Fields in logs - Web Application Firewall - Alibaba Cloud Documentation Center

This topic describes the log fields that are supported by Web Application Firewall (WAF).

Table for field retrieval

The following table describes the exclusive log fields that are supported by WAF. You can use the names of log fields to retrieve the log fields.


First letter of a field name	Field
a	Custom rule-related fields: acl_action \| acl_rule_id \| acl_rule_type \| acl_test Scan protection-related fields: antiscan_action \| antiscan_rule_id \| antiscan_rule_type \| antiscan_test
b	Byte field for the response body that is returned by the server to the client: body_bytes_sent Field for the IDs of the rules that allow requests: bypass_matched_ids
c	HTTP flood protection-related fields: cc_action \| cc_rule_id \| cc_rule_type \| cc_test Requested content type field: content_type
d	Data leakage prevention-related fields: dlp_action \| dlp_rule_id \| dlp_test
f	Fields for actions that are performed by WAF on requests: final_action \| final_plugin \| final_rule_id \| final_rule_type
h	Request header-related fields: host \| http_cookie \| http_referer \| http_user_agent \| http_x_forwarded_for HTTPS field: https
m	Field for matched protected objects: matched_host Major event protection-related fields: major_protection_action \| major_protection_rule_id \| major_protection_rule_type \| major_protection_test
q	Query string field: querystring
r	Actual IP address field: real_client_ip Region ID field: region Response-related fields: response_set_cookie \| response_header \| response_info IP and port fields: remote_addr \| remote_port Request-related fields: request_body \| request_header \| request_length \| request_method \| request_path \| request_time_msec \| request_traceid
s	Requested port field: server_port Field for the protocol and version that are used by the origin server to respond to the requests forwarded by WAF: server_protocol Cipher suite field and Transport Layer Security (TLS) field: ssl_cipher \| ssl_protocol HTTP status code field: status Bot management-related fields: scene_action \| scene_id \| scene_rule_id \| scene_rule_type \| scene_test
t	Request time field: time
u	Back-to-origin request response-related fields: upstream_addr \| upstream_response_time \| upstream_status Account ID field: user_id
w	Basic protection rule-related fields: waf_action \| waf_rule_id \| waf_rule_type \| waf_test

Required fields

Required fields refer to the fields that must be included in WAF logs.


