This topic describes the log fields that are supported by Web Application Firewall (WAF).

Table for field retrieval

The following table lists the WAF log fields grouped by the first letter of the field name. You can use a field name to retrieve that field in log queries.

First letter of a field name: Fields
a: Access control and scan protection fields: acl_action | acl_rule_id | acl_rule_type | acl_test | antiscan_action | antiscan_rule_id | antiscan_rule_type | antiscan_test
b: Response size and allow-rule fields: body_bytes_sent | bypass_matched_ids
c: Throttling and content type fields: cc_action | cc_rule_id | cc_rule_type | cc_test | content_type
d: Data leakage prevention-related fields: dlp_action | dlp_rule_id | dlp_test
f: Fields for actions that are performed by WAF on requests: final_action | final_plugin | final_rule_id | final_rule_type
h: Request header and protocol fields: host | http_referer | http_user_agent | http_x_forwarded_for | https
m: Major event protection and protected object fields: major_protection_action | major_protection_rule_id | major_protection_rule_type | major_protection_test | matched_host
q: Query string field: querystring
r: Client address, request and response fields: real_client_ip | region | remote_addr | remote_port | request_body | request_header | request_length | request_method | request_path | request_time_msec | request_traceid | response_header | response_info | response_set_cookie
s: Bot management, server and TLS fields: scene_action | scene_id | scene_rule_id | scene_rule_type | scene_test | server_port | server_protocol | ssl_cipher | ssl_protocol | status
t: Request time field: time
u: Origin server and account fields: upstream_addr | upstream_response_time | upstream_status | user_id
w: Basic protection rule-related fields: waf_action | waf_rule_id | waf_rule_type | waf_test

Required fields

Required fields are the fields that are always included in WAF logs.

Field, description and example:

bypass_matched_ids
The ID of the matched rule that allows the request. The rule can be a whitelist rule or a custom protection rule. If multiple rules that allow the request are matched at the same time, the field records all of their IDs, separated with commas (,).
Example: 283531

content_type
The content type of the request, as declared in the Content-Type request header.
Example: application/x-www-form-urlencoded

final_action
The action that WAF ultimately performs on the request. Valid values:
  • block: The request is blocked.
  • captcha_strict: Strict slider CAPTCHA verification is performed.
  • captcha: Common slider CAPTCHA verification is performed.
  • js: JavaScript verification is performed.
For information about the actions that WAF performs on requests, see Description of the *_action field.
If the request does not match any protection module, the field is not recorded. The field is also not recorded if the request matches a rule that allows it, or if the client passes slider CAPTCHA verification or JavaScript verification.
If the request matches multiple protection modules at the same time, the field records only the action that takes effect, which is the one with the highest priority. In descending order of priority: block, captcha_strict, captcha, js.
Example: block

final_plugin
The protection module that performs the action recorded in final_action. Valid values:
  • waf: the basic protection rule module.
  • acl: the IP address blacklist rule module or the custom rule (access control) module.
  • cc: the custom rule (throttling) module.
  • antiscan: the scan protection module.
The field is not recorded in the same cases as final_action: the request matches no protection module, the request matches a rule that allows it, or the client passes slider CAPTCHA verification or JavaScript verification.
If the request matches multiple protection modules at the same time, the field records the module whose action takes effect, as selected for final_action.
Example: waf

final_rule_id
The ID of the rule that performs the action recorded in final_action.
Example: 115341

final_rule_type
The subtype of the rule identified by final_rule_id. For example, when final_plugin is waf, final_rule_type can be sqli or xss.
Example: xss or webshell

host
The Host request header, which contains the domain name or IP address that the client requests. The value varies based on your service settings.
Example: api.example.com

http_referer
The Referer request header, which contains the URL of the page from which the request originated. If the request carries no Referer header, the value is a hyphen (-).
Example: http://example.com

http_user_agent
The User-Agent request header, which contains information about the client's browser and operating system.
Example: Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002)

http_x_forwarded_for
The X-Forwarded-For (XFF) request header, which is used to identify the originating IP address of a client that reaches the web server through an HTTP proxy or a load balancing device. The header is written by the client or by proxies in the path and can be forged by the sender, so use real_client_ip for attribution and treat XFF as supporting evidence only.
Example: 47.100.XX.XX

https
Indicates whether the request is an HTTPS request. Valid values:
  • on: The request is an HTTPS request.
  • off: The request is an HTTP request.
Example: on

matched_host
The protected object that matches the request. The protected object can be an instance or a domain name.
Note Protected objects support wildcard domains, so WAF may match a wildcard domain. For example, if the domain name *.aliyundoc.com is added to WAF and www.aliyundoc.com is requested, WAF matches *.aliyundoc.com.
Example: *.aliyundoc.com

querystring
The query string of the request, which is the part of the requested URL after the question mark (?).
Example: title=tm_content%3Darticle&pid=123

real_client_ip
The originating IP address of the client that sends the request, as determined by WAF from its analysis of the request. If WAF cannot determine the originating IP address, the value is a hyphen (-). This happens, for example, when a proxy server is used or when the IP address field in the request header is invalid.
Example: 192.0.XX.XX

region
The ID of the region where the WAF instance resides. Valid values:
  • cn: The WAF instance resides in the Chinese mainland.
  • int: The WAF instance resides outside the Chinese mainland.
Example: cn

remote_addr
The IP address of the peer that connects to WAF. If the client connects to WAF directly, this is the originating IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this is the IP address of the proxy.
Example: 198.51.XX.XX

remote_port
The source port of the connection to WAF. If the client connects to WAF directly, this is the port of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this is the port of the proxy.
Example: 80

request_length
The size of the request, including the request line, the request headers, and the request body. Unit: bytes.
Example: 111111

request_method
The HTTP request method.
Example: GET

request_path
The path of the requested URL, which is the part between the domain name and the question mark (?). The path does not include the query string.
Example: /news/search.php

request_time_msec
The time that WAF takes to process the request. Unit: milliseconds.
Example: 44

request_traceid
The unique identifier that WAF generates for each request.
Example: 7837b11715410386943437009ea1f0

server_protocol
The protocol and version that the origin server uses to respond to the request forwarded by WAF.
Example: HTTP/1.1

ssl_cipher
The cipher suite that the request uses.
Example: ECDHE-RSA-AES128-GCM-SHA256

ssl_protocol
The SSL or TLS protocol version that the request uses.
Example: TLSv1.2

status
The HTTP status code that WAF returns to the client. For example, the status code 200 indicates that the request was received and accepted.
Example: 200

time
The point in time when the request is sent. The value is an ISO 8601 timestamp in the yyyy-MM-ddTHH:mm:ss+08:00 format and carries an explicit UTC offset (UTC+8 in the example). It is not a UTC timestamp: apply the offset when correlating with logs from other systems.
Example: 2018-05-02T16:03:59+08:00

upstream_addr
The IP address and port number of the origin server, in the IP address:Port format. Multiple pairs are separated with commas (,).
Example: 198.51.XX.XX:443

upstream_response_time
The time that the origin server takes to respond to the request forwarded by WAF. Unit: seconds.
Example: 0.044

upstream_status
The HTTP status code that the origin server returns to WAF. For example, the status code 200 indicates that the request was received and accepted.
Example: 200

user_id
The ID of the Alibaba Cloud account to which the WAF instance belongs.
Example: 17045741********
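As an added example that is not part of the WAF documentation, the following Python snippet reads constructed records that use the field names above and shows the two handling points a practitioner most often gets wrong: attributing the request to an IP address without trusting X-Forwarded-For, and converting the +08:00 timestamp to UTC. The record format (one JSON object per line) and every value in SAMPLE_LOG are assumptions made for illustration, not real log data.

```python
"""Added example: reading WAF log records safely.

The sample records below are constructed for this example. They reuse the
field names documented on this page (remote_addr, real_client_ip,
http_x_forwarded_for, time, ...) but the values are invented, and the
one-JSON-object-per-line layout is an assumption about the export format.
"""
import json
from datetime import datetime, timezone
from ipaddress import ip_address

SAMPLE_LOG = """
{"time":"2018-05-02T16:03:59+08:00","remote_addr":"198.51.100.7","real_client_ip":"192.0.2.10","http_x_forwarded_for":"192.0.2.10","final_action":"block","final_plugin":"waf","final_rule_id":"115341","request_path":"/news/search.php","status":"405"}
{"time":"2018-05-02T16:04:02+08:00","remote_addr":"203.0.113.5","real_client_ip":"-","http_x_forwarded_for":"127.0.0.1, 10.0.0.1","request_path":"/login","status":"200"}
{"time":"2018-05-02T16:04:05+08:00","remote_addr":"203.0.113.9","real_client_ip":"-","http_x_forwarded_for":"not-an-ip","request_path":"/","status":"200"}
"""


def parse_records(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def client_ip(rec):
    """Pick the address to attribute the request to.

    Prefer real_client_ip, which is WAF's own determination. When WAF could
    not determine it (recorded as "-"), fall back to remote_addr, the TCP
    peer that connected to WAF. Never fall back to X-Forwarded-For: that
    header is written by whoever sent the request and can be forged unless
    a trusted proxy in front of WAF overwrites it.
    """
    ip = rec.get("real_client_ip", "-")
    if ip == "-":
        ip = rec.get("remote_addr", "-")
    try:
        return str(ip_address(ip))
    except ValueError:
        return None


def xff_spoof_suspects(records):
    """Return records whose XFF disagrees with WAF's client attribution.

    A record where WAF reports real_client_ip as "-" but the request still
    carries an X-Forwarded-For header deserves a look: either an upstream
    proxy is misconfigured, or the header was injected by the client.
    """
    out = []
    for rec in records:
        xff = rec.get("http_x_forwarded_for", "-")
        if rec.get("real_client_ip") == "-" and xff != "-":
            out.append(rec)
    return out


def event_time_utc(rec):
    """Convert the yyyy-MM-ddTHH:mm:ss+08:00 value to an aware UTC datetime.

    The field carries an explicit UTC offset, so it must be parsed with that
    offset rather than treated as UTC: 16:03:59+08:00 is 08:03:59Z.
    """
    return datetime.fromisoformat(rec["time"]).astimezone(timezone.utc)


if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG)
    for rec in records:
        print(client_ip(rec), event_time_utc(rec).isoformat(), rec["request_path"])
    print("XFF suspects:", len(xff_spoof_suspects(records)))
```

The fallback order in client_ip mirrors the field descriptions: real_client_ip is WAF's verdict, remote_addr is a fact about the TCP connection, and X-Forwarded-For is a claim made by the sender.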

Optional fields

You can enable optional fields based on your business requirements. WAF logs record only the optional fields that you enabled.

Enabling optional fields increases the storage space that WAF logs occupy. If you have sufficient log storage capacity, we recommend that you enable the optional fields so that you can analyze logs more comprehensively. For information about how to configure optional fields, see Configure log settings.

Field, description and example:

acl_action
The action performed on the request after an IP address blacklist rule or custom access control rule is matched. Valid values:
  • block: The request is blocked.
  • js: JavaScript verification is performed.
  • js_pass: The client passed JavaScript verification, and WAF allowed the request.
For information about the actions that WAF performs on requests, see Description of the *_action field.
Example: block

acl_rule_id
The ID of the IP address blacklist rule or custom access control rule that is matched.
Example: 151235

acl_rule_type
The type of the IP address blacklist rule or custom access control rule that is matched. Valid values:
  • custom: A custom access control rule is matched.
  • blacklist: An IP address blacklist rule is matched.
Example: custom

acl_test
The protection mode of the IP address blacklist rule or custom access control rule that is matched. Valid values:
  • true: monitoring mode. The match is logged, but protection actions such as block are not performed.
  • false: prevention mode. WAF performs the protection action, such as block, on the matching request.
Example: false

antiscan_action
The action performed on the request after a scan protection rule is matched. The only value is block: the request is blocked.
For information about the actions that WAF performs on requests, see Description of the *_action field.
Example: block

antiscan_rule_id
The ID of the scan protection rule that is matched.
Example: 151235

antiscan_rule_type
The type of the scan protection rule that is matched. Valid values:
  • highfreq: a rule that blocks IP addresses from which scanning attacks are frequently initiated.
  • dirscan: a rule that defends against directory traversal attacks.
  • scantools: a rule that blocks the IP addresses of known scanners.
Example: highfreq

antiscan_test
The protection mode of the scan protection rule that is matched. Valid values:
  • true: monitoring mode. The match is logged, but protection actions such as block are not performed.
  • false: prevention mode. WAF performs the protection action, such as block, on the matching request.
Example: false

body_bytes_sent
The size of the response body that the server returns to the client. Response headers are not counted. Unit: bytes.
Example: 1111

cc_action
The action performed on the request after a custom throttling rule is matched. Valid values:
  • block: The request is blocked.
  • js: JavaScript verification is performed.
  • js_pass: The client passed JavaScript verification, and WAF allowed the request.
For information about the actions that WAF performs on requests, see Description of the *_action field.
Example: block

cc_rule_id
The ID of the custom throttling rule that is matched.
Example: 151234

cc_rule_type
The type of the rule that is matched. The only value is custom: a custom throttling rule is matched.
Example: custom

cc_test
The protection mode of the custom throttling rule that is matched. Valid values:
  • true: monitoring mode. The match is logged, but protection actions such as block are not performed.
  • false: prevention mode. WAF performs the protection action, such as block, on the matching request.
Example: false

request_body
The request body, truncated to 8 KB.
Example: test123curl -ki https://automated-acltest02.***.top/ --resolve automated-acltest02.***.top:443:39.107.XX.XX

request_header
The custom request headers. If you enable this field, you must specify which request headers to record. Separate multiple request headers with commas (,).
Example: {"ttt":"abcd"}

server_port
The destination port of the request.
Example: 443

waf_action
The action performed on the request after a basic protection rule is matched. The only value is block: the request is blocked.
For information about the actions that WAF performs on requests, see Description of the *_action field.
Example: block

waf_rule_id
The ID of the basic protection rule that is matched.
Note The rule ID is displayed on the Basic Protection Rule tab of the Security Reports page. For more information, see Basic protection rule module.
Example: 113406

waf_rule_type
The type of the basic protection rule that is matched. Valid values:
  • xss: a rule that defends against XSS attacks.
  • code_exec: a rule that defends against attacks that exploit code execution vulnerabilities.
  • webshell: a rule that defends against webshell uploads.
  • sqli: a rule that defends against SQL injection.
  • lfilei: a rule that defends against local file inclusion.
  • rfilei: a rule that defends against remote file inclusion.
  • other: other protection rules.
Example: xss

waf_test
The protection mode of the basic protection rule that is matched. Valid values:
  • true: monitoring mode. The match is logged, but protection actions such as block are not performed.
  • false: prevention mode. WAF performs the protection action, such as block, on the matching request.
Example: false

major_protection_action
The action performed on the request after a major event protection rule is matched. For information about the actions that WAF performs on requests, see Description of the *_action field.
Example: block

major_protection_rule_id
The ID of the major event protection rule that is matched.
Example: 2221

major_protection_rule_type
The type of the major event protection rule that is matched. Valid values:
  • waf_blocks: a rule in the rule group for major event protection.
  • threat_intelligence: a threat intelligence rule for major event protection.
  • blacklist: an IP address blacklist rule for major event protection.
  • shiro: a rule that defends against Apache Shiro deserialization vulnerabilities.
Example: waf_blocks

major_protection_test
The protection mode of the major event protection rule that is matched. Valid values:
  • true: monitoring mode. The match is logged, but protection actions such as block are not performed.
  • false: prevention mode. WAF performs the protection action, such as block, on the matching request.
Example: true

response_set_cookie
The Set-Cookie header that the server sends to the client.
Example: acw_tc=781bad3616674790875002820e2cebbc55b6e0dfd9579302762b1dece40e0a;path=\/;HttpOnly;Max-Age=1800

response_header
All response headers.
Example: {"transfer-encoding":"chunked","set-cookie":"acw_tc=***;path=\/;HttpOnly;Max-Age=1800","content-type":"text\/html;charset=utf-8","x-powered-by":"PHP\/7.2.24","server":"nginx\/1.18.0","connection":"close"}

response_info
The response body, truncated to 16 KB. If the Content-Encoding response header is gzip, the response body is recorded Base64-encoded.
Example: $_POST Received:<br/>Array ( [***] => ) <hr/> $GLOBALS['HTTP_RAW_POST_DATA'] Received:<br/> <hr/> php://input Received: ***

dlp_action
The action performed on the request after a data leakage prevention rule is matched. Valid values:
  • monitor: The request is monitored.
  • block: The request is blocked.
  • filter: Sensitive content in the response is masked.
For information about the actions that WAF performs on requests, see Description of the *_action field.
Example: block

dlp_rule_id
The ID of the data leakage prevention rule that is matched.
Example: 20031483

dlp_test
The protection mode of the data leakage prevention rule that is matched. Valid values:
  • true: monitoring mode. The match is logged, but protection actions such as block are not performed.
  • false: prevention mode. WAF performs the protection action, such as block, on the matching request.
Example: true

scene_action
The action performed on the request after a bot management rule is matched. Valid values:
  • js: JavaScript verification is performed.
  • sigchl: Dynamic token authentication is performed.
  • block: The request is blocked.
  • monitor: The request is monitored.
  • bypass: The request is allowed.
  • captcha: Common slider CAPTCHA verification is performed.
  • captcha_strict: Strict slider CAPTCHA verification is performed.
For information about the actions that WAF performs on requests, see Description of the *_action field.
Example: js

scene_id
The scenario ID of the bot management rule that is matched.
Example: a82d992b_bc8c_47f0_87ce_******

scene_rule_id
The ID of the bot management rule that is matched.
Example: js-a82d992b_bc8c_47f0_87ce_******

scene_rule_type
The type of the bot management rule that is matched. Valid values:
  • bot_aialgo: an intelligent protection rule.
  • cc: a custom throttling rule.
  • intelligence: the threat intelligence rule.
  • js: a simple JavaScript rule.
  • sigchl: a dynamic token authentication rule.
  • sdk: a rule for SDK signature and device data collection, or a rule for secondary packaging detection.
Example: bot_aialgo

scene_test
The protection mode of the bot management rule that is matched. Valid values:
  • true: monitoring mode. The match is logged, but protection actions such as block are not performed.
  • false: prevention mode. WAF performs the protection action, such as block, on the matching request.
Example: true

Description of the *_action field

Note *_action stands for the action field of each protection module. For example, final_action is the action that WAF ultimately performs on the request, and waf_action is the action of the basic protection rule module. The set of valid actions differs from module to module; see the description of each *_action field above.

The following table describes the protection actions that are supported by WAF.

Protection action and description:

block
The request is blocked. WAF discards the client request and returns HTTP status code 405 to the client.

captcha_strict
Strict slider CAPTCHA verification is performed. WAF returns the slider CAPTCHA verification page to the client. If the client passes, WAF allows the request; if the client fails, WAF blocks the request. The client must pass strict slider CAPTCHA verification on every request.

captcha
Common slider CAPTCHA verification is performed. WAF returns the slider CAPTCHA verification page to the client. If the client passes, WAF allows requests from that client for a specified period, 30 minutes by default. If the client fails, WAF blocks requests from the client.

js
JavaScript verification is performed. WAF returns JavaScript code to the client, which the client's browser runs automatically. If the client passes, WAF allows requests from that client for a specified period, 30 minutes by default. If the client fails, WAF blocks requests from the client.

pass and bypass
The request is allowed. WAF forwards the client request to the origin server.

js_pass
The client passed JavaScript verification, and WAF allows the request from the client.

sigchl
Dynamic token authentication is performed and web requests are signed. The Web SDK issued by WAF signs each request on the client, and the signature is sent together with the request. If the signature is present and verifies, WAF forwards the request to the origin server. If the signature cannot be generated or fails verification, WAF returns a code block that obtains a dynamic token, and the client must re-sign and resend the request.

monitor
The request is monitored. WAF logs the request that matches the rule but does not block it.
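As an added example that is not part of the WAF documentation, the following Python code applies the final_action priority rule from the required-fields table and the action semantics from this table to constructed records. It checks that the logged final_action, final_plugin and final_rule_id agree with the per-module *_action fields, and it counts monitoring-mode would-be blocks per rule, which is the number you want to look at before switching a module from monitoring mode to prevention mode. The records and rule IDs are invented. Two points the page does not state explicitly are assumptions, marked in the code: a module in monitoring mode is not a candidate for final_action, and ties between modules at equal priority resolve in the order of the MODULES tuple.

```python
"""Added example: checking final_action against the per-module action fields.

The records below are constructed for this example and follow the field
names on this page; the values and rule IDs are invented.
"""
from collections import Counter

# Descending priority that the page gives for final_action when several
# protection modules match the same request.
ACTION_PRIORITY = {"block": 3, "captcha_strict": 2, "captcha": 1, "js": 0}

# Modules whose action can become final_action, per the final_plugin values.
# Assumption: ties at equal priority resolve in this order.
MODULES = ("waf", "acl", "cc", "antiscan")

SAMPLE_RECORDS = [
    # waf blocks, acl would only challenge: block wins by priority.
    {"waf_action": "block", "waf_rule_id": "113406", "waf_test": "false",
     "acl_action": "js", "acl_rule_id": "151235", "acl_test": "false",
     "final_action": "block", "final_plugin": "waf", "final_rule_id": "113406"},
    # waf rule hit in monitoring mode (not performed); the cc challenge ran.
    {"waf_action": "block", "waf_rule_id": "113406", "waf_test": "true",
     "cc_action": "js", "cc_rule_id": "151234", "cc_test": "false",
     "final_action": "js", "final_plugin": "cc", "final_rule_id": "151234"},
    # acl block in prevention mode but no final_* recorded: investigate.
    {"acl_action": "block", "acl_rule_id": "151235", "acl_test": "false"},
    # only a monitoring-mode waf hit: nothing performed, no final_* expected.
    {"waf_action": "block", "waf_rule_id": "113406", "waf_test": "true"},
]


def expected_final(rec):
    """Return (action, plugin, rule_id) implied by the module fields.

    Returns (None, None, None) when no module performed an action.
    Assumption: a module in monitoring mode (<module>_test == "true") logs
    its action but does not perform it, so it cannot supply final_action.
    Allow outcomes such as js_pass are never candidates.
    """
    best = None
    for mod in MODULES:
        action = rec.get(f"{mod}_action")
        if action not in ACTION_PRIORITY:
            continue
        if rec.get(f"{mod}_test", "false") == "true":
            continue
        if best is None or ACTION_PRIORITY[action] > ACTION_PRIORITY[best[0]]:
            best = (action, mod, rec.get(f"{mod}_rule_id"))
    return best if best is not None else (None, None, None)


def inconsistent_records(records):
    """Records whose logged final_* fields disagree with expected_final()."""
    out = []
    for rec in records:
        logged = (rec.get("final_action"), rec.get("final_plugin"),
                  rec.get("final_rule_id"))
        if logged != expected_final(rec):
            out.append(rec)
    return out


def monitored_block_counts(records):
    """Count hits per (module, rule_id) that would block in prevention mode.

    A module in monitoring mode whose action is "block" recorded a would-be
    block. Reviewing these counts per rule before switching the module to
    prevention mode shows which rules will start blocking real traffic.
    """
    counts = Counter()
    for rec in records:
        for mod in MODULES:
            if rec.get(f"{mod}_test") == "true" and rec.get(f"{mod}_action") == "block":
                counts[(mod, rec.get(f"{mod}_rule_id"))] += 1
    return counts


if __name__ == "__main__":
    for rec in inconsistent_records(SAMPLE_RECORDS):
        print("inconsistent:", rec)
    for (mod, rule), n in monitored_block_counts(SAMPLE_RECORDS).items():
        print(f"{mod} rule {rule}: {n} monitored would-be blocks")
```

A record flagged by inconsistent_records is not necessarily a WAF fault: it may reflect a module not listed in final_plugin, a field you have not enabled, or one of the two assumptions above not holding for your instance. Treat it as a prompt to compare against the console rather than as a verdict.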