requests from the client.

sigchl

Dynamic token authentication is performed and web requests are signed. When the client sends a request, the Web SDK that is issued by WAF generates a signature for the request. The signature is forwarded together with the request to the origin server. If the signature is generated and verified, the request is forwarded to the origin server. If the signature fails to be generated or verified, a code block that can be used to obtain a dynamic token is returned to the client and the request must be re-signed.

js

JavaScript validation is performed. WAF returns JavaScript code to the client. The JavaScript code is automatically executed by the browsers that the client uses. If the client passes JavaScript validation, WAF allows requests from the client within a specific time range. The client can bypass the validation within the time range. By default, the time range is 30 minutes. If the client fails JavaScript validation, WAF blocks requests from the client.

pass

WAF allows the request and forwards the request to the origin server.

captcha_strict_pass

The client passes strict slider CAPTCHA verification and WAF allows the request from the client.

captcha_pass

The client passes common slider CAPTCHA verification and WAF allows the request from the client.

sigchl_pass

The client passes dynamic token authentication and WAF allows the request from the client.

js_pass

The client passes JavaScript validation and WAF allows the request from the client.

mask

WAF masks the sensitive data that is returned from the origin server and returns the result to the client. Only the data leak prevention feature supports this action.

continue

WAF allows the request. The meaning of the continue action varies based on the protection features. For more information, see the descriptions of the normalized_action and wxbb_action fields.

Required fields

Required fields refer to the fields that must be included in WAF logs.

Field

Description

Example

acl_rule_type

The type of the rule that is triggered. The rule is created for the blacklist or custom protection policy (ACL) feature. Valid values:

  • custom: a rule that is created for the custom protection policy (ACL) feature.

  • blacklist: a rule that is created for the blacklist feature.

custom

bypass_matched_ids

The ID of the rule that is triggered to allow requests. The rule can be a whitelist rule or a custom protection rule that allows requests.

If multiple rules are triggered at the same time to allow requests, this field records the IDs of the rules. Multiple IDs are separated with commas (,).

283531

cc_rule_type

The type of the rule that is triggered. The rule is created for the HTTP flood protection feature or the custom protection policy (HTTP Flood Protection) feature. Valid values:

  • custom: a rule that is created for the custom protection policy (HTTP Flood Protection) feature.

  • system: an HTTP flood protection rule.

custom

content_type

The type of the requested content.

application/x-www-form-urlencoded

final_action

The action that is performed by WAF on the request. Valid values:

  • block: The request is blocked.

  • captcha_strict: Strict slider CAPTCHA verification is performed.

  • captcha: Common slider CAPTCHA verification is performed.

  • sigchl: Dynamic token authentication is performed.

  • js: JavaScript validation is performed.

For more information about WAF protection actions, see Description of the action field.

If a request does not match a protection module, the field is not recorded. For example, if a request matches a rule that allows the request or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded.

If a request matches multiple protection modules at the same time, the field records only the action that is actually performed. The actions are listed in descending order of priority: blocking (block), strict slider CAPTCHA verification (captcha_strict), common slider CAPTCHA verification (captcha), dynamic token authentication (sigchl), and JavaScript validation (js).

block

final_plugin

The protection module that performs the action on the request. The final_action field indicates the action that is performed. Valid values:

  • waf: the protection rules engine feature.

  • deeplearning: the deep learning engine feature.

  • dlp: the data leakage prevention feature.

  • account: the account security feature.

  • normalized: the positive security model feature.

  • acl: the blacklist feature or the custom protection policy (ACL) feature.

  • cc: the HTTP flood protection feature or the custom protection policy (HTTP Flood Protection) feature.

  • antiscan: the scan protection feature.

  • scene: the scenario-specific configuration feature.

  • antifraud: the data risk control feature.

  • bot_intelligence: the bot threat intelligence feature.

  • algorithm: the typical bot behavior identification feature.

  • wxbb: the app protection feature.

To configure the preceding protection features, log on to the Web Application Firewall console and choose Protection Settings > Website Protection in the left-side navigation pane. For more information about the protection features of WAF, see Overview.

If a request does not match a protection module, the field is not recorded. For example, if a request matches a rule that allows the request or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded.

If a request matches multiple protection modules at the same time, the field records only the action that is performed. The final_action field indicates the action that is performed.

waf

final_rule_id

The ID of the rule that is applied to the request. The rule defines the action that is recorded in the final_action field.

115341

final_rule_type

The subtype of the rule that is applied to the request. The final_rule_id field indicates the applied rule.

For example, final_plugin:waf supports final_rule_type:sqli and final_rule_type:xss.

xss/webshell

host

The Host header field of the request, which indicates the domain name or IP address to be accessed.

api.example.com

http_referer

The Referer header field of the request, which indicates the source URL information about the request.

If the request does not contain the source URL information, the value of the field is displayed as a hyphen (-).

http://example.com

http_user_agent

The User-Agent header field of the request. This field contains information about the browser and operating system.

Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002)

http_x_forwarded_for

The X-Forwarded-For (XFF) field of the request header. This field is used to identify the originating IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing device.

47.100.XX.XX

https

Indicates whether the request is an HTTPS request.

  • The value on indicates an HTTPS request.

  • If this field is empty, it indicates that the request is an HTTP request.

on

matched_host

The domain name that is matched by WAF. The domain name is added to WAF for protection.

Note

Wildcard domain names can be added to WAF, and WAF may match a wildcard domain name. For example, if the domain name *.aliyun.com is added to WAF and www.aliyun.com is requested, WAF matches the domain name *.aliyun.com.

*.aliyun.com

querystring

The query string in the request. The query string refers to the part that follows the question mark (?) in the requested URL.

title=tm_content%3Darticle&pid=123

real_client_ip

The originating IP address of the client that initiates the request. WAF identifies the actual IP address based on the analysis of the request.

If WAF cannot identify the actual IP address of the client, for example, when a proxy server is used or the IP field in the request header is invalid, the value of the field is displayed as a hyphen (-).

192.0.XX.XX

remote_addr

The IP address that is used to connect to WAF.

If WAF is directly connected to a client, this field records the originating IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the IP address of the proxy.

198.51.XX.XX

remote_port

The port that is used to connect to WAF.

If WAF is directly connected to a client, this field records the port of the client. If a Layer 7 proxy, such as CDN, is deployed in front of WAF, this field records the port of the proxy.

80

request_length

The number of bytes in the request. The request includes the request line, request header, and request body. Unit: bytes.

111111

request_method

The request method.

GET

request_path

The requested relative path. The relative path is the part between the domain name and the question mark (?) in the requested URL. The relative path does not include the query string.

/news/search.php

request_time_msec

The time required for WAF to process the request. Unit: milliseconds.

44

request_traceid

The unique identifier that is generated by WAF for each request.

7837b11715410386943437009ea1f0

server_protocol

The protocol and version that are used by the origin server to respond to the request that is forwarded by WAF.

HTTP/1.1

status

The HTTP status code that is included by WAF in the response to the request that is sent from the client. Example: the HTTP status code 200 indicates that the request is received and accepted.

200

time

The point in time at which the request is initiated. The time follows the ISO 8601 standard in the yyyy-MM-ddTHH:mm:ss+08:00 format.

2018-05-02T16:03:59+08:00

upstream_addr

The IP address and port of the origin server. The format is IP:Port. Multiple pairs of IP addresses and ports are separated by commas (,).

198.51.XX.XX:443

upstream_response_time

The total amount of time required for the origin server to respond to a back-to-origin request that is forwarded by WAF and for WAF to forward the response to the client. Unit: seconds.

0.044

upstream_status

The HTTP status code that is sent by the origin server in response to the request from WAF. Example: the HTTP status code 200 indicates that the request is received and accepted.

200
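An added example (not part of the original documentation): a Python normalizer for the required fields above. It covers the hyphen (-) placeholder, the https field that is empty for HTTP, comma-separated values, and the two different time units. The sample record is constructed, uses documentation-range IP addresses, and is assumed to arrive as a dict of strings.

```python
from datetime import datetime, timezone

# The page documents "-" for an absent http_referer or real_client_ip;
# empty strings and None are treated the same way here (assumption).
MISSING = {"", "-", None}


def _csv(value):
    """Split a comma-separated field (bypass_matched_ids, upstream_addr)."""
    if value in MISSING:
        return []
    return [part.strip() for part in value.split(",") if part.strip()]


def _host_port(pair):
    """Split 'IP:Port' on the last colon so the port is the final component."""
    host, _, port = pair.rpartition(":")
    return host, int(port)


def _num(value, scale=1.0):
    """Convert a numeric string, returning None for a missing value."""
    return None if value in MISSING else round(float(value) * scale, 3)


def normalize(record):
    """Turn one raw WAF log record (dict of strings) into typed values."""
    real_ip = record.get("real_client_ip")
    if real_ip not in MISSING:
        client_ip, source = real_ip, "real_client_ip"
    else:
        # remote_addr is the peer that connected to WAF. Behind a Layer 7
        # proxy such as a CDN this is the proxy, not the end client, so the
        # source is kept next to the address.
        client_ip, source = record.get("remote_addr"), "remote_addr"

    # https is "on" for HTTPS and empty for HTTP.
    scheme = "https" if record.get("https") == "on" else "http"
    url = f"{scheme}://{record.get('host', '')}{record.get('request_path', '')}"
    if record.get("querystring") not in MISSING:
        url += "?" + record["querystring"]

    referer = record.get("http_referer")
    return {
        # time carries its own UTC offset; convert so records sort together.
        "time_utc": datetime.fromisoformat(record["time"]).astimezone(timezone.utc),
        "client_ip": client_ip,
        "client_ip_source": source,
        "url": url,
        "referer": None if referer in MISSING else referer,
        "bypass_rule_ids": _csv(record.get("bypass_matched_ids")),
        "upstreams": [_host_port(p) for p in _csv(record.get("upstream_addr"))],
        # request_time_msec is in milliseconds, upstream_response_time in
        # seconds: bring both to milliseconds.
        "waf_ms": _num(record.get("request_time_msec")),
        "upstream_ms": _num(record.get("upstream_response_time"), 1000.0),
    }


# Constructed sample record (values are illustrative, not real traffic).
SAMPLE = {
    "time": "2018-05-02T16:03:59+08:00",
    "host": "api.example.com",
    "https": "on",
    "request_path": "/news/search.php",
    "querystring": "title=tm_content%3Darticle&pid=123",
    "http_referer": "-",
    "real_client_ip": "-",
    "remote_addr": "203.0.113.5",
    "bypass_matched_ids": "283531,283532",
    "upstream_addr": "198.51.100.7:443,198.51.100.8:443",
    "request_time_msec": "44",
    "upstream_response_time": "0.044",
}

if __name__ == "__main__":
    for key, value in normalize(SAMPLE).items():
        print(f"{key}: {value}")
```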

Optional fields

You can include optional fields in WAF logs based on your business requirements. WAF logs record only the optional fields that you enable.

If you enable optional fields, WAF logs occupy more storage space. If you have sufficient log storage capacity, we recommend that you enable more optional fields to analyze logs in a more comprehensive manner. For more information about how to configure optional fields, see Modify log settings.

Field

Description

Example

account_action

The action that is performed on the request after an account security rule is triggered. This parameter has a fixed value of block. The value indicates that the request is blocked.

For more information about WAF protection actions, see Description of the action field.

block

account_rule_id

The ID of the account security rule that is triggered.

151235

account_test

The protection mode that is used for the request after an account security rule is triggered. Valid values:

  • true: the observation mode. In this mode, logs are recorded, but protection actions such as blocking are not triggered.

  • false: the prevention mode. In this mode, WAF performs protection actions such as blocking the request that matches the protection rule.

false

acl_action

The action that is performed on the request after a rule created for the blacklist or custom protection policy (ACL) feature is triggered. Valid values:

  • block: The request is blocked.

  • captcha_strict: Strict slider CAPTCHA verification is performed.

  • captcha: Common slider CAPTCHA verification is performed.

  • js: JavaScript validation is performed.

  • captcha_strict_pass: The client passes strict slider CAPTCHA verification and WAF allows the request from the client.

  • captcha_pass: The client passes common slider CAPTCHA verification and WAF allows the requests from the client.

  • js_pass: The client passes JavaScript validation and WAF allows the requests from the client.

For more information about WAF protection actions, see Description of the action field.

block

acl_rule_id

The ID of the rule that is triggered. The rule is created for the blacklist or custom protection policy (ACL) feature.

151235

acl_test

The protection mode that is used for the request after a rule created for the blacklist or custom protection policy (ACL) feature is triggered. Valid values:

  • true: the observation mode. In this mode, logs are recorded, but protection actions such as blocking are not triggered.

  • false: the prevention mode. In this mode, WAF performs protection actions such as blocking the request that matches the protection rule.

false

algorithm_action

The action that is performed on the request after a rule created for the typical bot behavior identification feature is triggered. Valid values:

  • block: The request is blocked.

  • captcha: Common slider CAPTCHA verification is performed.

  • js: JavaScript validation is performed.

  • captcha_pass: The client passes common slider CAPTCHA verification and WAF allows the requests from the client.

  • js_pass: The client passes JavaScript validation and WAF allows the requests from the client.

For more information about WAF protection actions, see Description of the action field.

block

algorithm_rule_id

The ID of the rule that is triggered. The rule is created for the typical bot behavior identification feature.

151235

algorithm_test

The protection mode that is used for the request after a rule created for the typical bot behavior identification feature is triggered. Valid values:

  • true: the observation mode. In this mode, logs are recorded, but protection actions such as blocking are not triggered.

  • false: the prevention mode. In this mode, WAF performs protection actions such as blocking the request that matches the protection rule.

false

antifraud_action

The action that is performed on the request after a rule created for the data risk control feature is triggered. Valid values:

  • pass: The request is allowed.

  • block: The request is blocked.

  • captcha: Common slider CAPTCHA verification is performed.

For more information about WAF protection actions, see Description of the action field.

block

antifraud_test

The protection mode that is used for the request after a rule created for the data risk control feature is triggered. Valid values:

  • true: the observation mode. In this mode, logs are recorded, but protection actions such as blocking are not triggered.

  • false: the prevention mode. In this mode, WAF performs protection actions such as blocking the request that matches the protection rule.

false

antiscan_action

The action that is performed on the request after a rule created for the scan protection feature is triggered. This parameter has a fixed value of block. The value indicates that the request is blocked.

For more information about WAF protection actions, see Description of the action field.

block

antiscan_rule_id

The ID of the scan protection rule that is matched.

151235

antiscan_rule_type

The type of the scan protection rule that is matched. Valid values:

  • highfreq: a rule that blocks IP addresses from which web attacks are frequently initiated.

  • dirscan: a rule that defends against directory traversal attacks.

  • scantools: a rule that blocks the IP addresses of scanners.

  • collaborative: a collaborative defense rule.

highfreq

antiscan_test

The protection mode that is used for the request after a scan protection rule is matched. Valid values:

  • true: the observation mode. In this mode, logs are recorded, but protection actions such as blocking are not triggered.

  • false: the prevention mode. In this mode, WAF performs protection actions such as blocking the request that matches the protection rule.

false

block_action

Important

This field is no longer valid due to WAF upgrades. This field is replaced with the field final_plugin. If the block_action field is used in your services, replace the field with final_plugin at the earliest opportunity.

The WAF protection feature that is triggered to block the request. Valid values:

  • tmd: the HTTP flood protection feature. The value is equivalent to the cc value of final_plugin.

  • waf: the web attack protection feature. The value is equivalent to the waf value of final_plugin.

  • acl: the custom protection policy feature. The value is equivalent to the acl value of final_plugin.

  • deeplearning: the deep learning engine feature. The value is equivalent to the deeplearning value of final_plugin.

  • antiscan: the scan protection feature. The value is equivalent to the antiscan value of final_plugin.

  • antifraud: the data risk control feature. The value is equivalent to the antifraud value of final_plugin.

  • antibot: the bot management feature. The value is equivalent to the intelligence, algorithm, wxbb, and scene values of final_plugin.

waf

body_bytes_sent

The number of bytes in the response body that is returned by the server to the client. The number of bytes of the response header is not counted. Unit: bytes.

1111

cc_action

The action that is performed on the request after a rule created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature is triggered. Valid values:

  • block: The request is blocked.

  • captcha: Common slider CAPTCHA verification is performed.

  • js: JavaScript validation is performed.

  • captcha_pass: The client passes common slider CAPTCHA verification and WAF allows the request from the client.

  • js_pass: The client passes JavaScript validation and WAF allows the request from the client.

For more information about WAF protection actions, see Description of the action field.

block

cc_rule_id

The ID of the rule that is triggered. The rule is created for the HTTP flood protection feature or the custom protection policy (HTTP Flood Protection) feature.

151234

cc_test

The protection mode that is used for the request after a rule created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature is triggered. Valid values:

  • true: the observation mode. In this mode, logs are recorded, but protection actions such as blocking are not triggered.

  • false: the prevention mode. In this mode, WAF performs protection actions such as blocking the request that matches the protection rule.

false

deeplearning_action

The action that is performed on the request after a rule created for the deep learning engine feature is triggered. This parameter has a fixed value of block. The value indicates that the request is blocked.

For more information about WAF protection actions, see Description of the action field.

block

deeplearning_rule_id

The ID of the rule that is triggered. The rule is created for the deep learning engine feature.

151238

deeplearning_rule_type

The type of the rule that is triggered. The rule is created for the deep learning engine feature. Valid values:

  • xss: a rule that defends against XSS attacks.

  • code_exec: a rule that defends against specific attacks. The attacks exploit code execution vulnerabilities.

  • webshell: a rule that defends against webshell uploads.

  • sqli: a rule that defends against Structured Query Language (SQL) injection.

  • lfilei: a rule that defends against local file inclusion.

  • rfilei: a rule that defends against remote file inclusion.

  • other: other protection rules.

xss

deeplearning_test

The protection mode that is used for the request after a rule created for the deep learning engine feature is triggered. Valid values:

  • true: the observation mode. In this mode, logs are recorded, but protection actions such as blocking are not triggered.

  • false: the prevention mode. In this mode, WAF performs protection actions such as blocking the request that matches the protection rule.

false

dlp_action

The action that is performed on the request after a rule created for the data leakage prevention feature is triggered. Valid values:

  • block: The request is blocked.

  • mask: Sensitive data is masked.

For more information about WAF protection actions, see Description of the action field.

mask

dlp_rule_id

The ID of the rule that is triggered. The rule is created for the data leakage prevention feature.

151245

dlp_test

The protection mode that is used for the request after a rule created for the data leakage prevention feature is triggered. Valid values:

  • true: the observation mode. In this mode, logs are recorded, but protection actions such as blocking are not triggered.

  • false: the prevention mode. In this mode, WAF performs protection actions such as blocking the request that matches the protection rule.

false

intelligence_action

The action that is performed on the request after a rule created for the bot threat intelligence feature is triggered. Valid values:

  • block: The request is blocked.

  • captcha_strict: Strict slider CAPTCHA verification is performed.

  • captcha: Common slider CAPTCHA verification is performed.

  • js: JavaScript validation is performed.

  • captcha_strict_pass: The client passes strict slider CAPTCHA verification and WAF allows the request from the client.

  • captcha_pass: The client passes common slider CAPTCHA verification and WAF allows the requests from the client.

  • js_pass: The client passes JavaScript validation and WAF allows the requests from the client.

For more information about WAF protection actions, see Description of the action field.

block

intelligence_rule_id

The ID of the rule that is triggered. The rule is created for the bot threat intelligence feature.

152234

intelligence_test

The protection mode that is used for the request after a rule created for the bot threat intelligence feature is triggered. Valid values:

  • true: the observation mode. In this mode, logs are recorded, but protection actions such as blocking are not triggered.

  • false: the prevention mode. In this mode, WAF performs protection actions such as blocking the request that matches the protection rule.

false

normalized_action

The action that is performed on the request after a rule created for the positive security model feature is triggered. Valid values:

  • block: The request is blocked.

  • continue: The request is allowed.

For more information about WAF protection actions, see Description of the action field.

block

normalized_rule_id

The ID of the rule that is triggered. The rule is created for the positive security model feature.

151266

normalized_rule_type

The type of the rule that is triggered. The rule is created for the positive security model feature. Valid values:

  • User-Agent: a User-Agent-based baseline rule. If the User-Agent field of a request header does not conform to the baseline, an attack may occur. This description applies to other rule types.

  • Referer: a Referer-based baseline rule.

  • URL: a URL-based baseline rule.

  • Cookie: a cookie-based baseline rule.

  • Body: a request body-based baseline rule.

User-Agent

normalized_test

The protection mode that is used for the request after a rule created for the positive security model feature is triggered. Valid values:

  • true: the observation mode. In this mode, logs are recorded, but protection actions such as blocking are not triggered.

  • false: the prevention mode. In this mode, WAF performs protection actions such as blocking the request that matches the protection rule.

false

region

The ID of the region where the WAF instance resides. Valid values:

  • cn: The WAF instance resides in the Chinese mainland.

  • int: The WAF instance resides outside the Chinese mainland.

cn

request_body

The request body.

i am the request body, encrypted or not!

scene_action

The action that is performed on the request after a rule created for scenario-specific configuration is triggered. Valid values:

  • block: The request is blocked.

  • captcha: Common slider CAPTCHA verification is performed.

  • sigchl: Dynamic token authentication is performed.

  • js: JavaScript validation is performed.

  • captcha_pass: The client passes common slider CAPTCHA verification and WAF allows the requests from the client.

  • sigchl_pass: The client passes dynamic token authentication and WAF allows the requests from the client.

  • js_pass: The client passes JavaScript validation and WAF allows the requests from the client.

For more information about WAF protection actions, see Description of the action field.

block

scene_id

The scenario ID of the rule that is triggered. The rule is created for scenario-specific configuration.

151235

scene_rule_id

The ID of the rule that is triggered. The rule is created for scenario-specific configuration.

153678

scene_rule_type

The type of the rule that is triggered. The rule is created for scenario-specific configuration. Valid values:

  • bot_aialgo: an intelligent protection rule.

  • js: a rule that blocks script-based bots.

  • intelligence: a rule that blocks attacks based on bot threat intelligence or data center blacklists.

  • sdk: a rule that checks for abnormal signatures of SDK-integrated apps and abnormal device behaviors.

  • cc: an IP address-based throttling rule or a custom session-based throttling rule.

  • sigchl: a dynamic token authentication rule.

bot_aialgo

sigchl_invalid_type

The reason why the request is considered abnormal by dynamic token authentication rules. Valid values:

  • sigchl_invalid_sig: Signature verification fails. The following section describes the common causes of the preceding error:

    • A request does not carry a signature.

    • The parameter that is passed when a signature is added is different from the parameter received by WAF.

  • sigchl_is_replay: The signature timestamp is abnormal. A replay attack may occur.

  • sigchl_is_driver: The request is considered a WebDriver attack request.

sigchl_invalid_sig

scene_test

The protection mode that is used for the request after a rule created for scenario-specific configuration is triggered. Valid values:

  • true: the observation mode. In this mode, logs are recorded, but protection actions such as blocking are not triggered.

  • false: the prevention mode. In this mode, WAF performs protection actions such as blocking the request that matches the protection rule.

false

server_port

The destination port that is requested.

443

ssl_cipher

The cipher suite that is used in the request.

ECDHE-RSA-AES128-GCM-SHA256

ssl_protocol

The SSL protocol or TLS protocol and version that are used in the request.

TLSv1.2

ua_browser

The name of the browser that initiates the request.

Important

From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. To obtain the information about the User-Agent field of the request, we recommend that you use the required field http_user_agent.

ie9

ua_browser_family

The family to which the browser belongs.

Important

From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. To obtain the information about the User-Agent field of the request, we recommend that you use the required field http_user_agent.

internet explorer

ua_browser_type

The type of the browser that initiates the request.

Important

From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. To obtain the information about the User-Agent field of the request, we recommend that you use the required field http_user_agent.

web_browser

ua_browser_version

The version of the browser that initiates the request.

Important

From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. To obtain the information about the User-Agent field of the request, we recommend that you use the required field http_user_agent.

9.0

ua_device_type

The device type of the client that initiates the request.

Important

From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. To obtain the information about the User-Agent field of the request, we recommend that you use the required field http_user_agent.

computer

ua_os

The operating system of the client that initiates the request.

Important

From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. To obtain the information about the User-Agent field of the request, we recommend that you use the required field http_user_agent.

windows_7

ua_os_family

The family to which the operating system of the client belongs.

Important

From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. To obtain the information about the User-Agent field of the request, we recommend that you use the required field http_user_agent.

windows

user_id

The ID of the Alibaba Cloud account to which the WAF instance belongs.

17045741********

waf_action

The action that is performed on the request after a rule created for the protection rules engine feature is triggered. This parameter has a fixed value of block. The value indicates that the request is blocked.

For more information about WAF protection actions, see Description of the action field.

block

waf_rule_id

The ID of the rule that is triggered. The rule is created for the protection rules engine feature.

113406

waf_rule_type

The type of the rule that is triggered. The rule is created for the protection rules engine feature. Valid values:

  • xss: a rule that defends against XSS attacks.

  • code_exec: a rule that defends against specific attacks. The attacks exploit code execution vulnerabilities.

  • webshell: a rule that defends against webshell uploads.

  • sqli: a rule that defends against Structured Query Language (SQL) injection.

  • lfilei: a rule that defends against local file inclusion.

  • rfilei: a rule that defends against remote file inclusion.

  • other: other protection rules.

xss

waf_test

The protection mode that is used for the request after a rule created for the protection rules engine feature is triggered. Valid values:

  • true: the observation mode. In this mode, logs are recorded, but protection actions such as blocking are not triggered.

  • false: the prevention mode. In this mode, WAF performs protection actions such as blocking the request that matches the protection rule.

false

wxbb_action

The action that is performed on the request after a rule created for the app protection feature is triggered. Valid values:

  • block: The request is blocked because the signature fails verification.

  • captcha: Common slider CAPTCHA verification is performed.

  • js: JavaScript validation is performed.

  • continue: The request is allowed because the signature passed verification.

For more information about WAF protection actions, see Description of the action field.

block

wxbb_invalid_wua

The reason why requests are considered abnormal based on the rule created for the app protection feature. Valid values:

  • wxbb_simulator: A simulator is used.

  • wxbb_proxy: A proxy is used.

  • wxbb_root: A rooted device is used.

  • wxbb_hook: Hooking is used.

  • wxbb_antireplay: Replay attacks occur. The replay attacks use the signature string wToken.

  • wxbb_virtual: Multi-boxing is configured for Anti-Bot SDK-integrated apps.

  • wxbb_debugged: The device is in debug mode.

  • wxbb_invalid_sign: Signature verification fails.

    The following section describes the common causes of the preceding error:

    • A request does not carry a signature.

    • The parameter that is passed when a signature is added is different from the parameter received by WAF. For example, the parameter a=1&b=2 is passed, but the parameter received by WAF is b=2&a=1. Another example: the content of the passed parameter is not encoded, but the content received by WAF is Base64-encoded.

wxbb_invalid_sign

wxbb_rule_id

The ID of the rule that is triggered. The rule is created for the app protection feature.

156789

wxbb_test

The protection mode that is used for the request after a rule created for the app protection feature is triggered. Valid values:

  • true: the observation mode. In this mode, logs are recorded, but protection actions such as blocking are not triggered.

  • false: the prevention mode. In this mode, WAF performs protection actions such as blocking the request that matches the protection rule.

false
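An added example (not part of the original documentation): a Python triage routine that combines final_action and final_plugin with the per-module <module>_action, <module>_rule_id and <module>_test fields. It reports rules that matched in observation mode on requests that were allowed. It assumes that records are dicts, that the _test values arrive as the strings "true" or "false", and that an observation-mode hit still logs the action the rule specifies. The sample records are constructed.

```python
from collections import Counter

# Prefixes of the per-module <prefix>_action / _rule_id / _test fields.
MODULES = ("account", "acl", "algorithm", "antifraud", "antiscan", "cc",
           "deeplearning", "dlp", "intelligence", "normalized", "scene",
           "waf", "wxbb")

# final_plugin uses "bot_intelligence", but the fields are intelligence_*.
PLUGIN_TO_PREFIX = {"bot_intelligence": "intelligence"}

# Descending priority, as documented for final_action.
ENFORCING = ("block", "captcha_strict", "captcha", "sigchl", "js")


def _is_true(value):
    return str(value).strip().lower() == "true"


def module_hits(record):
    """Return every protection module that logged an action for the request."""
    hits = []
    for prefix in MODULES:
        action = record.get(f"{prefix}_action")
        if action:
            hits.append({
                "module": prefix,
                "action": action,
                "rule_id": record.get(f"{prefix}_rule_id"),
                "observe_only": _is_true(record.get(f"{prefix}_test")),
            })
    return hits


def triage(record):
    """Classify one request and list the observation-mode rules it matched."""
    final_action = record.get("final_action")
    if final_action == "block":
        disposition = "blocked"
    elif final_action in ENFORCING:
        disposition = "challenged"
    else:
        # final_action is not recorded when the request was allowed or the
        # client passed a challenge.
        disposition = "allowed"

    shadow = [h for h in module_hits(record)
              if h["observe_only"] and h["action"] in ENFORCING]
    strongest = min((h["action"] for h in shadow),
                    key=ENFORCING.index, default=None)
    plugin = record.get("final_plugin")
    return {
        "trace": record.get("request_traceid"),
        "disposition": disposition,
        "final_module": PLUGIN_TO_PREFIX.get(plugin, plugin),
        "final_rule_id": record.get("final_rule_id"),
        "shadow_hits": shadow,
        # What prevention mode would have done to a request that got through.
        "would_have_been": strongest if disposition == "allowed" else None,
    }


def shadow_report(records):
    """Count (module, rule_id, action) for observation-mode hits on allowed requests."""
    counts = Counter()
    for record in records:
        result = triage(record)
        if result["would_have_been"]:
            for hit in result["shadow_hits"]:
                counts[(hit["module"], hit["rule_id"], hit["action"])] += 1
    return counts.most_common()


# Constructed sample records (illustrative values only).
SAMPLES = [
    {"request_traceid": "trace-0001", "waf_action": "block",
     "waf_rule_id": "113406", "waf_test": "true"},
    {"request_traceid": "trace-0002", "final_action": "block",
     "final_plugin": "bot_intelligence", "final_rule_id": "152234",
     "intelligence_action": "block", "intelligence_rule_id": "152234",
     "intelligence_test": "false",
     "cc_action": "js", "cc_rule_id": "151234", "cc_test": "false"},
    {"request_traceid": "trace-0003", "acl_action": "captcha_pass",
     "acl_rule_id": "151235", "acl_test": "false"},
    {"request_traceid": "trace-0004", "waf_action": "block",
     "waf_rule_id": "113406", "waf_test": "true",
     "cc_action": "js", "cc_rule_id": "151234", "cc_test": "true"},
]

if __name__ == "__main__":
    for key, count in shadow_report(SAMPLES):
        print(count, key)
```

A rule that appears often in this report is a candidate for review before its module is switched from observation to prevention mode.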