Field	Description	Example
bypass_matched_ids	The ID of the matched rule that allows the request. The rule can be a whitelist rule or a custom protection rule. If multiple rules are matched at the same time to allow requests, the field records the IDs of the rules. Multiple IDs are separated with commas (,).	283531
content_type	The type of the requested content.	application/x-www-form-urlencoded
final_action	The latest action that is performed by WAF on the request. Valid values: block: The request is blocked. captcha_strict: Strict slider CAPTCHA verification is performed. captcha: Common slider CAPTCHA verification is performed. js: JavaScript verification is performed. For information about the actions that are performed by WAF on requests, see Description of the *_action field. If a request does not match a protection module, the field is not recorded. For example, if a request matches a rule that allows the request or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded. If a request matches multiple protection modules at the same time, the field records only the latest action that is performed. The following actions are listed in descending order of priority: block (block), captcha_strict (strict slider CAPTCHA verification), captcha (common slider CAPTCHA verification), and js (JavaScript verification).	block
final_plugin	The protection module that performs the latest action on the request. The final_action field indicates the latest action that is performed. Valid values: waf: the basic protection rule module. acl: the IP address blacklist rule module or custom rule (access control) module. cc: the custom rule (throttling) module. antiscan: the scan protection module. If a request does not match a protection module, the field is not recorded. For example, if a request matches a rule that allows the request or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded. If a request matches multiple protection modules at the same time, the field records only the latest action that is performed. The final_action field indicates the action that is performed.	waf
final_rule_id	The ID of the rule that performs the latest action on the request. The final_action field indicates the latest action that is performed.	115341
final_rule_type	The subtype of the rule that is applied to the request. The final_rule_id field indicates the applied rule. For example, `final_plugin:waf` supports `final_rule_type:sqli` and `final_rule_type:xss`.	xss/webshell
host	The Host field of the request header that contains the domain name or the IP address that you want to access. The value of this field varies based on your service settings.	api.example.com
http_cookie	The cookie field of the request header. This field contains the cookie information about the client.	k1=v1;k2=v2
http_referer	The Referer field of the request header. This field contains the source URL information about the request. If the request does not contain the source URL information, the value of this field is displayed as a hyphen `(-)`.	http://example.com
http_user_agent	The User-Agent field of the request header. This field contains information about the browser and operating system.	Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002)
http_x_forwarded_for	The X-Forwarded-For (XFF) field of the request header. This field is used to identify the originating IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing device.	47.100.XX.XX
https	Indicates whether the request is an HTTPS request. Valid values: on: The request is an HTTPS request. off: The request is an HTTP request.	on
matched_host	The protected object that matches the request. The protected object can be an instance or a domain name. Note Protected objects support wildcard domains, and WAF may match a wildcard domain. For example, if the domain name .aliyundoc.com is added to WAF and www.aliyundoc.com is requested, WAF matches the domain name .aliyundoc.com.	*.aliyundoc.com
querystring	The query string in the request. The query string is specified after the question mark (?) in the requested URL.	title=tm_content%3Darticle&pid=123
real_client_ip	The originating IP address of the client that sends the request. WAF identifies the originating IP address based on the analysis of the request. If WAF cannot identify the originating IP address of the client, the value of the field is displayed as a hyphen (`-`). For example, if a proxy server is used or the IP field in the request header is invalid, WAF cannot identify the originating IP address of the client.	192.0.XX.XX
region	The ID of the region where the WAF instance resides. Valid values: cn: The WAF instance resides in the Chinese mainland. int: The WAF instance resides outside the Chinese mainland.	cn
remote_addr	The IP address that is used to connect to WAF. If WAF is directly connected to a client, this field records the originating IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the IP address of the proxy.	198.51.XX.XX
remote_port	The port that is used to connect to WAF. If WAF is directly connected to a client, this field records the port of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the port of the proxy.	80
request_length	The number of bytes in the request, including the request line, the request headers, and the request body. Unit: bytes.	111111
request_method	The request method.	GET
request_path	The relative path that is requested. The relative path is the part between the domain name and the question mark (?) in the requested URL. The relative path does not include the query string.	/news/search.php
request_time_msec	The time period that is required by WAF to process the request. Unit: milliseconds.	44
request_traceid	The unique identifier that is generated by WAF for each request.	7837b11715410386943437009ea1f0
server_protocol	The protocol and version that are used by the origin server to respond to the request that is forwarded by WAF.	HTTP/1.1
ssl_cipher	The cipher suite that is used in the request.	ECDHE-RSA-AES128-GCM-SHA256
ssl_protocol	The SSL protocol or TLS protocol and version that are used in the request.	TLSv1.2
status	The HTTP status code that is included by WAF in the response of the request that is sent from the client. Example: the HTTP status code 200 that indicates that the request is received and accepted.	200
time	The point in time when the request is sent. The time follows the ISO 8601 standard in the `yyyy-MM-ddTHH:mm:ss+08:00` format. The time is displayed in UTC.	2018-05-02T16:03:59+08:00
upstream_addr	The IP address and port number of the origin server. The format is `IP address:Port`. Multiple pairs of IP addresses and port numbers are separated with commas (,).	198.51.XX.XX:443
upstream_response_time	The time period that is required by the origin server to respond to the request that is forwarded by WAF. Unit: seconds.	0.044
upstream_status	The HTTP status code that is included by the origin server in the response of the request that is sent from WAF. Example: the HTTP status code 200 that indicates that the request is received and accepted.	200
user_id	The ID of the Alibaba Cloud account to which the WAF instance belongs.	17045741********

Optional fields

You can enable optional fields in WAF logs based on your business requirements. WAF logs record only the optional fields that you enabled.

