This topic describes the fields that are included in Web Application Firewall (WAF) logs.
Table for field retrieval
The following table describes the log fields that are supported by WAF. You can query fields by field name.
Initial | Field |
a | Fields related to IP address blacklist and custom access control rules: acl_action | acl_rule_id | acl_rule_type | acl_test; fields related to scan protection: antiscan_action | antiscan_rule_id | antiscan_rule_type | antiscan_test |
b | Field used to record the size of the response body: body_bytes_sent; field used to record matched rules that allow requests: bypass_matched_ids |
c | Fields related to custom throttling: cc_action | cc_rule_id | cc_rule_type | cc_test; field used to record protocol compliance matches: compliance_hit; field used to record the type of the requested content: content_type |
d | Fields related to data leakage prevention: dlp_action | dlp_rule_id | dlp_test |
f | Fields related to actions that are performed by WAF on requests: final_action | final_plugin | final_rule_id | final_rule_type |
h | Fields related to the requested host and request headers: host | http_cookie | http_referer | http_user_agent | http_x_forwarded_for | https |
m | Fields related to major event protection: major_protection_action | major_protection_rule_id | major_protection_rule_type | major_protection_test; field used to record the protected object: matched_host |
q | Field used to record the query string: querystring |
r | Fields related to the client address: real_client_ip | remote_addr | remote_port; field used to record the region of the WAF instance: region; fields related to the request: request_body | request_header | request_length | request_method | request_path | request_time_msec | request_traceid; fields related to the response: response_header | response_info | response_set_cookie |
s | Fields related to bot management: scene_action | scene_id | scene_rule_id | scene_rule_type | scene_test; field used to record semantic analysis matches: sema_hit; fields related to the server and TLS: server_port | server_protocol | ssl_cipher | ssl_protocol; field used to record the response status code: status |
t | Field used to record the time when requests are initiated: time |
u | Fields related to the response of the origin server: upstream_addr | upstream_response_time | upstream_status; field used to record the Alibaba Cloud account: user_id |
w | Fields related to basic protection: waf_action | waf_hit | waf_rule_id | waf_rule_type | waf_test |
Required fields
Required fields refer to fields that must be included in WAF logs.
Field | Description | Example |
bypass_matched_ids | The ID of the matched rule that allows the request. The rule can be a whitelist rule or a custom protection rule. If multiple rules are matched at the same time to allow requests, the field records all IDs of the rules. Multiple IDs are separated with commas (,). | 283531 |
content_type | The type of the requested content. | application/x-www-form-urlencoded |
final_action | The action that is performed by WAF on the request. Valid values: block, captcha_strict, captcha, and js. For information about the actions that are performed by WAF on requests, see Description of the *_action field. If a request does not trigger a protection module, the field is not recorded. For example, if a request matches a rule that allows the request, or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded. If a request triggers multiple protection modules at the same time, the field records only the action that is actually performed, which is the action with the highest priority. The actions in descending order of priority are: blocking (block), strict slider CAPTCHA verification (captcha_strict), common slider CAPTCHA verification (captcha), and JavaScript validation (js). | block |
final_plugin | The protection module based on which the action is performed on the request. The final_action field records the action that is performed. Valid values: If a request does not trigger a protection module, the field is not recorded. For example, if a request matches a rule that allows the request, or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded. If a request triggers multiple protection modules at the same time, the field records only the protection module based on which the final action is performed. | waf |
final_rule_id | The ID of the rule based on which the final action is performed. The final_action field records the action that is performed. | 115341 |
final_rule_type | The subtype of the rule based on which the final action is performed. The final_rule_id field records the rule. For example, | xss/webShell |
host | The Host field of the request header that contains the requested domain name or the IP address. The value of this field varies based on your service settings. | api.example.com |
http_cookie | The Cookie field of the request header that contains information about the cookies associated with the request. | k1=v1;k2=v2 |
http_referer | The Referer field of the request header that contains information about the source URL of the request. If no source URL information is contained, the value of the field is displayed as a hyphen (-). | http://example.com |
http_user_agent | The User-Agent field of the request header that contains information about the browser and operating system. | Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002) |
http_x_forwarded_for | The X-Forwarded-For (XFF) field of the request header. This field is used to identify the originating IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing device. | 47.100.XX.XX |
https | Indicates whether the request is an HTTPS request. | on |
matched_host | The protected object that is requested. The protected object can be an instance or a domain name. Note The domain name can be an exact match domain name or a wildcard domain name. For example, if the domain name *.aliyundoc.com is added to WAF and www.aliyundoc.com is requested, the domain name *.aliyundoc.com is the protected object that is requested. | *.aliyundoc.com |
querystring | The query string in the request. The query string is a string of data that is appended to the end of the request URL. The query string is separated from the request URL by a question mark (?). | title=tm_content%3Darticle&pid=123 |
real_client_ip | The originating IP address of the client that sends the request. WAF identifies the IP address based on request analysis. If WAF cannot identify the originating IP address of the client, such as when a proxy server is used or the IP field in the request header is invalid, the value of the field is displayed as a hyphen (-). | 192.0.XX.XX |
region | The ID of the region in which the WAF instance is deployed. Valid values: | cn |
remote_addr | The IP address that is used to connect to WAF. If no Layer 7 proxies are deployed in front of WAF, this field records the IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the IP address of the Layer 7 proxy. | 198.51.XX.XX |
remote_port | The port that is used to connect to WAF. If no Layer 7 proxies are deployed in front of WAF, this field records the port of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the port of the Layer 7 proxy. | 80 |
request_length | The number of bytes in the request, including the bytes in the request line, the request header, and request body. Unit: bytes. | 111111 |
request_method | The request method. | GET |
request_path | The requested relative path. The relative path refers to the part between the domain name and the question mark (?) in the request URL. The relative path does not include the query string. | /news/search.php |
request_time_msec | The time that is taken by WAF to process the request. Unit: milliseconds. | 44 |
request_traceid | The unique identifier that is generated by WAF for the client request. | 7837b11715410386943437009ea1f0 |
server_protocol | The protocol and version that are used by the origin server to respond to the request forwarded by WAF. Important This field is not supported for custom domain names bound to web applications in Function Compute. | HTTP/1.1 |
ssl_cipher | The cipher suites that are used by the client. | ECDHE-RSA-AES128-GCM-SHA256 |
ssl_protocol | The SSL or TLS protocol and version that are used in the request. | TLSv1.2 |
status | The HTTP status code that is included in the response from WAF to the client. Example: The HTTP status code 200 indicates that the request is received and accepted. | 200 |
time | The point in time when the request is initiated. The time follows the ISO 8601 standard, in the format shown in the example. | 2018-05-02T16:03:59+08:00 |
upstream_addr | The IP address and port number of the origin server, in the IP address:port format shown in the example. Important This field is not supported for custom domain names bound to web applications in Function Compute. | 198.51.XX.XX:443 |
upstream_response_time | The time that is required by the origin server to respond to the request that is forwarded by WAF. Unit: seconds. | 0.044 |
upstream_status | The HTTP status code that is sent by the origin server in response to the request that is forwarded by WAF. Example: The HTTP status code 200 indicates that the request is received and accepted. | 200 |
user_id | The ID of the Alibaba Cloud account to which the WAF instance belongs. | 17045741******** |
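The required fields above arrive as strings, with a hyphen standing in for unknown values, milliseconds in one timing field and seconds in another, and comma-separated rule IDs in bypass_matched_ids. The following added example (not Alibaba Cloud code) normalizes such records into typed Python values and reproduces the final_action priority rule described in the table (block over captcha_strict over captcha over js; pass, bypass, js_pass and monitor yield no final_action). It assumes one JSON object per log line; the sample lines, addresses and rule IDs are constructed for the example.

```python
"""Parse and normalize WAF log records (added example, not Alibaba Cloud code).

One JSON object per line is an assumption of this example; the sample values
are constructed from the required-field table above.
"""
import json
from datetime import datetime

# Actions that final_action can hold, highest priority first (see the final_action row).
ACTION_PRIORITY = ("block", "captcha_strict", "captcha", "js")

# Fields that WAF writes as a hyphen when the value is not available.
HYPHEN_FIELDS = ("http_referer", "real_client_ip")

INT_FIELDS = ("status", "upstream_status", "remote_port", "request_length", "request_time_msec")


def parse_record(line):
    """Turn one JSON-encoded log line into typed values."""
    rec = json.loads(line)
    for f in HYPHEN_FIELDS:
        if rec.get(f) == "-":
            rec[f] = None                      # "-" means WAF could not determine the value
    for f in INT_FIELDS:
        if f in rec:
            rec[f] = int(rec[f])
    if "upstream_response_time" in rec:       # origin response time, in seconds
        rec["upstream_response_time"] = float(rec["upstream_response_time"])
    if "bypass_matched_ids" in rec:           # comma-separated allow-rule IDs, possibly empty
        rec["bypass_matched_ids"] = [i for i in rec["bypass_matched_ids"].split(",") if i]
    rec["time"] = datetime.fromisoformat(rec["time"])   # ISO 8601 with UTC offset
    rec["https"] = rec.get("https") == "on"
    return rec


def resolve_final_action(module_actions):
    """Pick the action WAF would record as final_action from per-module *_action values.

    Returns None when no module blocked or challenged the request: pass, bypass,
    js_pass and monitor do not produce a final_action.
    """
    best = None
    for action in module_actions.values():
        if action not in ACTION_PRIORITY:
            continue
        if best is None or ACTION_PRIORITY.index(action) < ACTION_PRIORITY.index(best):
            best = action
    return best


def load_records(lines):
    """Parse every non-empty line into a normalized record."""
    return [parse_record(line) for line in lines if line.strip()]


# Constructed sample lines: a request blocked by WAF (HTTP 405, no upstream fields)
# and a request allowed by a whitelist rule. Addresses are documentation ranges.
SAMPLE_LINES = [
    json.dumps({"time": "2018-05-02T16:03:59+08:00", "host": "api.example.com",
                "request_method": "GET", "request_path": "/news/search.php",
                "querystring": "title=tm_content%3Darticle&pid=123",
                "remote_addr": "198.51.100.7", "real_client_ip": "-", "http_referer": "-",
                "https": "on", "status": "405", "request_length": "512",
                "request_time_msec": "44", "bypass_matched_ids": "",
                "final_action": "block", "final_plugin": "waf",
                "final_rule_id": "115341", "final_rule_type": "xss"}),
    json.dumps({"time": "2018-05-02T16:04:12+08:00", "host": "api.example.com",
                "request_method": "GET", "request_path": "/", "querystring": "",
                "remote_addr": "203.0.113.9", "real_client_ip": "192.0.2.44",
                "http_referer": "http://example.com", "https": "on", "status": "200",
                "request_length": "301", "request_time_msec": "51",
                "upstream_addr": "198.51.100.20:443", "upstream_status": "200",
                "upstream_response_time": "0.044", "bypass_matched_ids": "283531"}),
]

if __name__ == "__main__":
    for r in load_records(SAMPLE_LINES):
        print(r["time"].isoformat(), r["request_path"], r.get("final_action", "allowed"),
              r["real_client_ip"], r["bypass_matched_ids"])
```

Note that remote_addr and real_client_ip are kept separate on purpose: when a Layer 7 proxy sits in front of WAF, remote_addr is the proxy and only real_client_ip (or a hyphen) describes the client, so any blocklist or rate logic built on these logs should be explicit about which one it keys on.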
Optional fields
You can enable optional fields in WAF logs based on your business requirements. WAF logs record only the optional fields that you enabled.
If you enable optional fields, WAF logs occupy more storage space. If you have sufficient log storage capacity, we recommend that you enable additional optional fields to analyze logs in a more comprehensive manner. For more information about how to configure optional fields, see Configure log settings.
Field | Description | Example |
acl_action | The action that is performed on the request based on an IP address blacklist rule or a custom access control rule. Valid values: For more information about WAF protection actions, see Description of the *_action field. | block |
acl_rule_id | The ID of the IP address blacklist rule or custom access control rule that is matched. | 151235 |
acl_rule_type | The type of the IP address blacklist rule or custom access control rule that is matched. Valid values: | custom |
acl_test | The protection mode that is used for the request based on an IP address blacklist rule or a custom access control rule. Valid values: | false |
antiscan_action | The action that is performed on the request based on a scan protection rule. The value of the field is fixed to block, which indicates that the request is blocked. For more information about WAF protection actions, see Description of the *_action field. | block |
antiscan_rule_id | The ID of the scan protection rule that is matched. | 151235 |
antiscan_rule_type | The type of the scan protection rule that is matched. Valid values: | highfreq |
antiscan_test | The protection mode that is used for the request based on a scan protection rule. Valid values: | false |
body_bytes_sent | The number of bytes in the response body that the server returns to the client. The number of bytes of the response header is not counted. Unit: bytes. Important This field is not supported for custom domain names bound to web applications in Function Compute. | 1111 |
cc_action | The action that is performed on the request based on a custom throttling rule. Valid values: For more information about WAF protection actions, see Description of the *_action field. | block |
cc_rule_id | The ID of the custom throttling rule that is matched. | 151234 |
cc_rule_type | The type of the rule that is matched. The value of the field is fixed to custom, which indicates that a custom throttling rule is matched. | custom |
cc_test | The protection mode that is used for the request based on a custom throttling rule. Valid values: | false |
request_body | The request body. The value can be up to 8 KB in size. | test123curl -ki https://automated-acltest02.***.top/ --resolve automated-acltest02.***.top:443:39.107.XX.XX |
request_header | The custom request headers. If you enable this field, you must specify the request headers. You can add up to five custom request headers. Separate multiple request headers with commas (,). Important This field is not supported for ALB instances, MSE instances, and custom domain names bound to web applications in Function Compute. | {"ttt":"abcd"} |
server_port | The requested destination port. Important This field is not supported for custom domain names bound to web applications in Function Compute. | 443 |
waf_action | The action that is performed on the request based on a basic protection rule. The value of the field is fixed to block, which indicates that the request is blocked. For more information about WAF protection actions, see Description of the *_action field. | block |
waf_rule_id | The ID of the basic protection rule that is matched. Note The rule ID is displayed on the Basic Protection Rule tab of the Security Reports page. For more information, see the "Basic protection rule module" section in the Security reports topic. | 113406 |
waf_rule_type | The type of the basic protection rule that is matched. Valid values: | xss |
waf_test | The protection mode that is used for the request based on a basic protection rule. Valid values: | false |
major_protection_action | The action that is performed on the request based on a major event protection template. For more information about WAF protection actions, see Description of the *_action field. | block |
major_protection_rule_id | The ID of the major event protection rule that is matched. | 2221 |
major_protection_rule_type | The type of the major event protection rule that is matched. Valid values: | waf_blocks |
major_protection_test | The protection mode that is used based on a major event protection rule. Valid values: | true |
response_set_cookie | The cookie that is sent from the server to the client. Important This field is not supported for ALB instances, MSE instances, and custom domain names bound to web applications in Function Compute. | acw_tc=781bad3616674790875002820e2cebbc55b6e0dfd9579302762b1dece40e0a;path=\/;HttpOnly;Max-Age=1800 |
response_header | All response headers. Important This field is not supported for ALB instances, MSE instances, and custom domain names bound to web applications in Function Compute. | {"transfer-encoding":"chunked","set-cookie":"acw_tc=***;path=\/;HttpOnly;Max-Age=1800","content-type":"text\/html;charset=utf-8","x-powered-by":"PHP\/7.2.24","server":"nginx\/1.18.0","connection":"close"} |
response_info | The response body. The value can be up to 16 KB in size. If the content-encoding header is gzip, the response body is encoded in Base64. Important This field is not supported for ALB instances, MSE instances, and custom domain names bound to web applications in Function Compute. | $_POST Received:<br/>Array ( [***] => ) <hr/> $GLOBALS['HTTP_RAW_POST_DATA] Received:<br/> <hr/> php://input Received: *** |
dlp_action | The action that is performed on the request based on a data leakage prevention rule. Valid values: For more information about WAF protection actions, see Description of the *_action field. | block |
dlp_rule_id | The ID of the data leakage prevention rule that is matched. | 20031483 |
dlp_test | The protection mode that is used for the request based on a data leakage prevention rule. Valid values: | true |
scene_action | The action that is performed on the request based on a bot management rule. Valid values: For more information about WAF protection actions, see Description of the *_action field. | js |
scene_id | The scenario ID of the bot management rule that is matched. | a82d992b_bc8c_47f0_87ce_****** |
scene_rule_id | The ID of the bot management rule that is matched. | js-a82d992b_bc8c_47f0_87ce_****** |
scene_rule_type | The type of the bot management rule that is matched. Valid values: | bot_aialgo |
scene_test | The protection mode that is used for the request based on a bot management rule. Valid values: | true |
waf_hit | The content that matches basic protection rules. | {"postarg_values":{"hit":["${jndi:ldap://"],"raw":"postarg.log4j=${jndi:ldap://"}} |
compliance_hit | The content that matches protocol compliance violation attacks. | **********7df271da040a |
sema_hit | The content that matches semantic analysis attacks. | {"queryarg_values":{"hit":["\" from mysql.user"],"raw":"queryarg.y=\" from mysql.user"}} |
Description of the *_action field
*_action indicates the protection actions of different protection rules. For example, final_action indicates the protection action that is performed by WAF, and waf_action indicates the protection action of a basic protection rule. The protection actions vary based on the protection rule. For information about the protection actions, see the parameter description.
The following table describes the protection actions that are supported by WAF.
Protection action | Description |
block | The request is blocked. WAF blocks the client request and returns HTTP error code 405 to the client. |
captcha_strict | Strict slider CAPTCHA verification is performed. WAF returns the pages used for slider CAPTCHA verification to the client. If the client passes strict slider CAPTCHA verification, WAF allows the request from the client. Otherwise, WAF blocks the request. The client must pass strict slider CAPTCHA verification each time the client sends a request. |
captcha | Common slider CAPTCHA verification is performed. WAF returns the pages used for slider CAPTCHA verification to the client. If a client passes common slider CAPTCHA verification, WAF allows requests that are sent from the client in a specific time range. By default, the time range is set to 30 minutes. Otherwise, WAF blocks requests from the client. |
js | JavaScript validation is performed. WAF returns JavaScript code to the client. The JavaScript code is automatically run by the browsers that are used by the client. If the client passes JavaScript validation, WAF allows requests that are sent from the client in a specific time range. By default, the time range is set to 30 minutes. Otherwise, WAF blocks requests from the client. |
pass and bypass | The request is allowed. WAF allows the request that is sent from the client and forwards the request to the origin server. |
js_pass | The client passes JavaScript validation and WAF allows the request from the client. |
sigchl | Dynamic token authentication is performed and web requests are signed. When the client sends a request, the Web SDK that is issued by WAF generates a signature for the request. The signature is forwarded together with the request to the origin server. If the signature is generated and verified, the request is forwarded to the origin server. If the signature fails to be generated or verified, a code block that can be used to obtain a dynamic token is returned to the client and the request must be re-signed. |
monitor | The request is monitored. WAF records the request that matches the rule in logs but does not block the request. |
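The optional fields group per-module results under a common naming scheme (acl_*, antiscan_*, cc_*, waf_*, major_protection_*, dlp_*, scene_*) and carry the matched content in waf_hit, sema_hit and compliance_hit, while the table above gives the meaning of each *_action value. The following added example (not Alibaba Cloud code) walks a batch of records, extracts every module verdict, classifies the action by the outcome the table describes (blocked, challenged, allowed, signed, monitored), and decodes the *_hit JSON to count where in the request the matched content sat. The grouping of actions into classes, the record dicts and the rule type values are constructed for the example; the *_hit values reuse the page's own examples.

```python
"""Triage per-module WAF verdicts and matched content (added example, not Alibaba Cloud code).

Record dicts and rule type values are constructed for this example; the module
prefixes and *_hit formats follow the optional-field table on this page.
"""
import json
from collections import Counter

# Outcome class of each *_action value, grouped from the "Description of the *_action field" table.
ACTION_CLASS = {
    "block": "blocked",
    "captcha_strict": "challenged", "captcha": "challenged", "js": "challenged",
    "pass": "allowed", "bypass": "allowed", "js_pass": "allowed",
    "sigchl": "signed",
    "monitor": "monitored",
}

# Protection modules that emit <prefix>_action / _rule_id / _rule_type / _test fields.
MODULE_PREFIXES = ("acl", "antiscan", "cc", "waf", "major_protection", "dlp", "scene")

HIT_FIELDS = ("waf_hit", "sema_hit", "compliance_hit")


def module_verdicts(rec):
    """Return one dict per protection module that recorded an action for this request."""
    verdicts = []
    for prefix in MODULE_PREFIXES:
        action = rec.get(f"{prefix}_action")
        if action is None:
            continue
        verdicts.append({
            "module": prefix,
            "action": action,
            "class": ACTION_CLASS.get(action, "unknown"),
            "rule_id": rec.get(f"{prefix}_rule_id"),
            "rule_type": rec.get(f"{prefix}_rule_type"),
            "test": rec.get(f"{prefix}_test"),   # protection mode flag, kept verbatim
        })
    return verdicts


def parse_hit(value):
    """Decode a *_hit value of the form {"<location>": {"hit": [...], "raw": "..."}}.

    Returns a list of (location, matched fragments, raw field). compliance_hit is a
    bare string on this page, so any non-JSON value is returned under location "raw".
    """
    try:
        data = json.loads(value)
    except (TypeError, ValueError):
        return [("raw", [value], value)]
    if not isinstance(data, dict):
        return [("raw", [str(data)], value)]
    return [(loc, d.get("hit", []), d.get("raw", ""))
            for loc, d in data.items() if isinstance(d, dict)]


def summarize(records):
    """Count (module, rule_type, outcome class) and matched-content locations across records."""
    outcomes = Counter()
    locations = Counter()
    for rec in records:
        for v in module_verdicts(rec):
            outcomes[(v["module"], v["rule_type"], v["class"])] += 1
        for field in HIT_FIELDS:
            if field in rec:
                for loc, hits, _raw in parse_hit(rec[field]):
                    locations[(field, loc)] += len(hits)
    return outcomes, locations


# Constructed sample records (not real traffic); *_hit values are the page's own examples.
SAMPLE_RECORDS = [
    {"waf_action": "block", "waf_rule_id": "113406", "waf_rule_type": "webShell", "waf_test": "false",
     "waf_hit": '{"postarg_values":{"hit":["${jndi:ldap://"],"raw":"postarg.log4j=${jndi:ldap://"}}',
     "final_action": "block"},
    {"waf_action": "block", "waf_rule_id": "115341", "waf_rule_type": "xss", "waf_test": "false",
     "sema_hit": '{"queryarg_values":{"hit":["\\" from mysql.user"],"raw":"queryarg.y=\\" from mysql.user"}}',
     "final_action": "block"},
    {"cc_action": "captcha", "cc_rule_id": "151234", "cc_rule_type": "custom", "cc_test": "false",
     "scene_action": "js", "scene_rule_id": "js-example", "scene_rule_type": "bot_aialgo",
     "scene_test": "true", "final_action": "captcha"},
    {"acl_action": "pass", "acl_rule_id": "151235", "acl_rule_type": "custom", "acl_test": "false"},
]

if __name__ == "__main__":
    outcomes, locations = summarize(SAMPLE_RECORDS)
    for key, n in sorted(outcomes.items()):
        print("outcome", key, n)
    for key, n in sorted(locations.items()):
        print("hit location", key, n)
```

The third sample record shows why per-module verdicts matter for tuning: two modules fired (custom throttling with captcha, bot management with js), but final_action only reports captcha, so a report built on final_action alone would never show that the bot rule is also matching that traffic.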