
Web Application Firewall: Log fields supported by WAF

Last Updated: Dec 04, 2024

This topic describes the log fields that are supported by Web Application Firewall (WAF).

Table for field retrieval

The following table describes the log fields that are supported by WAF. You can use the names of fields to retrieve the fields that you want to view.

Initial | Field
--- | ---
a | Fields related to account security, the IP address blacklist or custom protection policy (ACL policy), typical bot behavior identification, data risk control, and scan protection: account_action, account_rule_id, account_test, acl_action, acl_rule_id, acl_rule_type, acl_test, algorithm_action, algorithm_rule_id, algorithm_test, antifraud_action, antifraud_test, antiscan_action, antiscan_rule_id, antiscan_rule_type, antiscan_test
b | Fields related to the deprecated block action, the response size, and matched allow rules: block_action, body_bytes_sent, bypass_matched_ids
c | Fields related to HTTP flood protection and the request content type: cc_action, cc_rule_id, cc_rule_type, cc_test, content_type
d | Fields related to the deep learning engine, data leakage prevention, and the destination port: deeplearning_action, deeplearning_rule_id, deeplearning_rule_type, deeplearning_test, dlp_action, dlp_rule_id, dlp_test, dst_port
f | Fields related to final actions: final_action, final_plugin, final_rule_id, final_rule_type
h | Fields related to request headers and the request scheme: host, http_referer, http_user_agent, http_x_forwarded_for, https
i | Fields related to bot threat intelligence: intelligence_action, intelligence_rule_id, intelligence_test
m | Field used to record the matched domain names that are added to WAF: matched_host
n | Fields related to positive security models: normalized_action, normalized_rule_id, normalized_rule_type, normalized_test
q | Field used to record query strings: querystring
r | Fields related to the client address, the WAF region, and the request itself: real_client_ip, region, remote_addr, remote_port, request_body, request_length, request_method, request_path, request_time_msec, request_traceid, request_uri
s | Fields related to scenario-specific configurations, dynamic token authentication, the connection to WAF, and the response status: scene_action, scene_id, scene_rule_id, scene_rule_type, scene_test, server_port, server_protocol, sigchl_invalid_type, src_ip, src_port, ssl_cipher, ssl_protocol, start_time, status
t | Field used to record the time when requests were initiated: time
u | Fields related to the client user agent, the origin server, and the Alibaba Cloud account: ua_browser, ua_browser_family, ua_browser_type, ua_browser_version, ua_device_type, ua_os, ua_os_family, upstream_addr, upstream_response_time, upstream_status, user_id
w | Fields related to the protection rules engine and app protection: waf_action, waf_rule_id, waf_rule_type, wxbb_action

Description of the action field

The following table describes all actions that are supported by WAF.

Each entry lists a value of the action field followed by its description.

block

The request is blocked. WAF blocks the client request and returns HTTP error code 405 to the client.

captcha_strict

Strict slider CAPTCHA verification is performed. WAF returns the pages used for slider CAPTCHA verification to the client. If the client passes strict slider CAPTCHA verification, WAF allows the request. Otherwise, WAF blocks the request. The client must pass strict slider CAPTCHA verification each time the client sends a request.

captcha

Common slider CAPTCHA verification is performed. WAF returns the pages used for slider CAPTCHA verification to the client. If a client passes common slider CAPTCHA verification, WAF allows requests that are sent from the client in a specific time range. By default, the time range is set to 30 minutes. Otherwise, WAF blocks requests from the client.

sigchl

Dynamic token authentication is performed, and web requests are signed. When the client sends a request, the Web SDK that is issued by WAF generates a signature for the request. The signature is forwarded together with the request to the origin server. If the signature is generated and verified, the request is forwarded to the origin server. If the signature fails to be generated or verified, a code block that can be used to obtain a dynamic token is returned to the client and the request must be re-signed.

js

JavaScript validation is performed. WAF returns JavaScript code to the client. The JavaScript code is automatically executed by the client browsers. If the client passes JavaScript validation, WAF allows requests that are sent from the client in a specific time range. By default, the time range is set to 30 minutes. Otherwise, WAF blocks requests from the client.

pass

The request is allowed. WAF allows the client request, and forwards the request to the origin server.

captcha_strict_pass

The client passes strict slider CAPTCHA verification, and WAF allows the client request.

captcha_pass

The client passes common slider CAPTCHA verification, and WAF allows the client request.

sigchl_pass

The client passes dynamic token authentication, and WAF allows the client request.

js_pass

The client passes JavaScript validation, and WAF allows the client request.

mask

WAF masks the sensitive data that is returned from the origin server and returns the result to the client. Only the data leakage prevention module supports this action.

continue

The request is allowed. The meaning of the continue action varies based on the protection module. For more information, see the descriptions of the normalized_action and wxbb_action fields in this topic.

Required fields

Required fields refer to the fields that must be included in WAF logs.

Each entry lists the field name, its description, and an example value.

acl_rule_type

The type of the matched rule. The rule is created for the IP address blacklist or custom protection policy (ACL policy) module. Valid values:

  • custom: a rule that is created for the custom protection policy (ACL policy) module

  • blacklist: a rule that is created for the IP address blacklist module

Example: custom

bypass_matched_ids

The ID of the matched rule that allows the client request. The rule is created for the whitelist or custom protection policy module.

If multiple rules that allow the request are matched at a time, this field records the IDs of all the rules. Multiple IDs are separated with commas (,).

Example: 283531

cc_rule_type

The type of the matched rule. The rule is created for the HTTP flood protection or custom protection policy (HTTP flood protection policy) module. Valid values:

  • custom: a rule that is created for the custom protection policy (HTTP flood protection policy) module

  • system: a rule that is created for the HTTP flood protection policy module

Example: custom

content_type

The type of the request content.

Example: application/x-www-form-urlencoded

dst_port

The destination port.

Example: 443

final_action

The final action that is performed by WAF on the request. Valid values:

  • block: The request is blocked.

  • captcha_strict: Strict slider CAPTCHA verification is performed.

  • captcha: Common slider CAPTCHA verification is performed.

  • sigchl: Dynamic token authentication is performed.

  • js: JavaScript validation is performed.

For more information about WAF protection actions, see the Description of the action field in this topic.

If a request does not trigger a protection module, this field is not recorded. For example, if a request matches a rule that allows the request or a request is allowed after the client passes CAPTCHA verification or JavaScript validation, this field is not recorded.

If a request triggers multiple protection modules at a time, this field is recorded and includes only the final action that is performed. The following actions are listed in descending order of priority: block (block), strict slider CAPTCHA verification (captcha_strict), common slider CAPTCHA verification (captcha), dynamic token authentication (sigchl), and JavaScript validation (js).

Example: block

final_plugin

The protection module based on which the final action is performed on the request. The final_action field records the final action that is performed. Valid values:

  • waf: the protection rules engine module

  • deeplearning: the deep learning engine module

  • dlp: the data leakage prevention module

  • account: the account security module

  • normalized: the positive security model module

  • acl: the IP address blacklist or custom protection policy (ACL policy) module

  • cc: the HTTP flood protection or custom protection policy (HTTP flood protection policy) module

  • antiscan: the scan protection module

  • scene: the scenario-specific configuration module

  • antifraud: the data risk control module

  • intelligence: the bot threat intelligence module

  • algorithm: the typical bot behavior identification module

  • wxbb: the app protection module

To configure the preceding protection modules, log on to the WAF console and choose Protection Configurations > Website Protection in the left-side navigation pane. For more information about the protection modules of WAF, see Overview.

If a request does not trigger a protection module, this field is not recorded. For example, if a request matches a rule that allows the request or a request is allowed after the client passes CAPTCHA verification or JavaScript validation, this field is not recorded.

If a request triggers multiple protection modules at a time, this field records only the module that performs the final action. The final_action field records the final action that is performed.

Example: waf

final_rule_id

The ID of the rule based on which the final action is performed. The final_action field records the final action that is performed.

Example: 115341

final_rule_type

The subtype of the rule based on which the final action is performed. The final_rule_id field records the rule.

For example, final_plugin:waf supports final_rule_type:sqli and final_rule_type:xss.

Example: xss/webshell

host

The Host field in the request header that contains the requested domain name or IP address.

Example: api.example.com

http_referer

The Referer field in the request header that contains information about the source URL of the request.

If the request does not contain the source URL information, the value of this field is displayed as a hyphen (-).

Example: http://example.com

http_user_agent

The User-Agent field in the request header that contains information about the browser and the operating system.

Example: Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002)

http_x_forwarded_for

The X-Forwarded-For (XFF) field in the request header. This field is used to identify the originating IP address of the client that is connected to the web server by using an HTTP proxy or a load balancer.

Example: 47.100.XX.XX

https

Indicates whether the request is an HTTPS request.

  • The value on indicates that the request is an HTTPS request.

  • If the field is empty, the request is an HTTP request.

Example: on

matched_host

The matched domain name that is added to WAF.

Note

The domain name can be an exact-match domain name or a wildcard domain name. For example, if the *.aliyun.com domain name is added to WAF and www.aliyun.com is requested, the *.aliyun.com domain name may be matched.

Example: *.aliyun.com

real_client_ip

The originating IP address of the client that sends the request. WAF analyzes the request to identify the IP address.

If WAF cannot identify the originating IP address of the client, the value of this field is displayed as a hyphen (-). For example, when a proxy server is used or the IP field in the request header is invalid, WAF cannot identify the originating IP address of the client.

Example: 192.0.XX.XX

request_length

The number of bytes in the request, including the bytes in the request line, request header, and request body. Unit: bytes.

Example: 111111

request_method

The request method.

Example: GET

request_time_msec

The amount of time that WAF takes to process the request. Unit: milliseconds.

Example: 44

request_traceid

The unique identifier that WAF generates for the client request.

Example: 7837b11715410386943437009ea1f0

request_uri

The request path and request parameters.

Example: /news/search.php?id=1

server_protocol

The protocol used for connections between the client and WAF.

Example: HTTP/1.1

status

The HTTP status code that is included in the response from WAF to the client. Example: 200, which indicates that the request is received and accepted.

Example: 200

src_port

The port that is used to connect to WAF.

If no Layer 7 proxies are deployed in front of WAF, this field records the port of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the port of the Layer 7 proxy.

Example: 80

src_ip

The IP address that is used to connect to WAF.

If no Layer 7 proxies are deployed in front of WAF, this field records the IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the IP address of the Layer 7 proxy.

Example: 198.51.XX.XX

start_time

The time when the request was sent. Unit: seconds.

Example: 1696534058

time

The time when the request was sent. The time follows the ISO 8601 standard in the yyyy-MM-ddTHH:mm:ss+08:00 format. The time is displayed in UTC.

Example: 2018-05-02T16:03:59+08:00

upstream_addr

The IP address and port of the origin server. The format is IP:Port. Multiple pairs of IP addresses and port numbers are separated with commas (,).

Example: 198.51.XX.XX:443

upstream_response_time

The total amount of time required for the origin server to respond to the request forwarded by WAF and for WAF to forward the response to the client. Unit: seconds.

Example: 0.044

upstream_status

The HTTP status code that is sent by the origin server in response to the request forwarded by WAF. Example: 200, which indicates that the request is received and accepted.

Example: 200
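The final_action priority order and the real_client_ip versus src_ip distinction described above, applied to log records, as an added example that is not part of this topic or of the WAF product itself: it reconstructs the strongest intervening action across the per-module <plugin>_action fields, treats a module whose <plugin>_test field is true (monitoring mode, described under Optional fields) as having logged but not performed its action, and picks the most reliable client address. The sample records, the `triage` helper and the tie-break order between modules that log the same action are constructed assumptions.

```python
"""Triage helpers for WAF log records.

Constructed sample records, not real WAF logs. Field names and semantics
follow the log field reference; the module tie-break order is an assumption.
"""
import json

# Protection actions in descending priority, as listed for final_action.
ACTION_PRIORITY = ["block", "captcha_strict", "captcha", "sigchl", "js"]

# final_plugin values; each module logs its own <plugin>_action / <plugin>_test.
PLUGINS = ["waf", "deeplearning", "dlp", "account", "normalized", "acl", "cc",
           "antiscan", "scene", "antifraud", "intelligence", "algorithm", "wxbb"]

# Constructed sample log, one JSON record per line (addresses from RFC 5737 ranges).
SAMPLE_LOG = """\
{"request_traceid": "trace-0001", "final_action": "block", "final_plugin": "waf", "waf_action": "block", "waf_test": "false", "cc_action": "captcha", "cc_test": "false", "real_client_ip": "192.0.2.10", "src_ip": "198.51.100.7"}
{"request_traceid": "trace-0002", "cc_action": "js", "cc_test": "true", "acl_action": "captcha_pass", "acl_test": "false", "real_client_ip": "-", "src_ip": "198.51.100.7"}
{"request_traceid": "trace-0003", "dlp_action": "mask", "dlp_test": "false", "real_client_ip": "203.0.113.5", "src_ip": "203.0.113.5"}
"""


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def module_hits(record):
    """Return (plugin, action, monitoring) for every module that logged an action.

    monitoring is True when <plugin>_test is "true": the rule matched and was
    logged, but the protection action was not performed.
    """
    hits = []
    for plugin in PLUGINS:
        action = record.get(f"{plugin}_action")
        if action:
            hits.append((plugin, action, record.get(f"{plugin}_test") == "true"))
    return hits


def strongest_action(hits):
    """Highest-priority intervening action among hits, as (action, plugin).

    pass, continue, mask and the *_pass values mean the request went through,
    so they never become the final action. Ties between modules that log the
    same action resolve in PLUGINS order (assumption; the reference does not say).
    Returns None when no module would intervene.
    """
    best = None
    for plugin, action, _ in hits:
        if action not in ACTION_PRIORITY:
            continue
        rank = ACTION_PRIORITY.index(action)
        if best is None or rank < best[0]:
            best = (rank, action, plugin)
    return None if best is None else (best[1], best[2])


def client_ip(record):
    """Best available client address and the field it came from.

    real_client_ip is WAF's view of the originating client; "-" means WAF could
    not identify it. src_ip is then the only address left, but with a Layer 7
    proxy such as CDN in front of WAF it is the proxy, not the client.
    """
    real = record.get("real_client_ip", "-")
    if real and real != "-":
        return real, "real_client_ip"
    return record.get("src_ip", "-"), "src_ip (may be a Layer 7 proxy)"


def triage(record):
    """Summarise one record for an analyst.

    enforced: strongest action among modules in prevention mode.
    would_be: strongest action if monitoring-mode modules had enforced too.
    monitoring_only: interventions that were logged but not performed.
    """
    hits = module_hits(record)
    return {
        "trace": record.get("request_traceid", "-"),
        "enforced": strongest_action([h for h in hits if not h[2]]),
        "would_be": strongest_action(hits),
        "monitoring_only": [(p, a) for p, a, m in hits if m and a in ACTION_PRIORITY],
        "client_ip": client_ip(record),
    }


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(triage(rec))
```

A record whose enforced action is None but whose would_be action is set is the case to review before switching a rule from monitoring to prevention mode.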

Optional fields

You can include optional fields in WAF logs based on your business requirements. WAF logs record only the optional fields that you enable.

If you enable optional fields, WAF logs occupy more storage space. If you have sufficient log storage capacity, we recommend that you enable additional optional fields. This way, you can perform log analysis in a more comprehensive manner. For more information about how to configure optional fields, see Modify log settings.

Each entry lists the field name, its description, and an example value.

account_action

The action that is performed on the client request based on an account security rule. This field is fixed as block, which indicates that the request is blocked.

For more information about WAF protection actions, see the Description of the action field in this topic.

Example: block

account_rule_id

The ID of the matched account security rule.

Example: 151235

account_test

The protection mode that is used for the client request based on an account security rule. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

Example: false

acl_action

The action that is performed on the client request based on a rule created for the IP address blacklist or custom protection policy (ACL policy) module. Valid values:

  • block: The request is blocked.

  • captcha_strict: Strict slider CAPTCHA verification is performed.

  • captcha: Common slider CAPTCHA verification is performed.

  • js: JavaScript validation is performed.

  • captcha_strict_pass: The client passes strict slider CAPTCHA verification, and WAF allows the request from the client.

  • captcha_pass: The client passes common slider CAPTCHA verification, and WAF allows the request from the client.

  • js_pass: The client passes JavaScript validation, and WAF allows the request from the client.

For more information about WAF protection actions, see the Description of the action field in this topic.

Example: block

acl_rule_id

The ID of the matched rule. The rule is created for the IP address blacklist or custom protection policy (ACL policy) module.

Example: 151235

acl_test

The protection mode that is used for the client request based on a rule created for the IP address blacklist or custom protection policy (ACL policy) module. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

Example: false

algorithm_action

The action that is performed on the client request based on a rule created for the typical bot behavior identification module. Valid values:

  • block: The request is blocked.

  • captcha: Common slider CAPTCHA verification is performed.

  • js: JavaScript validation is performed.

  • captcha_pass: The client passes common slider CAPTCHA verification, and WAF allows the request from the client.

  • js_pass: The client passes JavaScript validation, and WAF allows the request from the client.

For more information about WAF protection actions, see the Description of the action field in this topic.

Example: block

algorithm_rule_id

The ID of the matched rule. The rule is created for the typical bot behavior identification module.

Example: 151235

algorithm_test

The protection mode that is used for the client request based on a rule created for the typical bot behavior identification module. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

Example: false

antifraud_action

The action that is performed on the client request based on a rule created for the data risk control module. Valid values:

  • pass: The request is allowed.

  • block: The request is blocked.

  • captcha: Common slider CAPTCHA verification is performed.

For more information about WAF protection actions, see the Description of the action field in this topic.

Example: block

antifraud_test

The protection mode that is used for the client request based on a rule created for the data risk control module. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

Example: false

antiscan_action

The action that is performed on the client request based on a rule created for the scan protection module. This field is fixed as block, which indicates that the request is blocked.

For more information about WAF protection actions, see the Description of the action field in this topic.

Example: block

antiscan_rule_id

The ID of the matched rule. The rule is created for the scan protection module.

Example: 151235

antiscan_rule_type

The type of the matched rule. The rule is created for the scan protection module. Valid values:

  • highfreq: a rule that blocks IP addresses from which web attacks are frequently initiated

  • dirscan: a rule that defends against directory traversal attacks

  • scantools: a rule that blocks the IP addresses of scanners

  • collaborative: a collaborative defense rule

Example: highfreq

antiscan_test

The protection mode that is used for the client request based on a rule created for the scan protection module. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

Example: false

block_action

Important

This field is no longer valid due to WAF upgrades. This field is replaced with the final_plugin field. If the block_action field is used in your services, replace the field with the final_plugin field at the earliest opportunity.

The WAF protection module that is triggered to block the request. Valid values:

  • tmd: the HTTP flood protection module. The value is equivalent to the cc value of the final_plugin field.

  • waf: the web attack protection module. The value is equivalent to the waf value of the final_plugin field.

  • acl: the custom protection policy module. The value is equivalent to the acl value of the final_plugin field.

  • deeplearning: the deep learning engine module. The value is equivalent to the deeplearning value of the final_plugin field.

  • antiscan: the scan protection module. The value is equivalent to the antiscan value of the final_plugin field.

  • antifraud: the data risk control module. The value is equivalent to the antifraud value of the final_plugin field.

  • antibot: the bot management module. The value is equivalent to the intelligence, algorithm, wxbb, and scene values of the final_plugin field.

Example: waf

body_bytes_sent

The number of bytes returned to the client from the server, excluding the number of bytes in the response header. Unit: bytes.

Example: 1111

cc_action

The action that is performed on the client request based on a rule created for the HTTP flood protection or custom protection policy (HTTP flood protection policy) module. Valid values:

  • block: The request is blocked.

  • captcha: Common slider CAPTCHA verification is performed.

  • js: JavaScript validation is performed.

  • captcha_pass: The client passes common slider CAPTCHA verification, and WAF allows the client request.

  • js_pass: The client passes JavaScript validation, and WAF allows the client request.

For more information about WAF protection actions, see the Description of the action field in this topic.

Example: block

cc_rule_id

The ID of the matched rule. The rule is created for the HTTP flood protection or custom protection policy (HTTP flood protection policy) module.

Example: 151234

cc_test

The protection mode that is used for the client request based on a rule created for the HTTP flood protection or custom protection policy (HTTP flood protection policy) module. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

Example: false

deeplearning_action

The action that is performed on the client request based on a rule created for the deep learning engine module. This field is fixed as block, which indicates that the request is blocked.

For more information about WAF protection actions, see the Description of the action field in this topic.

Example: block

deeplearning_rule_id

The ID of the matched rule. The rule is created for the deep learning engine module.

Example: 151238

deeplearning_rule_type

The type of the matched rule. The rule is created for the deep learning engine module. Valid values:

  • xss: a rule used to defend against cross-site scripting (XSS) attacks

  • code_exec: a rule used to defend against code execution attacks

  • webshell: a rule used to defend against attacks that exploit webshell vulnerabilities

  • sqli: a rule used to defend against SQL injection attacks

  • lfilei: a rule used to defend against local file inclusion (LFI) attacks

  • rfilei: a rule used to defend against remote file inclusion (RFI) attacks

  • other: other protection rules

Example: xss

deeplearning_test

The protection mode that is used for the client request based on a rule created for the deep learning engine module. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

Example: false

dlp_action

The action that is performed on the client request based on a rule created for the data leakage prevention module. Valid values:

  • block: The request is blocked.

  • mask: Sensitive data is masked.

For more information about WAF protection actions, see the Description of the action field in this topic.

Example: mask

dlp_rule_id

The ID of the matched rule. The rule is created for the data leakage prevention module.

Example: 151245

dlp_test

The protection mode that is used for the client request based on a rule created for the data leakage prevention module. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

Example: false

intelligence_action

The action that is performed on the client request based on a rule created for the bot threat intelligence module. Valid values:

  • block: The request is blocked.

  • captcha_strict: Strict slider CAPTCHA verification is performed.

  • captcha: Common slider CAPTCHA verification is performed.

  • js: JavaScript validation is performed.

  • captcha_strict_pass: The client passes strict slider CAPTCHA verification, and WAF allows the client request.

  • captcha_pass: The client passes common slider CAPTCHA verification, and WAF allows the client request.

  • js_pass: The client passes JavaScript validation, and WAF allows the client request.

For more information about WAF protection actions, see the Description of the action field in this topic.

Example: block

intelligence_rule_id

The ID of the matched rule. The rule is created for the bot threat intelligence module.

Example: 152234

intelligence_test

The protection mode that is used for the client request based on a rule created for the bot threat intelligence module. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

Example: false

normalized_action

The action that is performed on the client request based on a rule created for the positive security model module. Valid values:

  • block: The request is blocked.

  • continue: The request is allowed.

For more information about WAF protection actions, see the Description of the action field in this topic.

Example: block

normalized_rule_id

The ID of the matched rule. The rule is created for the positive security model module.

Example: 151266

normalized_rule_type

The type of the matched rule. The rule is created for the positive security model module. Valid values:

  • User-Agent: a User-Agent-based baseline rule. If the User-Agent field of a request header does not conform to the baseline, an attack may occur. This description applies to other rule types.

  • Referer: a Referer-based baseline rule.

  • URL: a URL-based baseline rule.

  • Cookie: a cookie-based baseline rule.

  • Body: a request body-based baseline rule.

Example: User-Agent

normalized_test

The protection mode that is used for the client request based on a rule created for the positive security model module. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

Example: false

querystring

The query string in the request. The query string follows a question mark (?) in the request URL.

Example: title=tm_content%3Darticle&pid=123

region

The region where the WAF instance resides. Valid values:

  • cn: The WAF instance resides in the Chinese mainland.

  • int: The WAF instance resides outside the Chinese mainland.

Example: cn

remote_addr

The IP address that is used to connect to WAF.

If no Layer 7 proxies are deployed in front of WAF, this field records the IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the IP address of the Layer 7 proxy.

Example: 198.51.XX.XX

remote_port

The port that is used to connect to WAF.

If no Layer 7 proxies are deployed in front of WAF, this field records the port of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the port of the Layer 7 proxy.

Example: 80

request_body

The request body.

Example: i am the request body, encrypted or not!

request_path

The relative path that is requested. The relative path is the part between the domain name and the question mark (?) in the request URL. The relative path does not include the query string.

Example: /news/search.php

scene_action

The action that is performed on the client request based on a rule created for the scenario-specific configuration module. Valid values:

  • block: The request is blocked.

  • captcha: Common slider CAPTCHA verification is performed.

  • sigchl: Dynamic token authentication is performed.

  • js: JavaScript validation is performed.

  • captcha_pass: The client passes common slider CAPTCHA verification, and WAF allows the client request.

  • sigchl_pass: The client passes dynamic token authentication, and WAF allows the client request.

  • js_pass: The client passes JavaScript validation, and WAF allows the client request.

For more information about WAF protection actions, see the Description of the action field in this topic.

Example: block

scene_id

The scenario ID of the matched rule. The rule is created for the scenario-specific configuration module.

Example: 151235

scene_rule_id

The ID of the matched rule. The rule is created for the scenario-specific configuration module.

Example: 153678

scene_rule_type

The type of the matched rule. The rule is created for the scenario-specific configuration module. Valid values:

  • bot_aialgo: an intelligent protection rule

  • js: a rule that blocks script-based bots

  • intelligence: a rule that blocks attacks based on bot threat intelligence or data center blacklists

  • sdk: a rule that checks for abnormal signatures of SDK-integrated apps and abnormal device behavior

  • cc: an IP address-based throttling rule or a custom session-based throttling rule

  • sigchl: a dynamic token authentication rule

Example: bot_aialgo

sigchl_invalid_type

The reason why the request is considered abnormal based on a dynamic token authentication rule. Valid values:

  • sigchl_invalid_sig: The signature verification failed. The following list describes the common causes of this error:

    • The request does not carry a signature.

    • The parameter that is passed to add a signature is different from the parameter received by WAF.

  • sigchl_is_replay: The signature timestamp is abnormal. A replay attack may occur.

  • sigchl_is_driver: The request is considered a WebDriver attack request.

Example: sigchl_invalid_sig

scene_test

The protection mode that is used for the client request based on a rule created for the scenario-specific configuration module. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

Example: false

server_port

The WAF port that is requested.

Example: 443

ssl_cipher

The cipher suite that is used by the client.

Example: ECDHE-RSA-AES128-GCM-SHA256

ssl_protocol

The SSL or TLS protocol version that is used by the client.

Example: TLSv1.2

ua_browser

The name of the browser that initiates the request.

Important

Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic.

Example: ie9

ua_browser_family

The family to which the browser belongs.

Important

Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic.

Example: internet explorer

ua_browser_type

The type of the browser that initiates the request.

Important

Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic.

Example: web_browser

ua_browser_version

The version of the browser that initiates the request.

Important

Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic.

Example: 9.0

ua_device_type

The device type of the client that initiates the request.

Important

Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic.

Example: computer

ua_os

The operating system of the client that initiates the request.

Important

Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic.

windows_7

ua_os_family

The family to which the operating system of the client belongs.

Important

Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic.

windows

user_id

The ID of the Alibaba Cloud account to which the WAF instance belongs.

17045741********

waf_action

The action that is performed on the client request based on a rule created for the protection rules engine module. This field is fixed as block, which indicates that the request is blocked.

For more information about WAF protection actions, see the Description of the action field in this topic.

block

waf_rule_id

The ID of the matched rule. The rule is created for the protection rules engine module.

113406

waf_rule_type

The type of the matched rule. The rule is created for the protection rules engine module. Valid values:

  • sqli: a rule used to defend against SQL injection attacks

  • xss: a rule used to defend against cross-site scripting (XSS) attacks

  • code_exec: a rule used to defend against code execution attacks

  • crlf: a rule used to defend against Carriage Return Line Feed (CRLF) injection attacks

  • lfilei: a rule used to defend against local file inclusion (LFI) attacks

  • rfilei: a rule used to defend against remote file inclusion (RFI) attacks

  • webshell: a rule used to defend against webshell attacks, such as webshell uploads and access to uploaded webshells

  • csrf: a rule used to defend against Cross-Site Request Forgery (CSRF) attacks

  • other: other protection rules

  • cmdi: a rule used to defend against operating system (OS) command injection attacks

  • expression_injection: a rule used to defend against expression language (EL) injection attacks

  • java_deserialization: a rule used to defend against attacks that exploit Java deserialization vulnerabilities

  • php_deserialization: a rule used to defend against attacks that exploit PHP deserialization vulnerabilities

  • ssrf: a rule used to defend against Server-Side Request Forgery (SSRF) attacks

  • path_traversal: a rule used to defend against path traversal attacks

  • protocol_violation: a rule used to defend against protocol violation attacks

  • arbitrary_file_uploading: a rule used to defend against attacks that exploit arbitrary file upload vulnerabilities

  • dot_net_deserialization: a rule used to defend against attacks that exploit .NET deserialization vulnerabilities

  • scanner_behavior: a rule used to detect and block the behavior of vulnerability scanners

  • logic_flaw: a rule used to defend against attacks that exploit business logic vulnerabilities

  • arbitrary_file_reading: a rule used to defend against attacks that exploit arbitrary file read vulnerabilities

  • arbitrary_file_download: a rule used to defend against attacks that exploit arbitrary file download vulnerabilities

  • xxe: a rule used to defend against XML External Entity (XXE) injection attacks

xss

waf_test

The protection mode that is used for the client request based on a rule created for the protection rules engine module. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

false

wxbb_action

The action that is performed on the client request based on a rule created for the app protection module. Valid values:

  • block: The request is blocked because the signature verification failed.

  • captcha: Common slider CAPTCHA verification is performed.

  • js: JavaScript validation is performed.

  • continue: The request is allowed because the signature verification passed.

For more information about WAF protection actions, see the Description of the action field in this topic.

block

wxbb_invalid_wua

The reason why the request is considered abnormal based on a rule created for the app protection module. Valid values:

  • wxbb_simulator: A simulator is used.

  • wxbb_proxy: A proxy is used.

  • wxbb_root: A rooted device is used.

  • wxbb_hook: Hooking is used.

  • wxbb_antireplay: The wToken signature string has already been used. This indicates a possible replay attack.

  • wxbb_virtual: Multi-boxing (app cloning) is detected for the app that integrates the WAF SDK.

  • wxbb_debugged: The device is in debug mode.

  • wxbb_invalid_sign: The signature verification failed.

    The following list describes common causes of this error:

    • The request does not carry a signature.

    • The content that was signed is different from the content that WAF receives. For example, the parameters are signed in the order a=1&b=2, but WAF receives them in the order b=2&a=1. Another example: the content is signed before encoding, but WAF receives the Base64-encoded content. The signature must be computed over the exact bytes, in the exact order and encoding, that are sent to WAF.

wxbb_invalid_sign
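The two causes above come down to one rule: the signer and the verifier must hash identical bytes. The following added example, which is not the WAF SDK's code and uses a generic HMAC-SHA256 scheme with an assumed shared secret rather than the SDK's real algorithm or key material, reproduces both failures and shows the fix for each. Reordering the parameters breaks a naive signature over the raw query string but not a signature over a canonicalized (sorted, re-encoded) form; a Base64 transformation applied after signing breaks verification either way, so the bytes actually transmitted are what must be signed.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Assumed shared secret for illustration only; this is not WAF SDK key material.
SECRET = b"example-secret-not-the-waf-sdk-key"


def sign_raw(payload: str) -> str:
    """Naive signer: HMAC-SHA256 over the payload exactly as the caller built it."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def canonicalize(query_string: str) -> str:
    """Sort parameters by name and re-encode them so both sides hash identical bytes.

    This removes the "a=1&b=2" versus "b=2&a=1" mismatch described above.
    """
    pairs = parse_qsl(query_string, keep_blank_values=True)
    return urlencode(sorted(pairs))


def sign_canonical(query_string: str) -> str:
    return sign_raw(canonicalize(query_string))


def verify(received: str, signature: str, canonical: bool = True) -> bool:
    """Verifier side: recompute the signature and compare in constant time."""
    expected = sign_canonical(received) if canonical else sign_raw(received)
    return hmac.compare_digest(expected, signature)


def demo() -> dict:
    """Run the mismatch scenarios from the wxbb_invalid_sign description."""
    sent = "a=1&b=2"                       # what the client signed
    reordered = "b=2&a=1"                  # same parameters, different order at WAF
    b64 = base64.b64encode(sent.encode()).decode()  # encoded after signing

    sig_naive = sign_raw(sent)
    sig_canon = sign_canonical(sent)

    return {
        # Parameter order differs: naive signing fails, canonical signing passes.
        "reordered_naive": verify(reordered, sig_naive, canonical=False),
        "reordered_canonical": verify(reordered, sig_canon, canonical=True),
        # Encoding differs: canonicalization of parameter order cannot help.
        "base64_canonical": verify(b64, sig_canon, canonical=True),
        # Fix: sign the bytes that are actually sent, i.e. the encoded form.
        "base64_signed_as_sent": verify(b64, sign_raw(b64), canonical=False),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'wxbb_invalid_sign'}")
```

When triaging a burst of wxbb_invalid_sign records, compare the query string the client SDK signed with the one the origin or WAF logged; an order or encoding difference between the two is the usual culprit rather than a wrong key.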

wxbb_rule_id

The ID of the matched rule. The rule is created for the app protection module.

156789

wxbb_test

The protection mode that is used for the client request based on a rule created for the app protection module. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

false
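A point that is easy to miss when reading these fields: waf_action is always block and wxbb_action may be block, but a record whose waf_test or wxbb_test is true was only logged, so nothing was actually blocked. The following added example, which is not part of the original page, reads constructed WAF log records (JSON lines with only the fields discussed here populated) and separates enforced hits from monitor-only hits per module and per rule type, which is the view you need before switching a rule from monitoring to prevention mode. The field names match this page; the sample values and the "true"/"false" string representation of the test fields are assumptions.

```python
import json
from collections import Counter

# Constructed sample records, not real customer logs. Real records carry
# many more fields (see the table on this page); only those used below are set.
SAMPLE_LOGS = [
    '{"time":"2024-12-04T10:00:01+08:00","matched_host":"www.example.com",'
    '"waf_action":"block","waf_rule_id":"113406","waf_rule_type":"xss","waf_test":"false"}',
    '{"time":"2024-12-04T10:00:02+08:00","matched_host":"www.example.com",'
    '"waf_action":"block","waf_rule_id":"113406","waf_rule_type":"sqli","waf_test":"true"}',
    '{"time":"2024-12-04T10:00:03+08:00","matched_host":"api.example.com",'
    '"wxbb_action":"block","wxbb_invalid_wua":"wxbb_invalid_sign","wxbb_rule_id":"156789","wxbb_test":"false"}',
    '{"time":"2024-12-04T10:00:04+08:00","matched_host":"api.example.com",'
    '"wxbb_action":"block","wxbb_invalid_wua":"wxbb_simulator","wxbb_rule_id":"156789","wxbb_test":"true"}',
    '{"time":"2024-12-04T10:00:05+08:00","matched_host":"api.example.com",'
    '"wxbb_action":"continue","wxbb_rule_id":"156789","wxbb_test":"false"}',
    'this line is not JSON and must not abort the run',
]

# module prefix -> (action field, test field, field that names the rule type / reason)
MODULES = {
    "waf": ("waf_action", "waf_test", "waf_rule_type"),
    "wxbb": ("wxbb_action", "wxbb_test", "wxbb_invalid_wua"),
}


def is_monitor_mode(value) -> bool:
    """waf_test / wxbb_test: "true" means monitoring mode (logged, not enforced)."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def classify(record: dict) -> list:
    """Return one hit per protection module that fired on this record."""
    hits = []
    for module, (action_field, test_field, type_field) in MODULES.items():
        action = record.get(action_field)
        if not action:
            continue  # this module did not produce a verdict for the request
        monitor = is_monitor_mode(record.get(test_field, "false"))
        # "continue" (app protection) means the signature passed; nothing to enforce.
        # Any other action in monitoring mode was recorded only, so it is not effective.
        effective = action != "continue" and not monitor
        hits.append({
            "module": module,
            "action": action,
            "rule_type": record.get(type_field),
            "monitor": monitor,
            "effective": effective,
        })
    return hits


def summarize(lines) -> dict:
    """Count enforced versus monitor-only hits keyed by (module, rule type)."""
    summary = {"enforced": Counter(), "monitor_only": Counter(), "parse_errors": 0}
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            summary["parse_errors"] += 1
            continue
        for hit in classify(record):
            key = (hit["module"], hit["rule_type"])
            if hit["effective"]:
                summary["enforced"][key] += 1
            elif hit["action"] != "continue":
                summary["monitor_only"][key] += 1
    return summary


if __name__ == "__main__":
    result = summarize(SAMPLE_LOGS)
    for bucket in ("enforced", "monitor_only"):
        for (module, rule_type), count in sorted(result[bucket].items()):
            print(f"{bucket:13} {module:5} {rule_type:20} {count}")
    print(f"unparseable lines: {result['parse_errors']}")
```

The same split applies to the other modules on this page that carry a *_test field: read the action field together with its test field, never alone, or a monitoring-mode rollout will look like it is blocking traffic.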