If you enable optional fields, WAF logs occupy more storage space. If you have sufficient log storage capacity, we recommend that you enable additional optional fields. This way, you can analyze logs in a more comprehensive manner. For information about how to configure optional fields, see Configure log settings.


Field	Description	Example
acl_action	The action that is performed on the request after an IP address blacklist rule or custom access control rule is matched. Valid values: block: The request is blocked. js: JavaScript verification is performed. js_pass: The client passes JavaScript verification, and WAF allowed the request that is sent from the client. For information about the actions that are performed by WAF on requests, see Description of the *_action field.	block
acl_rule_id	The ID of the IP address blacklist rule or custom access control rule that is matched.	151235
acl_rule_type	The type of the IP address blacklist rule or custom access control rule that is matched. Valid values: custom: A custom access control rule is matched. blacklist: An IP address blacklist rule is matched.	custom
acl_test	The protection mode that is used for the request after an IP address blacklist rule or custom access control rule is matched. Valid values: true: the monitoring mode. In this mode, logs are recorded. Protection actions, such as block, are not triggered. false: the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.	false
antiscan_action	The action that is performed on the request after a scan protection rule is matched. The value is set to block. The value indicates that the request is blocked. For information about the actions that are performed by WAF on requests, see Description of the *_action field.	block
antiscan_rule_id	The ID of the scan protection rule that is matched.	151235
antiscan_rule_type	The type of the scan protection rule that is matched. Valid values: highfreq: a rule that blocks IP addresses from which scanning attacks are frequently initiated. dirscan: a rule that is used to defend against directory traversal attacks. scantools: a rule that blocks the IP addresses of scanners.	highfreq
antiscan_test	The protection mode that is used for the request after a scan protection rule is matched. Valid values: true: the monitoring mode. In this mode, logs are recorded. Protection actions, such as block, are not triggered. false: the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.	false
body_bytes_sent	The number of bytes in the response body that the server returns to the client. The number of bytes of the response header is not counted. Unit: bytes.	1111
cc_action	The action that is performed on the client request after a custom throttling rule is matched. Valid values: block: The request is blocked. js: JavaScript verification is performed. js_pass: The client passes JavaScript verification, and WAF allowed the request that is sent from the client. For information about the actions that are performed by WAF on requests, see Description of the *_action field.	block
cc_rule_id	The ID of the custom throttling rule that is matched.	151234
cc_rule_type	The type of the rule that is matched. The value is set to custom. The value indicates that a custom throttling rule is matched.	custom
cc_test	The protection mode that is used for the client request after a custom throttling rule is matched. Valid values: true: the monitoring mode. In this mode, logs are recorded. Protection actions, such as block, are not triggered. false: the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.	false
request_body	The request body that can be up to 8 KB in size.	test123curl -ki https://automated-acltest02.*.top/ --resolve automated-acltest02.*.top:443:39.107.XX.XX
request_header	The custom request headers. If you enable this field, you must specify the request headers. Separate multiple request headers with commas (,).	{"ttt":"abcd"}
server_port	The destination port that is requested.	443
waf_action	The action that is performed on the request after a basic protection rule is matched. The value is set to block. The value indicates that the request is blocked. For information about the actions that are performed by WAF on requests, see Description of the *_action field.	block
waf_rule_id	The ID of the basic protection rule that is matched. Note The rule ID is displayed on the Basic Protection Rule tab of the Security Reports page. For more information, see Basic protection rule module.	113406
waf_rule_type	The type of the basic protection rule that is matched. Valid values: xss: a rule that defends against XSS attacks. code_exec: a rule that defends against specific attacks. The attacks exploit code execution vulnerabilities. webshell: a rule that defends against webshell uploads. sqli: a rule that defends against Structured Query Language (SQL) injection. lfilei: a rule that defends against local file inclusion. rfilei: a rule that defends against remote file inclusion. other: other protection rules.	xss
