This topic describes the log fields supported by Web Application Firewall (WAF).
Table for field retrieval
The following table describes the log fields that are supported by WAF. You can use the names of fields to query specific fields.
First letter of a field name | Field |
---|---|
a | Account security-related fields: account_action | account_rule_id | account_test; blacklist and custom protection policy (ACL)-related fields: acl_action | acl_rule_id | acl_rule_type | acl_test; typical bot behavior identification-related fields: algorithm_action | algorithm_rule_id | algorithm_test; data risk control-related fields: antifraud_action | antifraud_test; scan protection-related fields: antiscan_action | antiscan_rule_id | antiscan_rule_type | antiscan_test |
b | block_action (no longer valid, replaced by final_plugin) | body_bytes_sent | bypass_matched_ids |
c | HTTP flood protection-related fields: cc_action | cc_rule_id | cc_rule_type | cc_test; content_type |
d | Deep learning engine-related fields: deeplearning_action | deeplearning_rule_id | deeplearning_rule_type | deeplearning_test; data leakage prevention-related fields: dlp_action | dlp_rule_id | dlp_test |
f | final-related fields: final_action | final_plugin | final_rule_id | final_rule_type |
h | Host and request header-related fields: host | http_cookie | http_referer | http_user_agent | http_x_forwarded_for | https |
i | Bot threat intelligence-related fields: intelligence_action | intelligence_rule_id | intelligence_test |
m | Field for matched domain names that are protected by WAF: matched_host |
n | Positive security model-related fields: normalized_action | normalized_rule_id | normalized_rule_type | normalized_test |
q | Query string field: querystring |
r | Client address and request-related fields: real_client_ip | region | remote_addr | remote_port | request_body | request_length | request_method | request_path | request_time_msec | request_traceid |
s | Scenario-specific configuration-related fields: scene_action | scene_id | scene_rule_id | scene_rule_type | scene_test; server_port | server_protocol | sigchl_invalid_type | ssl_cipher | ssl_protocol | status |
t | Request time field: time |
u | User-Agent-related fields (no longer recorded since December 15, 2021): ua_browser | ua_browser_family | ua_browser_type | ua_browser_version | ua_device_type | ua_os | ua_os_family; origin server-related fields: upstream_addr | upstream_response_time | upstream_status; user_id |
w | Protection rules engine-related fields: waf_action | waf_rule_id | waf_rule_type | waf_test; app protection-related fields: wxbb_action | wxbb_invalid_wua | wxbb_rule_id | wxbb_test |
The following table describes all actions that are supported by WAF.
Value of the action field | Description |
---|---|
block | Indicates the block action. WAF blocks a request from the client and returns the 405 error page to the client. |
captcha_strict | Indicates strict slider CAPTCHA verification. WAF returns a slider CAPTCHA page to the client. If the client passes the verification, WAF allows the request; if the client fails, WAF blocks the request. In strict mode the client must pass the verification on every request it sends. |
captcha | Indicates common slider CAPTCHA verification. WAF returns a slider CAPTCHA page to the client. If the client passes the verification, WAF allows the client's requests for a specific period, during which the client is not challenged again. By default, the period is 30 minutes. If the client fails the verification, WAF blocks the client's requests. |
sigchl | Indicates dynamic token authentication. Web requests are signed: when the client sends a request, the Web SDK issued by WAF generates a signature for the request, and the signature is forwarded together with the request. If the signature is generated and verification succeeds, the request is forwarded to the origin server. If the signature cannot be generated or fails verification, WAF returns a code block that the client uses to obtain a dynamic token, and the request must be signed again. |
js | Indicates JavaScript verification. WAF returns JavaScript code to the client, which the client's browser executes automatically. If the client passes the verification, WAF allows the client's requests for a specific period, during which the client is not challenged again. By default, the period is 30 minutes. If the client fails the verification, WAF blocks the client's requests. |
pass | Indicates the Allow action. WAF allows the request from the client and forwards the request to the origin server. |
captcha_strict_pass | Indicates that the client passes strict slider CAPTCHA verification and WAF allows the request from the client. |
captcha_pass | Indicates that the client passes common slider CAPTCHA verification and WAF allows the requests from the client. |
sigchl_pass | Indicates that the client passes dynamic token authentication and WAF allows the requests from the client. |
js_pass | Indicates that the client passes JavaScript verification and WAF allows the requests from the client. |
mask | Indicates that WAF masks the sensitive data that is returned from the origin server and returns the result to the client. Only the data leak prevention feature supports this action. |
continue | Indicates the allow action. The exact meaning of the continue value depends on the protection feature that records it. For more information, see the descriptions of the normalized_action and wxbb_action fields. |
Required fields
Required fields refer to the fields that must be contained in WAF logs.
Field | Description | Sample value |
---|---|---|
acl_rule_type | The type of the rule that is triggered. The rule is created for the blacklist or custom protection policy (ACL) feature. Valid values: | custom |
bypass_matched_ids | The ID of the rule that is triggered to allow the request. The rule can be a whitelist rule or a custom protection rule that allows requests. If multiple allow rules are triggered at the same time, this field records the IDs of all of them, separated by commas (,). | 283531 |
cc_rule_type | The type of the rule that is triggered. The rule is created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature. Valid values: | custom |
content_type | The type of the requested content. | application/x-www-form-urlencoded |
final_action | The action that WAF performs on the request. Valid values: the action values described in Description of the action field. If the request does not trigger a protection feature, the field is not recorded; for example, if the request matches a rule that allows requests, or the client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded. If several features trigger on the same request, the recorded action is the one with the highest priority. In descending order of priority: block, captcha_strict (strict slider CAPTCHA verification), captcha (common slider CAPTCHA verification), sigchl (dynamic token authentication), and js (JavaScript verification). | block |
final_plugin | The protection feature that performs the action specified by final_action on the request. Valid values: To configure the preceding protection features, log on to the Web Application Firewall console and open the feature in the left-side navigation pane. For more information about WAF protection features, see Overview of website protection. If the request does not trigger a protection feature, the field is not recorded; for example, if the request matches a rule that allows requests, or the client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded. If the request triggers multiple protection features at the same time, the field records only the feature that performs the action specified by final_action; the other features that fired are visible only through their own optional fields, such as cc_action and cc_rule_id. | waf |
final_rule_id | The ID of the rule that is applied to the request. The rule defines the action that is recorded in the final_action field. | 115341 |
final_rule_type | The subtype of the rule that is applied to the request. The rule is indicated by final_rule_id. For example, | xss/webshell |
host | The Host header field of the request, which indicates the domain name or IP address to be accessed. | api.example.com |
http_cookie | The cookie header field of the request, which indicates the cookie information about the client. | k1=v1;k2=v2 |
http_referer | The Referer header field of the request, which indicates the source URL of the request. If the request does not contain a Referer header, the value of the field is a hyphen (-). | http://example.com |
http_user_agent | The User-Agent field of the request header. This field contains information about the browser and operating system. | Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002) |
http_x_forwarded_for | The X-Forwarded-For (XFF) field of the request header. The header is used to identify the originating IP address of a client that reaches the web server through an HTTP proxy or a load balancer. Because the header is written by the client or by intermediate proxies, its value can be forged and should not be used on its own for attribution; use real_client_ip for the address that WAF determined. | 47.100.XX.XX |
https | Indicates whether the request is an HTTPS request. Valid values: | on |
matched_host | The domain name that WAF matched. The domain name is one of the domain names added to WAF for protection. Note: Wildcard domains can be added to WAF, and WAF may match a wildcard domain. For example, if the domain name *.aliyun.com is added to WAF and www.aliyun.com is requested, WAF matches the domain name *.aliyun.com. | *.aliyun.com |
querystring | The query string in the request. The query string refers to the part that follows the question mark (?) in the requested URL. | title=tm_content%3Darticle&pid=123 |
real_client_ip | The originating IP address of the client that initiates the request, as determined by WAF from its analysis of the request. If WAF cannot identify the originating IP address of the client, the value of the field is a hyphen (-). | 192.0.XX.XX |
remote_addr | The IP address that is used to connect to WAF. If the client connects to WAF directly, this field records the originating IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN (CDN), is deployed in front of WAF, this field records the IP address of the proxy. | 198.51.XX.XX |
remote_port | The port that is used to connect to WAF. If the client connects to WAF directly, this field records the port of the client. If a Layer 7 proxy, such as CDN, is deployed in front of WAF, this field records the port of the proxy. | 80 |
request_length | The number of bytes in the request. The request includes the request line, request header, and request body. Unit: bytes. | 111111 |
request_method | The request method. | GET |
request_path | The requested relative path. The relative path refers to the part between the domain name and the question mark (?) in the requested URL. The relative path does not include the query string. | /news/search.php |
request_time_msec | The time that is taken by WAF to process the request. Unit: milliseconds. | 44 |
request_traceid | The unique identifier that is generated by WAF for each request. | 7837b11715410386943437009ea1f0 |
server_protocol | The protocol and version that are used by the origin server to respond to the request forwarded by WAF. | HTTP/1.1 |
status | The HTTP status code that is returned by WAF to the client. Example: 200, which indicates that the request is received and accepted. | 200 |
time | The point in time at which the request is initiated. The time follows the ISO 8601 standard in the yyyy-MM-ddTHH:mm:ss+08:00 format; the +08:00 offset means the timestamp is expressed in UTC+8, so convert it before correlating with logs that are recorded in UTC. | 2018-05-02T16:03:59+08:00 |
upstream_addr | The IP address and port number of the origin server, in the format IP address:Port. Multiple IP address and port pairs are separated by commas (,). | 198.51.XX.XX:443 |
upstream_response_time | The time that the origin server requires to respond to the request forwarded by WAF. Unit: seconds. | 0.044 |
upstream_status | The HTTP status code that is sent by the origin server as a response to the request from WAF. Example: 200, which indicates that the request is received and accepted. | 200 |
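The required fields above are enough for a first triage pass: which address to attribute a request to (real_client_ip versus remote_addr and the client-controlled X-Forwarded-For header), converting the UTC+8 timestamp for correlation, comparing request_time_msec (milliseconds) with upstream_response_time (seconds), and spotting responses that WAF served itself rather than relaying from the origin. The following Python is an added example written for this page; it is not code from the WAF documentation or from any WAF tool. The log records it works on are constructed to match the field descriptions above, with addresses from documentation ranges.

```python
"""Triage helpers over WAF access-log records.

Added example, not part of the WAF documentation or of any WAF tooling.
SAMPLE_RECORDS are constructed to match the required fields described in
this topic; values are strings, as a log store delivers them.
"""
from collections import Counter
from datetime import datetime, timezone

SAMPLE_RECORDS = [
    {   # allowed request that arrived through a CDN node in front of WAF
        "time": "2018-05-02T16:03:59+08:00",
        "real_client_ip": "192.0.2.10",
        "remote_addr": "198.51.100.7",
        "http_x_forwarded_for": "192.0.2.10, 198.51.100.7",
        "request_time_msec": "44",
        "upstream_response_time": "0.040",
        "status": "200",
        "upstream_status": "200",
    },
    {   # blocked by the protection rules engine; never reached the origin
        "time": "2018-05-02T16:04:10+08:00",
        "real_client_ip": "203.0.113.5",
        "remote_addr": "203.0.113.5",
        "http_x_forwarded_for": "-",
        "request_time_msec": "3",
        "upstream_response_time": "-",
        "status": "405",
        "upstream_status": "-",
        "final_action": "block",
        "final_plugin": "waf",
        "final_rule_id": "113406",
    },
    {   # WAF could not determine the originating address
        "time": "2018-05-02T16:04:12+08:00",
        "real_client_ip": "-",
        "remote_addr": "198.51.100.7",
        "http_x_forwarded_for": "10.0.0.1",
        "request_time_msec": "51",
        "upstream_response_time": "0.045",
        "status": "200",
        "upstream_status": "200",
    },
]


def client_ip(rec):
    """Address to attribute the request to.

    real_client_ip is WAF's own determination and is '-' when it could not
    decide. http_x_forwarded_for is copied from a header the client or any
    hop can write, so it is never used for attribution here. Behind a CDN,
    remote_addr is the CDN node, so the fallback names the proxy, not the
    end client; callers should treat such records separately.
    """
    ip = rec.get("real_client_ip", "-")
    return ip if ip != "-" else rec["remote_addr"]


def request_time_utc(rec):
    """Parse the ISO 8601 time (carries a +08:00 offset) and convert it to
    UTC so WAF records line up with other sources during an investigation."""
    return datetime.fromisoformat(rec["time"]).astimezone(timezone.utc)


def _num(value, default=0.0):
    """Numeric field, or default when WAF recorded '-' (not applicable)."""
    return default if value in (None, "-") else float(value)


def waf_overhead_ms(rec):
    """Time spent in WAF rather than at the origin.

    request_time_msec is in milliseconds, upstream_response_time in seconds;
    the unit mismatch is an easy mistake to make in dashboards.
    """
    upstream_ms = _num(rec.get("upstream_response_time")) * 1000
    return round(_num(rec.get("request_time_msec")) - upstream_ms, 3)


def served_by_waf(rec):
    """True when the response the client saw did not come unchanged from the
    origin: WAF served a block or challenge page (no upstream_status), or the
    status WAF returned differs from the origin's status."""
    upstream = rec.get("upstream_status", "-")
    return upstream == "-" or upstream != rec.get("status")


def blocked_by_client(records):
    """Count blocked requests per attributed client address."""
    return Counter(client_ip(r) for r in records
                   if r.get("final_action") == "block")


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(request_time_utc(r).isoformat(), client_ip(r),
              r.get("final_action", "-"), waf_overhead_ms(r), served_by_waf(r))
    print(blocked_by_client(SAMPLE_RECORDS))
```

The third record shows the case to watch: real_client_ip is a hyphen, so the fallback attributes the request to the CDN node in remote_addr, and the 10.0.0.1 in http_x_forwarded_for is exactly the kind of value a client can plant and must not be promoted to an attribution address.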
Optional fields
You can include optional fields in WAF logs based on your business requirements. WAF logs record only the optional fields that you enable.
If you enable optional fields, WAF logs occupy more storage space. If you have sufficient log storage capacity, we recommend that you enable more optional fields. This helps you to analyze logs in a more comprehensive manner. For more information about how to configure optional fields, see Modify log settings.
Field | Description | Sample value |
---|---|---|
account_action | The action that is performed on the request after an account security rule is triggered. The value is fixed as block, which indicates that the request is blocked. For more information about WAF protection actions, see Description of the action field. | block |
account_rule_id | The ID of the account security rule that is triggered. | 151235 |
account_test | The protection mode that is used for the request after an account security rule is triggered. Valid values: | false |
acl_action | The action that is performed on the request after a rule created for the blacklist or custom protection policy (ACL) feature is triggered. Valid values: see Description of the action field. | block |
acl_rule_id | The ID of the rule that is triggered. The rule is created for the blacklist or custom protection policy (ACL) feature. | 151235 |
acl_test | The protection mode that is used for the request after a rule created for the blacklist or custom protection policy (ACL) feature is triggered. Valid values: | false |
algorithm_action | The action that is performed on the request after a rule created for the typical bot behavior identification feature is triggered. Valid values: see Description of the action field. | block |
algorithm_rule_id | The ID of the rule that is triggered. The rule is created for the typical bot behavior identification feature. | 151235 |
algorithm_test | The protection mode that is used for the request after a rule created for the typical bot behavior identification feature is triggered. Valid values: | false |
antifraud_action | The action that is performed on the request after a rule created for the data risk control feature is triggered. Valid values: see Description of the action field. | block |
antifraud_test | The protection mode that is used for the request after a rule created for the data risk control feature is triggered. Valid values: | false |
antiscan_action | The action that is performed on the request after a rule created for the scan protection feature is triggered. The value is fixed as block, which indicates that the request is blocked. For more information about WAF protection actions, see Description of the action field. | block |
antiscan_rule_id | The ID of the rule that is triggered. The rule is created for the scan protection feature. | 151235 |
antiscan_rule_type | The type of the rule that is triggered. The rule is created for the scan protection feature. Valid values: | highfreq |
antiscan_test | The protection mode that is used for the request after a rule created for the scan protection feature is triggered. Valid values: | false |
block_action | Notice: This field is no longer valid due to WAF upgrades and has been replaced by final_plugin. If your services use block_action, replace it with final_plugin at the earliest opportunity. | waf |
body_bytes_sent | The number of bytes in the response body that the server returns to the client. The number of bytes of the response header is not counted. Unit: bytes. | 1111 |
cc_action | The action that is performed on the request after a rule created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature is triggered. Valid values: see Description of the action field. | block |
cc_rule_id | The ID of the rule that is triggered. The rule is created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature. | 151234 |
cc_test | The protection mode that is used for the request after a rule created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature is triggered. Valid values: | false |
deeplearning_action | The action that is performed on the request after a rule created for the deep learning engine feature is triggered. The value is fixed as block, which indicates that the request is blocked. For more information about WAF protection actions, see Description of the action field. | block |
deeplearning_rule_id | The ID of the rule that is triggered. The rule is created for the deep learning engine feature. | 151238 |
deeplearning_rule_type | The type of the rule that is triggered. The rule is created for the deep learning engine feature. Valid values: | xss |
deeplearning_test | The protection mode that is used for the request after a rule created for the deep learning engine feature is triggered. Valid values: | false |
dlp_action | The action that is performed on the request after a rule created for the data leakage prevention feature is triggered. Valid values: see Description of the action field. | mask |
dlp_rule_id | The ID of the rule that is triggered. The rule is created for the data leakage prevention feature. | 151245 |
dlp_test | The protection mode that is used for the request after a rule created for the data leakage prevention feature is triggered. Valid values: | false |
intelligence_action | The action that is performed on the request after a rule created for the bot threat intelligence feature is triggered. Valid values: see Description of the action field. | block |
intelligence_rule_id | The ID of the rule that is triggered. The rule is created for the bot threat intelligence feature. | 152234 |
intelligence_test | The protection mode that is used for the request after a rule created for the bot threat intelligence feature is triggered. Valid values: | false |
normalized_action | The action that is performed on the request after a rule created for the positive security model feature is triggered. Valid values: see Description of the action field. | block |
normalized_rule_id | The ID of the rule that is triggered. The rule is created for the positive security model feature. | 151266 |
normalized_rule_type | The type of the rule that is triggered. The rule is created for the positive security model feature. Valid values: | User-Agent |
normalized_test | The protection mode that is used for the request after a rule created for the positive security model feature is triggered. Valid values: | false |
region | The ID of the region where the WAF instance resides. Valid values: | cn |
request_body | The request body. | i am the request body, encrypted or not! |
scene_action | The action that is performed on the request after a rule created for scenario-specific configuration is triggered. Valid values: see Description of the action field. | block |
scene_id | The scenario ID of the rule that is triggered. The rule is created for scenario-specific configuration. | 151235 |
scene_rule_id | The ID of the rule that is triggered. The rule is created for scenario-specific configuration. | 153678 |
scene_rule_type | The type of the rule that is triggered. The rule is created for scenario-specific configuration. Valid values: | bot_aialgo |
scene_test | The protection mode that is used for the request after a rule created for scenario-specific configuration is triggered. Valid values: | false |
sigchl_invalid_type | The reason why the request is considered abnormal by dynamic token authentication rules. Valid values: | sigchl_invalid_sig |
server_port | The requested destination port. | 443 |
ssl_cipher | The cipher suite that is used in the request. | ECDHE-RSA-AES128-GCM-SHA256 |
ssl_protocol | The SSL or TLS protocol and version that are used in the request. | TLSv1.2 |
ua_browser | The name of the browser that initiates the request. Notice: Since December 15, 2021, this field is no longer supported by WAF and is not recorded even if you select it on the Log Settings page. Use the required field http_user_agent to obtain the User-Agent information of the request. For more information, see http_user_agent. | ie9 |
ua_browser_family | The family to which the browser belongs. Notice: No longer supported since December 15, 2021 and not recorded even if selected on the Log Settings page; use http_user_agent instead (see ua_browser). | internet explorer |
ua_browser_type | The type of the browser that initiates the request. Notice: No longer supported since December 15, 2021 and not recorded even if selected on the Log Settings page; use http_user_agent instead (see ua_browser). | web_browser |
ua_browser_version | The version of the browser that initiates the request. Notice: No longer supported since December 15, 2021 and not recorded even if selected on the Log Settings page; use http_user_agent instead (see ua_browser). | 9.0 |
ua_device_type | The device type of the client that initiates the request. Notice: No longer supported since December 15, 2021 and not recorded even if selected on the Log Settings page; use http_user_agent instead (see ua_browser). | computer |
ua_os | The operating system of the client that initiates the request. Notice: No longer supported since December 15, 2021 and not recorded even if selected on the Log Settings page; use http_user_agent instead (see ua_browser). | windows_7 |
ua_os_family | The family to which the operating system of the client belongs. Notice: No longer supported since December 15, 2021 and not recorded even if selected on the Log Settings page; use http_user_agent instead (see ua_browser). | windows |
user_id | The ID of the Alibaba Cloud account to which the WAF instance belongs. | 17045741******** |
waf_action | The action that is performed on the request after a rule created for the protection rules engine feature is triggered. The value is fixed as block, which indicates that the request is blocked. For more information about WAF protection actions, see Description of the action field. | block |
waf_rule_id | The ID of the rule that is triggered. The rule is created for the protection rules engine feature. | 113406 |
waf_rule_type | The type of the rule that is triggered. The rule is created for the protection rules engine feature. Valid values: | xss |
waf_test | The protection mode that is used for the request after a rule created for the protection rules engine feature is triggered. Valid values: | false |
wxbb_action | The action that is performed on the request after a rule created for the app protection feature is triggered. Valid values: see Description of the action field. | block |
wxbb_invalid_wua | The reason why requests are considered abnormal based on the rule created for the app protection feature. Valid values: | wxbb_invalid_sign |
wxbb_rule_id | The ID of the rule that is triggered. The rule is created for the app protection feature. | 156789 |
wxbb_test | The protection mode that is used for the request after a rule created for the app protection feature is triggered. Valid values: | false |
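Two points from these tables are worth automating. First, final_plugin in the required fields table names only the feature whose action won under the priority order given for final_action (block, then captcha_strict, captcha, sigchl, js), so a request that tripped both the protection rules engine and HTTP flood protection shows only one of them there; the per-feature optional fields above (waf_action, cc_action, and the rest) recover the others, and they also let you check the recorded final_action against what the feature fields imply. Second, block_action has been replaced by final_plugin, and any query keyed on the old field silently stops matching unless records are normalised. The following Python is an added example written for this page, not code from the WAF documentation or from any WAF tool; the record it processes is constructed, and its rule IDs are made up.

```python
"""Enumerate every protection feature that fired on a request.

Added example, not part of the WAF documentation or of any WAF tooling.
SAMPLE_RECORD is constructed: the rules engine and HTTP flood protection
both fired, and the record still carries the deprecated block_action field.
"""

# Prefixes of the per-feature optional fields described in this topic.
FEATURE_PREFIXES = [
    "account", "acl", "algorithm", "antifraud", "antiscan", "cc",
    "deeplearning", "dlp", "intelligence", "normalized", "scene",
    "waf", "wxbb",
]

# Block/challenge actions, highest priority first, in the order the
# final_action description gives them. Allow actions (pass, continue) and
# mask are not part of that ordering and are not resolved here.
ACTION_PRIORITY = ["block", "captcha_strict", "captcha", "sigchl", "js"]

SAMPLE_RECORD = {
    "request_traceid": "7837b11715410386943437009ea1f0",
    "block_action": "waf",          # deprecated field, still present
    "final_action": "block",
    "final_rule_id": "113406",
    "final_rule_type": "xss",
    "waf_action": "block",
    "waf_rule_id": "113406",
    "waf_rule_type": "xss",
    "waf_test": "false",
    "cc_action": "captcha",         # lost to the rules engine's block
    "cc_rule_id": "151234",
    "cc_rule_type": "custom",
    "cc_test": "false",
}


def upgrade_record(rec):
    """Return a copy with the deprecated block_action mapped to final_plugin.

    Normalising at ingestion keeps records written before and after the
    rename comparable; the input record is left untouched.
    """
    out = dict(rec)
    if "final_plugin" not in out and "block_action" in out:
        out["final_plugin"] = out.pop("block_action")
    return out


def triggered_features(rec):
    """List (feature, action, rule_id, rule_type, test) for every feature
    whose <feature>_action field is present in the record. Fields a feature
    does not define, or that were not enabled in the log settings, are None.
    """
    hits = []
    for p in FEATURE_PREFIXES:
        action = rec.get(f"{p}_action")
        if action is not None:
            hits.append((p, action, rec.get(f"{p}_rule_id"),
                         rec.get(f"{p}_rule_type"), rec.get(f"{p}_test")))
    return hits


def expected_final_action(rec):
    """Highest-priority block/challenge action among the triggered features,
    or None when no feature blocked or challenged the request."""
    actions = {hit[1] for hit in triggered_features(rec)}
    return next((a for a in ACTION_PRIORITY if a in actions), None)


def final_action_consistent(rec):
    """Check the recorded final_action against the per-feature fields."""
    return rec.get("final_action") == expected_final_action(rec)


def shadowed_features(rec):
    """Features that fired but are not the one named in final_plugin."""
    winner = upgrade_record(rec).get("final_plugin")
    return [hit[0] for hit in triggered_features(rec) if hit[0] != winner]


if __name__ == "__main__":
    for hit in triggered_features(SAMPLE_RECORD):
        print(hit)
    print("final_action consistent:", final_action_consistent(SAMPLE_RECORD))
    print("shadowed by final_plugin:", shadowed_features(SAMPLE_RECORD))
```

Only features whose optional fields are enabled in the log settings appear in a record, so a feature missing from triggered_features may simply not be logged; the consistency check is therefore useful for catching pipeline or parsing faults, not for proving that nothing else fired.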