This topic describes the log fields supported by Web Application Firewall (WAF).

Table for field retrieval

The following table describes the exclusive fields that are supported by WAF. You can use the names of fields to retrieve the fields that you want to view.

First letter of a field name Field
a account_action | account_rule_id | account_test | acl_action | acl_rule_id | acl_rule_type | acl_test | algorithm_action | algorithm_rule_id | algorithm_test | antifraud_action | antifraud_test | antiscan_action | antiscan_rule_id | antiscan_rule_type | antiscan_test
b block_action | body_bytes_sent | bypass_matched_ids
c cc_action | cc_rule_id | cc_rule_type | cc_test | content_type
d deeplearning_action | deeplearning_rule_id | deeplearning_rule_type | deeplearning_test | dlp_action | dlp_rule_id | dlp_test
f final_action | final_plugin | final_rule_id | final_rule_type
h host | http_cookie | http_referer | http_user_agent | http_x_forwarded_for | https
i intelligence_action | intelligence_rule_id | intelligence_test
m matched_host
n normalized_action | normalized_rule_id | normalized_rule_type | normalized_test
q querystring
r real_client_ip | region | remote_addr | remote_port | request_body | request_length | request_method | request_path | request_time_msec | request_traceid
s scene_action | scene_id | scene_rule_id | scene_rule_type | scene_test | server_port | server_protocol | ssl_cipher | ssl_protocol | status
t time
u ua_browser | ua_browser_family | ua_browser_type | ua_browser_version | ua_device_type | ua_os | ua_os_family | upstream_addr | upstream_response_time | upstream_status | user_id
w waf_action | waf_rule_id | waf_rule_type | waf_test | wxbb_action | wxbb_invalid_wua | wxbb_rule_id | wxbb_test

The following table describes all actions that are supported by WAF.

Value of the action field | Description
block | Block, which indicates that WAF blocks client requests and returns 405 error pages to clients.
captcha_strict | Strict slider CAPTCHA verification, which indicates that WAF returns pages used for slider CAPTCHA verification to the client. If a client passes strict slider CAPTCHA verification, WAF allows the request from the client. Otherwise, WAF blocks the request. A client must pass strict slider CAPTCHA verification each time the client sends a request.
captcha | Common slider CAPTCHA verification, which indicates that WAF returns pages used for slider CAPTCHA verification to the client. If a client passes common slider CAPTCHA verification, WAF allows requests from the client in a specific time range. In this time range, the client can bypass the verification. By default, the time range is 30 minutes. If a client fails common slider CAPTCHA verification, WAF blocks requests from the client.
js | JavaScript verification, which indicates that WAF returns JavaScript code to the client. The JavaScript code can be automatically executed by the browsers that the client uses. If a client passes JavaScript verification, WAF allows requests from the client in a specific time range. In this time range, the client can bypass the verification. By default, the time range is 30 minutes. If a client fails JavaScript verification, WAF blocks requests from the client.
pass | Allow, which indicates that WAF allows client requests and forwards the requests to origin servers.
captcha_strict_pass | Indicates that the client passes strict slider CAPTCHA verification and WAF allows the request from the client.
captcha_pass | Indicates that the client passes common slider CAPTCHA verification and WAF allows the requests from the client.
js_pass | Indicates that the client passes JavaScript verification and WAF allows the requests from the client.
mask | Indicates that WAF masks the sensitive data that is returned from origin servers and returns the result to the client. Only the data leak prevention feature supports this action.
continue | Allow. The specific meaning of the continue action varies based on the protection features. For more information, see the descriptions of the normalized_action and wxbb_action fields.

Required fields

Required fields refer to the fields that must be contained in WAF logs.

Field Description Required Sample value
acl_rule_type The type of the rule that is triggered. The rule is created for the blacklist or custom protection policy (ACL) feature. Valid values:
  • custom: indicates a rule that is created for the custom protection policy (ACL) feature.
  • blacklist: indicates a rule that is created for the blacklist feature.
Yes custom
bypass_matched_ids The ID of the rule that is triggered to allow requests. The rule can be a whitelist rule or a custom protection rule that allows requests.

If multiple rules are triggered at the same time to allow requests, this field records the IDs of all the rules. Multiple IDs are separated by commas (,).

Yes 283531
cc_rule_type The type of the rule that is triggered. The rule is created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature. Valid values:
  • custom: indicates a custom protection rule (HTTP Flood Protection).
  • system: indicates an HTTP flood protection rule.
Yes custom
content_type The type of the requested content. Yes application/x-www-form-urlencoded
final_action The action that WAF performs on the client request. Valid values:
  • block: indicates that the request is blocked.
  • captcha_strict: indicates that strict slider CAPTCHA verification is performed.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.

For more information about WAF protection actions, see Description of the action field.

If a request does not trigger a protection feature, the field is not recorded. For example, if a request matches a rule that allows the request or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded.

If a request triggers multiple protection features at the same time, the field is recorded, and the field includes only the action that is performed. The following actions are listed in descending order of priority: block, strict slider CAPTCHA verification, common slider CAPTCHA verification, and JavaScript verification.

Yes block
final_plugin The protection feature that performs the action specified by final_action on the client request. Valid values:
  • waf: indicates the Protection Rules Engine feature.
  • deeplearning: indicates the Deep Learning Engine feature.
  • dlp: indicates the data leakage prevention feature.
  • account: indicates the account security feature.
  • normalized: indicates the positive security model feature.
  • acl: indicates the blacklist or custom protection policy (ACL) feature.
  • cc: indicates the HTTP flood protection and custom protection policy (HTTP Flood Protection) feature.
  • antiscan: indicates the scan protection feature.
  • scene: indicates scenario-specific configuration.
  • antifraud: indicates the data risk control feature.
  • bot_intelligence: indicates the bot threat intelligence feature.
  • algorithm: indicates the typical bot behavior identification feature.
  • wxbb: indicates the app protection feature.

To configure the preceding protection features, log on to the Web Application Firewall console and choose Protection Settings > Website Protection in the left-side navigation pane. For more information about WAF protection features, see Overview of website protection.

If a request does not trigger a protection feature, the field is not recorded. For example, if a request matches a rule that allows the request or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded.

If a request triggers multiple protection features at the same time, the field is recorded, and the field includes only the protection feature that performs the action specified by final_action.

Yes waf
final_rule_id The ID of the rule that is applied to the client request. The rule defines the action that is recorded in the final_action field. Yes 115341
final_rule_type The subtype of the rule that is applied to the client request. The rule is indicated by final_rule_id.

For example, final_plugin:waf supports final_rule_type:sqli and final_rule_type:xss.

Yes xss/webshell
host The Host field of the request header, which contains the domain name or the IP address that is accessed. The value of this field varies based on your service settings. Yes api.example.com
http_referer The Referer field of the request header, which contains the source URL information about the request.

If the request does not contain the source URL information, the value of the field is displayed as a hyphen (-).

Yes http://example.com
http_user_agent The User-Agent field of the request header. This field contains information about the browser and operating system. Yes Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002)
http_x_forwarded_for The X-Forwarded-For (XFF) field of the request header. This field is used to identify the actual IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing device. Yes 101.XX.XX.120
https Indicates whether the request is an HTTPS request. Valid values:
  • on: HTTPS request
  • off: HTTP request
Yes on
matched_host The domain name that is matched by WAF. The domain name is added to WAF for protection.
Note Wildcard domains can be added to WAF, and WAF may match a wildcard domain. For example, if the domain name *.aliyun.com is added to WAF and www.aliyun.com is requested, WAF matches the domain name *.aliyun.com.
Yes *.aliyun.com
querystring The query string in the client request. The query string refers to the part that follows the question mark (?) in the requested URL. Yes title=tm_content%3Darticle&pid=123
real_client_ip The actual IP address of the client that initiates the request. WAF identifies the actual IP address based on the analysis of the request.

If WAF cannot identify the actual IP address of the client, the value of the field is displayed as a hyphen (-). For example, if a proxy server is used or the IP field in the request header is invalid, WAF cannot identify the actual IP address of the client.

Yes 1.XX.XX.1
remote_addr The IP address that is used to connect to WAF.

If WAF is directly connected to a client, this field records the actual IP address of the client. If a Layer 7 proxy, such as Content Delivery Network (CDN), is deployed in front of WAF, this field records the IP address of the proxy.

Yes 1.XX.XX.1
remote_port The port that is used to connect to WAF.

If WAF is directly connected to a client, this field records the port of the client. If a Layer 7 proxy, such as CDN, is deployed in front of WAF, this field records the port of the proxy.

Yes 80
request_length The number of bytes in the client request. The request includes the request line, request header, and request body. Unit: bytes. Yes 111111
request_method The request method. Yes GET
request_path The requested relative path. The relative path refers to the part between the domain name and the question mark (?) in the requested URL. The relative path does not include the query string. Yes /news/search.php
request_time_msec The time that is taken by WAF to process the client request. Unit: milliseconds. Yes 44
request_traceid The unique identifier that is generated by WAF for each request. Yes 7837b11715410386943437009ea1f0
server_protocol The protocol and version that are used by the origin server to respond to the request forwarded by WAF. Yes HTTP/1.1
status The HTTP status code that WAF sends in response to the request from the client. Example: 200, which indicates that the request is received and accepted. Yes 200
time The point in time at which the request is initiated. The time follows the ISO 8601 standard in the yyyy-MM-ddTHH:mm:ss+08:00 format. The time must be in UTC. Yes 2018-05-02T16:03:59+08:00
upstream_addr The IP address and port number of the origin server. The format is IP address:Port. Multiple pairs of IP addresses and ports are separated by commas (,). Yes 1.XX.XX.1:443
upstream_response_time The time that the origin server takes to respond to the request forwarded by WAF. Unit: seconds. Yes 0.044
upstream_status The HTTP status code that the origin server sends in response to the request from WAF. Example: 200, which indicates that the request is received and accepted. Yes 200
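
The following Python sketch is an added example, not part of the WAF documentation. It triages log records by using the final_action priority order, the real_client_ip hyphen fallback, and bypass_matched_ids as described above, together with the optional <feature>_action, <feature>_rule_id, and <feature>_test fields described under Optional fields. It assumes that each record is already parsed into a dict of string values and that a rule hit in observation mode does not contribute to final_action; the function names and sample records are constructed for illustration.

```python
# Added example (not WAF's own code): triage WAF log records by field semantics.
# Assumption: every record is a dict of string values keyed by field name.

# Prefixes that have <prefix>_action and <prefix>_test fields on this page.
FEATURES = ("account", "acl", "algorithm", "antifraud", "antiscan", "cc",
            "deeplearning", "dlp", "intelligence", "normalized", "scene",
            "waf", "wxbb")

# Priority order documented for final_action, highest first.
PRIORITY = ("block", "captcha_strict", "captcha", "js")


def _is_true(value):
    """Interpret a *_test value; the string form "true"/"false" is assumed."""
    return str(value).strip().lower() == "true"


def client_ip(record):
    """Use real_client_ip unless WAF logged a hyphen, then use remote_addr."""
    ip = record.get("real_client_ip", "-")
    return ip if ip not in ("", "-") else record.get("remote_addr", "-")


def feature_hits(record):
    """Collect one entry per protection feature that logged an action."""
    hits = []
    for feature in FEATURES:
        action = record.get(f"{feature}_action")
        if not action:
            continue
        hits.append({
            "feature": feature,
            "action": action,
            # Some features (for example antifraud) have no *_rule_id field.
            "rule_id": record.get(f"{feature}_rule_id"),
            "observation": _is_true(record.get(f"{feature}_test", "false")),
        })
    return hits


def expected_final_action(hits):
    """Highest-priority action among hits that were enforced.

    Assumption: hits in observation mode (*_test is true) are logged only
    and therefore do not contribute to final_action.
    """
    enforced = {h["action"] for h in hits if not h["observation"]}
    for action in PRIORITY:
        if action in enforced:
            return action
    return None  # nothing enforced, so final_action should be absent


def triage(record):
    """Summarize what was enforced, what was only observed, and what was allowed."""
    hits = feature_hits(record)
    expected = expected_final_action(hits)
    allow_ids = [i.strip() for i in
                 record.get("bypass_matched_ids", "").split(",") if i.strip()]
    return {
        "client_ip": client_ip(record),
        "final_action": record.get("final_action"),
        "final_plugin": record.get("final_plugin"),
        "expected_final_action": expected,
        # False means the record disagrees with the documented priority order.
        "consistent": record.get("final_action") == expected,
        # Rules that would have blocked if switched to prevention mode.
        "would_block": [(h["feature"], h["rule_id"]) for h in hits
                        if h["observation"] and h["action"] == "block"],
        "allow_rule_ids": allow_ids,
    }


# Constructed sample records (documentation IP ranges, rule IDs from this page).
SAMPLE_RECORDS = [
    {   # Two features enforced; block outranks js. Client IP not identified.
        "real_client_ip": "-", "remote_addr": "192.0.2.10",
        "final_action": "block", "final_plugin": "waf",
        "final_rule_id": "113406", "final_rule_type": "sqli",
        "waf_action": "block", "waf_rule_id": "113406", "waf_test": "false",
        "cc_action": "js", "cc_rule_id": "151234", "cc_test": "false",
    },
    {   # ACL rule in observation mode: logged, not enforced, no final_action.
        "real_client_ip": "198.51.100.7", "remote_addr": "203.0.113.5",
        "acl_action": "block", "acl_rule_id": "151235", "acl_test": "true",
    },
    {   # Request allowed by two rules; no protection feature triggered.
        "real_client_ip": "198.51.100.8", "remote_addr": "198.51.100.8",
        "bypass_matched_ids": "283531,283532",
    },
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(triage(rec))
```

Records for which consistent is False, and rule IDs that appear repeatedly in would_block, are the ones to review before you switch a rule from observation mode to prevention mode.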

Optional fields

You can determine whether to include optional fields in WAF logs based on your business requirements. WAF logs record only the optional fields that you enable.

If you enable optional fields, WAF logs occupy more storage space. If you have sufficient log storage capacity, we recommend that you enable more optional fields to analyze logs in a more comprehensive manner. For more information about how to configure optional fields, see Modify log settings.

Field Description Required Sample value
account_action The action that is performed on the client request after an account security rule is triggered. The value is fixed as block, which indicates that the request is blocked.

For more information about WAF protection actions, see Description of the action field.

No block
account_rule_id The ID of the account security rule that is triggered. No 151235
account_test The protection mode that is used for the client request after an account security rule is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
No false
acl_action The action that is performed on the client request after a rule created for the blacklist or custom protection policy (ACL) feature is triggered. Valid values:
  • block: indicates that the request is blocked.
  • captcha_strict: indicates that strict slider CAPTCHA verification is performed.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.
  • captcha_strict_pass: indicates that the client passes strict slider CAPTCHA verification and WAF allows the request from the client.
  • captcha_pass: indicates that the client passes common slider CAPTCHA verification and WAF allows the request from the client.
  • js_pass: indicates that the client passes JavaScript verification and WAF allows the request from the client.

For more information about WAF protection actions, see Description of the action field.

No block
acl_rule_id The ID of the rule that is triggered. The rule is created for the blacklist or custom protection policy (ACL) feature. No 151235
acl_test The protection mode that is used for the client request after a rule created for the blacklist or custom protection policy (ACL) feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
No false
algorithm_action The action that is performed on the client request after a rule created for the typical bot behavior identification feature is triggered. Valid values:
  • block: indicates that the request is blocked.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.
  • captcha_pass: indicates that the client passes common slider CAPTCHA verification and WAF allows the request from the client.
  • js_pass: indicates that the client passes JavaScript verification and WAF allows the request from the client.

For more information about WAF protection actions, see Description of the action field.

No block
algorithm_rule_id The ID of the rule that is triggered. The rule is created for the typical bot behavior identification feature. No 151235
algorithm_test The protection mode that is used for the client request after a rule created for the typical bot behavior identification feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
No false
antifraud_action The action that is performed on the client request after a rule created for the data risk control feature is triggered. Valid values:
  • pass: indicates that the request is allowed.
  • block: indicates that the request is blocked.
  • captcha: indicates that common slider CAPTCHA verification is performed.

For more information about WAF protection actions, see Description of the action field.

No block
antifraud_test The protection mode that is used for the client request after a rule created for the data risk control feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
No false
antiscan_action The action that is performed on the client request after a rule created for the scan protection feature is triggered. The value is fixed as block, which indicates that the request is blocked.

For more information about WAF protection actions, see Description of the action field.

No block
antiscan_rule_id The ID of the rule that is triggered. The rule is created for the scan protection feature. No 151235
antiscan_rule_type The type of the rule that is triggered. The rule is created for the scan protection feature. Valid values:
  • highfreq: indicates a rule that blocks IP addresses from which web attacks are frequently initiated.
  • dirscan: indicates a rule that defends against directory traversal attacks.
  • scantools: indicates a rule that blocks the IP addresses of scanning tools.
  • collaborative: indicates a collaborative defense rule.
No highfreq
antiscan_test The protection mode that is used for the client request after a rule created for the scan protection feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
No false
block_action
Notice This field is no longer valid due to WAF upgrades. The field final_plugin replaces this field. If the block_action field is used in your services, replace the field with final_plugin at the earliest opportunity.
The WAF protection feature that is triggered to block the request. Valid values:
  • tmd: indicates HTTP flood protection. The value is equivalent to the cc value of final_plugin.
  • waf: indicates web attack protection. The value is equivalent to the waf value of final_plugin.
  • acl: indicates the custom protection policy feature. The value is equivalent to the acl value of final_plugin.
  • deeplearning: indicates Deep Learning Engine. The value is equivalent to the deeplearning value of final_plugin.
  • antiscan: indicates scan protection. The value is equivalent to the antiscan value of final_plugin.
  • antifraud: indicates data risk control. The value is equivalent to the antifraud value of final_plugin.
  • antibot: indicates bot management. The value is equivalent to the intelligence, algorithm, wxbb, and scene values of final_plugin.
No waf
body_bytes_sent The number of bytes in the request body. Unit: bytes. No 1111
cc_action The action that is performed on the client request after a rule created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature is triggered. Valid values:
  • block: indicates that the request is blocked.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.
  • captcha_pass: indicates that the client passes common slider CAPTCHA verification and WAF allows the request from the client.
  • js_pass: indicates that the client passes JavaScript verification and WAF allows the request from the client.

For more information about WAF protection actions, see Description of the action field.

No block
cc_rule_id The ID of the rule that is triggered. The rule is created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature. No 151234
cc_test The protection mode that is used for the client request after a rule created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
No false
deeplearning_action The action that is performed on the client request after a rule created for the Deep Learning Engine is triggered. The value is fixed as block, which indicates that the request is blocked.

For more information about WAF protection actions, see Description of the action field.

No block
deeplearning_rule_id The ID of the rule that is triggered. The rule is created for Deep Learning Engine. No 151238
deeplearning_rule_type The type of the rule that is triggered. The rule is created for Deep Learning Engine. Valid values:
  • xss: indicates a rule that defends against XSS attacks.
  • code_exec: indicates a rule that defends against specific attacks. The attacks exploit code execution vulnerabilities.
  • webshell: indicates a rule that defends against webshell uploads.
  • sqli: indicates a rule that defends against SQL injection.
  • lfilei: indicates a rule that defends against local file inclusion.
  • rfilei: indicates a rule that defends against remote file inclusion.
  • other: indicates other protection rules.
No xss
deeplearning_test The protection mode that is used for the client request after a rule created for the Deep Learning Engine is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
No false
dlp_action The action that is performed on the client request after a rule created for the data leakage prevention feature is triggered. Valid values:
  • block: indicates that the request is blocked.
  • mask: indicates that sensitive data is masked.

For more information about WAF protection actions, see Description of the action field.

No mask
dlp_rule_id The ID of the rule that is triggered. The rule is created for the data leakage prevention feature. No 151245
dlp_test The protection mode that is used for the client request after a rule created for the data leakage prevention feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
No false
intelligence_action The action that is performed on the client request after a rule created for the bot threat intelligence feature is triggered. Valid values:
  • block: indicates that the request is blocked.
  • captcha_strict: indicates that strict slider CAPTCHA verification is performed.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.
  • captcha_strict_pass: indicates that the client passes strict slider CAPTCHA verification and WAF allows the request from the client.
  • captcha_pass: indicates that the client passes common slider CAPTCHA verification and WAF allows the request from the client.
  • js_pass: indicates that the client passes JavaScript verification and WAF allows the request from the client.

For more information about WAF protection actions, see Description of the action field.

No block
intelligence_rule_id The ID of the rule that is triggered. The rule is created for the bot threat intelligence feature. No 152234
intelligence_test The protection mode that is used for the client request after a rule created for the bot threat intelligence feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
No false
normalized_action The action that is performed on the client request after a rule created for the positive security model feature is triggered. Valid values:
  • block: indicates that the request is blocked.
  • continue: indicates that the request is allowed.

For more information about WAF protection actions, see Description of the action field.

No block
normalized_rule_id The ID of the rule that is triggered. The rule is created for the positive security model feature. No 151266
normalized_rule_type The type of the rule that is triggered. The rule is created for the positive security model feature. Valid values:
  • User-Agent: indicates a User-Agent-based baseline rule. If the User-Agent field of a request header does not conform to the baseline, an attack may occur. This description applies to other rule types.
  • Referer: indicates a Referer-based baseline rule.
  • URL: indicates a URL-based baseline rule.
  • Cookie: indicates a cookie-based baseline rule.
  • Body: indicates a request body-based baseline rule.
No User-Agent
normalized_test The protection mode that is used for the client request after a rule created for the positive security model feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
No false
region The ID of the region where the WAF instance resides. Valid values:
  • cn: the Chinese mainland
  • int: outside the Chinese mainland
No cn
request_body The request body. No i am the request body, encrypted or not!
scene_action The action that is performed on the client request after a rule created for scenario-specific configuration is triggered. Valid values:
  • block: indicates that the request is blocked.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.
  • captcha_pass: indicates that the client passes common slider CAPTCHA verification and WAF allows the request from the client.
  • js_pass: indicates that the client passes JavaScript verification and WAF allows the request from the client.

For more information about WAF protection actions, see Description of the action field.

No block
scene_id The scenario ID of the rule that is triggered. The rule is created for scenario-specific configuration. No 151235
scene_rule_id The ID of the rule that is triggered. The rule is created for scenario-specific configuration. No 153678
scene_rule_type The type of the rule that is triggered. The rule is created for scenario-specific configuration. Valid values:
  • bot_aialgo: indicates an intelligent protection rule.
  • js: indicates a rule that blocks script-based bots.
  • intelligence: indicates a rule that blocks attacks based on bot threat intelligence or data center blacklists.
  • sdk: indicates a rule that checks for abnormal signatures of SDK-integrated apps and abnormal device behaviors.
  • cc: indicates an IP address-based throttling rule or a custom session-based throttling rule.
No bot_aialgo
scene_test The protection mode that is used for the client request after a rule created for scenario-specific configuration is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
No false
server_port The requested destination port. No 443
ssl_cipher The cipher suite that is used in the client request. No ECDHE-RSA-AES128-GCM-SHA256
ssl_protocol The SSL or TLS protocol and version that are used in the client request. No TLSv1.2
ua_browser The name of the browser that initiates the request.
Notice From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. We recommend that you use the required field http_user_agent to obtain the information about the User-Agent field of the client request. For more information, see http_user_agent.
No ie9
ua_browser_family The family to which the browser belongs.
Notice From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. We recommend that you use the required field http_user_agent to obtain the information about the User-Agent field of the client request. For more information, see http_user_agent.
No internet explorer
ua_browser_type The type of the browser that initiates the request.
Notice From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. We recommend that you use the required field http_user_agent to obtain the information about the User-Agent field of the client request. For more information, see http_user_agent.
No web_browser
ua_browser_version The version of the browser that initiates the request.
Notice From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. We recommend that you use the required field http_user_agent to obtain the information about the User-Agent field of the client request. For more information, see http_user_agent.
No 9.0
ua_device_type The device type of the client that initiates the request.
Notice From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. We recommend that you use the required field http_user_agent to obtain the information about the User-Agent field of the client request. For more information, see http_user_agent.
No computer
ua_os The operating system of the client that initiates the request.
Notice From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. We recommend that you use the required field http_user_agent to obtain the information about the User-Agent field of the client request. For more information, see http_user_agent.
No windows_7
ua_os_family The family to which the operating system of the client belongs.
Notice From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. We recommend that you use the required field http_user_agent to obtain the information about the User-Agent field of the client request. For more information, see http_user_agent.
No windows
user_id The ID of the Alibaba Cloud account to which the WAF instance belongs. No 17045741********
waf_action The action that is performed on the client request after a rule created for the Protection Rules Engine is triggered. The value is fixed as block, which indicates that the request is blocked.

For more information about WAF protection actions, see Description of the action field.

No block
waf_rule_id The ID of the rule that is triggered. The rule is created for Protection Rules Engine. No 113406
waf_rule_type The type of the rule that is triggered. The rule is created for Protection Rules Engine. Valid values:
  • xss: indicates a rule that defends against XSS attacks.
  • code_exec: indicates a rule that defends against attacks that exploit code execution vulnerabilities.
  • webshell: indicates a rule that defends against webshell uploads.
  • sqli: indicates a rule that defends against SQL injection.
  • lfilei: indicates a rule that defends against local file inclusion.
  • rfilei: indicates a rule that defends against remote file inclusion.
  • other: indicates other protection rules.
No xss
waf_test The protection mode that is used for the client request after a rule created for the Protection Rules Engine is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
No false
wxbb_action The action that is performed on the client request after a rule created for the app protection feature is triggered. Valid values:
  • block: indicates that the request is blocked because the signature fails verification.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.
  • continue: indicates that the request is allowed because the signature passes verification.

For more information about WAF protection actions, see Description of the action field.

No block
wxbb_invalid_wua The reason why client requests are considered abnormal based on the rule created for the app protection feature. Valid values:
  • wxbb_simulator: indicates that a simulator is used.
  • wxbb_proxy: indicates that a proxy is used.
  • wxbb_root: indicates that a rooted device is used.
  • wxbb_hook: indicates that hooking is used.
  • wxbb_antireplay: indicates that replay attacks that use the signature string wToken are detected.
  • wxbb_virtual: indicates that multiboxing is configured for Anti-Bot SDK-integrated apps.
  • wxbb_debugged: indicates that the device is in debug mode.
  • wxbb_invalid_sign: indicates that signature verification fails.
    The following information describes common causes:
    • A request does not carry a signature.
    • The parameter passed when a signature is added is different from the parameter received by WAF. For example, the parameter a=1&b=2 is passed, but the parameter received by WAF is b=2&a=1. As another example, the content of the passed parameter is not encoded, but the content received by WAF is Base64-encoded.
No wxbb_invalid_sign
wxbb_rule_id The ID of the rule that is triggered. The rule is created for the app protection feature. No 156789
wxbb_test The protection mode that is used for the client request after a rule created for the app protection feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
No false
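The following added example (not part of the WAF documentation) uses the waf_* and wxbb_* fields above to separate rule hits that were enforced from hits that were only logged in observation mode. It assumes logs exported as one JSON object per line; the function names, the sample records and rule ID 113407 are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample records, not real WAF output. Assumption: one JSON object
# per line with string values; rule ID 113407 is made up for the example.
SAMPLE_LOGS = """\
{"waf_action": "block", "waf_rule_id": "113406", "waf_rule_type": "xss", "waf_test": "false"}
{"waf_action": "block", "waf_rule_id": "113406", "waf_rule_type": "xss", "waf_test": "true"}
{"waf_action": "block", "waf_rule_id": "113406", "waf_rule_type": "xss"}
{"waf_action": "block", "waf_rule_id": "113407", "waf_rule_type": "sqli", "waf_test": "true"}
{"wxbb_action": "block", "wxbb_rule_id": "156789", "wxbb_invalid_wua": "wxbb_invalid_sign", "wxbb_test": "false"}
{"wxbb_action": "continue", "wxbb_rule_id": "156789", "wxbb_test": "false"}
{"wxbb_action": "captcha", "wxbb_rule_id": "156789", "wxbb_invalid_wua": "wxbb_proxy", "wxbb_test": "true"}
"""

MODES = {"true": "observation", "false": "prevention"}

def summarize(lines):
    """Count hits per (module, rule_id, rule_type, action, mode) and wxbb reasons."""
    hits, reasons = Counter(), Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        for module in ("waf", "wxbb"):
            action = rec.get(f"{module}_action")
            if not action:
                continue  # this module did not fire on the request
            # *_test tells whether the action was applied or only logged;
            # a missing or unexpected value is reported as "unknown".
            mode = MODES.get(str(rec.get(f"{module}_test", "")).lower(), "unknown")
            key = (module, rec.get(f"{module}_rule_id", "-"),
                   rec.get(f"{module}_rule_type", "-"), action, mode)
            hits[key] += 1
        if rec.get("wxbb_invalid_wua"):
            reasons[rec["wxbb_invalid_wua"]] += 1
    return hits, reasons

def logged_only_rules(hits):
    """Rules that matched in observation mode with an action other than continue."""
    return sorted({(m, rid) for (m, rid, _type, action, mode) in hits
                   if mode == "observation" and action != "continue"})

if __name__ == "__main__":
    hits, reasons = summarize(SAMPLE_LOGS.splitlines())
    for key, count in sorted(hits.items()):
        print(count, *key)
    print("logged only:", logged_only_rules(hits))
    print("wxbb reasons:", dict(reasons))
```

The rules returned by logged_only_rules are the ones whose matches would start being acted on if the corresponding protection mode were switched from observation to prevention.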
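For the wxbb_invalid_sign causes listed above, the following added example (not code from WAF or the Anti-Bot SDK) compares the parameter string an app signed with the string WAF received and names the kind of difference. It does not compute any signature; the function name and the sample strings are constructed.

```python
import base64
import binascii
from urllib.parse import parse_qsl

def diagnose_sign_mismatch(signed, received):
    """Compare the parameter string that was signed with the one WAF received."""
    if signed == received:
        return "identical"
    s_pairs = parse_qsl(signed, keep_blank_values=True)
    r_pairs = parse_qsl(received, keep_blank_values=True)
    if s_pairs and s_pairs == r_pairs:
        # Same pairs in the same order, different bytes (e.g. percent-encoding).
        return "reencoded"
    if s_pairs and sorted(s_pairs) == sorted(r_pairs):
        # Same pairs, different order: a=1&b=2 versus b=2&a=1.
        return "reordered"
    try:
        # Received content is the Base64 encoding of what was signed.
        if base64.b64decode(received, validate=True) == signed.encode():
            return "base64_encoded"
    except (binascii.Error, ValueError):
        pass
    return "different_content"

if __name__ == "__main__":
    signed = "a=1&b=2"  # constructed sample
    for received in ("a=1&b=2", "b=2&a=1", "a=%31&b=2",
                     base64.b64encode(signed.encode()).decode(), "a=1&b=3"):
        print(received, "->", diagnose_sign_mismatch(signed, received))
```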