waf_test	The protection mode that is used for the request after a basic protection rule is matched. Valid values: true: the monitoring mode. In this mode, logs are recorded. Protection actions, such as block, are not triggered. false: the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.	false
major_protection_action	The action that is performed on the request after a major event protection rule is matched. For information about the actions that are performed by WAF on requests, see Description of the *_action field.	block
major_protection_rule_id	The ID of the major event protection rule that is matched.	2221
major_protection_rule_type	The type of the major event protection rule that is matched. Valid values: waf_blocks: a rule in the rule group for major event protection. threat_intelligence: a threat intelligence rule for major event protection. blacklist: an IP address blacklist rule for major event protection. shiro: a shiro deserialization vulnerability prevention rule.	waf_blocks
major_protection_test	The protection mode that is used after a major event protection rule is matched. Valid values: true: the monitoring mode. In this mode, logs are recorded. Protection actions, such as block, are not triggered. false: the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.	true
response_set_cookie	The cookie that is sent from the server to the client.	acw_tc=781bad3616674790875002820e2cebbc55b6e0dfd9579302762b1dece40e0a;path=\/;HttpOnly;Max-Age=1800
response_header	All response headers.	{"transfer-encoding":"chunked","set-cookie":"acw_tc=***;path=\/;HttpOnly;Max-Age=1800","content-type":"text\/html;charset=utf-8","x-powered-by":"PHP\/7.2.24","server":"nginx\/1.18.0","connection":"close"}
response_info	The response body that can be up to 16 KB in size. If the content-encoding header is gzip, the response body is encoded in Base64.	$_POST Received:<br/>Array ( [*] => ) <hr/> $GLOBALS['HTTP_RAW_POST_DATA'] Received:<br/> <hr/> php://input Received: *
dlp_action	The action that is performed on the request after a data leakage prevention rule is matched. Valid values: monitor: The request is monitored. block: The request is blocked. filter: The request is masked. For information about the actions that are performed by WAF on requests, see Description of the *_action field.	block
dlp_rule_id	The ID of the data leakage prevention rule that is matched.	20031483
dlp_test	The protection mode that is used for the request after a data leakage prevention rule is matched. Valid values: true: the monitoring mode. In this mode, logs are recorded. Protection actions, such as block, are not triggered. false: the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.	true
scene_action	The action that is performed on the request after a bot management rule is matched. Valid values: js: JavaScript verification is performed. sigchl: Dynamic token authentication is performed. block: The request is blocked. monitor: The request is monitored. bypass: The request is allowed. captcha: Common slider CAPTCHA verification is performed. captcha_strict: Strict slider CAPTCHA verification is performed. For information about the actions that are performed by WAF on requests, see Description of the *_action field.	js
scene_id	The scenario ID of the bot management rule that is matched.	a82d992b_bc8c_47f0_87ce_******
scene_rule_id	The ID of the bot management rule that is matched.	js-a82d992b_bc8c_47f0_87ce_******
scene_rule_type	The type of the bot management rule that is matched. Valid values: bot_aialgo: an intelligent protection rule. cc: a custom throttling rule. intelligence: the threat intelligence rule. js: a simple JavaScript rule. sigchl: a dynamic token authentication rule. sdk: a rule for SDK signature and device data collection or a rule for secondary packaging detection.	bot_aialgo
scene_test	The protection mode that is used for the request after a bot management rule is matched. Valid values: true: the monitoring mode. In this mode, logs are recorded. Protection actions, such as block, are not triggered. false: the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.	true

Description of the `*_action` field

Note *_action indicates the protection actions of different protection rules. For example, final_action indicates the protection action that is performed by WAF, and waf_action indicates the protection action of a basic protection rule. The protection actions vary based on the protection rule. For information about the protection actions, see the parameter description.

The following table describes the protection actions that are supported by WAF.


Protection action	Description
block	The request is blocked. WAF blocks the client request and returns HTTP error code 405 to the client.
captcha_strict	Strict slider CAPTCHA verification is performed. WAF returns the pages that are used for slider CAPTCHA verification to the client. If the client passes strict slider CAPTCHA verification, WAF allows the request that is sent from the client. If the client fails strict slider CAPTCHA verification, WAF blocks the request. A client must pass strict slider CAPTCHA verification each time the client sends a request.
captcha	Common slider CAPTCHA verification is performed. WAF returns the pages that are used for slider CAPTCHA verification to the client. If a client passes common slider CAPTCHA verification, WAF allows requests that are sent from the client in a specified time range. By default, the time range is 30 minutes. If a client fails common slider CAPTCHA verification, WAF blocks requests from the client.
js	JavaScript verification is performed. WAF returns JavaScript code to the client. The JavaScript code is automatically run by the browsers that are used by the client. If the client passes JavaScript verification, WAF allows requests that are sent from the client in a specified time range. By default, the time range is 30 minutes. If the client fails JavaScript verification, WAF blocks requests from the client.
pass and bypass	The request is allowed. WAF allows the request that is sent from the client and forwards the request to the origin server.
js_pass	The client passes JavaScript verification and WAF allows the request from the client.
sigchl	Dynamic token authentication is performed and web requests are signed. When the client sends a request, the Web SDK that is issued by WAF generates a signature for the request. The signature is forwarded together with the request to the origin server. If the signature is generated and verified, the request is forwarded to the origin server. If the signature fails to be generated or verified, a code block that can be used to obtain a dynamic token is returned to the client and the request must be resigned.
monitor	The request is monitored. WAF records the request that matches the rule in logs but does not block the request.

First letter of a field name	Field
a	Custom rule-related fields: acl_action \| acl_rule_id \| acl_rule_type \| acl_test Scan protection-related fields: antiscan_action \| antiscan_rule_id \| antiscan_rule_type \| antiscan_test
b	Byte field for the response body that is returned by the server to the client: body_bytes_sent Field for the IDs of the rules that allow requests: bypass_matched_ids
c	HTTP flood protection-related fields: cc_action \| cc_rule_id \| cc_rule_type \| cc_test Requested content type field: content_type
d	Data leakage prevention-related fields: dlp_action \| dlp_rule_id \| dlp_test
f	Fields for actions that are performed by WAF on requests: final_action \| final_plugin \| final_rule_id \| final_rule_type
h	Request header-related fields: host \| http_cookie \| http_referer \| http_user_agent \| http_x_forwarded_for HTTPS field: https
m	Field for matched protected objects: matched_host Major event protection-related fields: major_protection_action \| major_protection_rule_id \| major_protection_rule_type \| major_protection_test
q	Query string field: querystring
r	Actual IP address field: real_client_ip Region ID field: region Response-related fields: response_set_cookie \| response_header \| response_info IP and port fields: remote_addr \| remote_port Request-related fields: request_body \| request_header \| request_length \| request_method \| request_path \| request_time_msec \| request_traceid
s	Requested port field: server_port Field for the protocol and version that are used by the origin server to respond to the requests forwarded by WAF: server_protocol Cipher suite field and Transport Layer Security (TLS) field: ssl_cipher \| ssl_protocol HTTP status code field: status Bot management-related fields: scene_action \| scene_id \| scene_rule_id \| scene_rule_type \| scene_test
t	Request time field: time
u	Back-to-origin request response-related fields: upstream_addr \| upstream_response_time \| upstream_status Account ID field: user_id
w	Basic protection rule-related fields: waf_action \| waf_rule_id \| waf_rule_type \| waf_test

Table for field retrieval

Required fields

Optional fields

Description of the *_action field

Description of the `*_action` field