All Products
Search

This Product

    Cloud Firewall:Descriptions of log fields

    Document Center

    Cloud Firewall:Descriptions of log fields

    Last Updated:Oct 25, 2024

    Cloud Firewall automatically collects and stores logs of inbound and outbound traffic in real time. You can specify a log field to query the required log content. This facilitates log analysis and troubleshooting. This topic describes the log fields of Cloud Firewall and the log fields that support indexes.

    Cloud Firewall log fields

    Internet firewall

    NAT firewall

    VPC firewall

    Log field descriptions

    Field

    Description

    Example

    __time__

    The time when the log is written to a Logstore.

    1703483369

    __topic__

    The topic of the log. The value is fixed as cloudfirewall_access_log, which indicates a traffic log of Cloud Firewall.

    cloudfirewall_access_log

    acl_rule_id

    The ID of the access control policy that the traffic hits.

    If the value is 00000000-0000-0000-0000-000000000000, no access control policy is hit.

    073a1475-6e11-43e2-8b28-98cee9c6****

    aliuid

    The ID of the Alibaba Cloud account.

    1233333333****

    app_dpi_state

    The identification status of the application. Valid values:

    • success: The application is successfully identified.

    • policy_discard: The application is blocked by a policy.

    • tcp_not_establish: The TCP connection failed to be established.

    • analysing: The application is being analyzed.

    • no_payload: The payload is not received.

    • unknown_loose: The application is unidentified in Loose mode.

    • unknown_strict: The application is unidentified in Strict mode.

    • none: No identification status is recorded for the application.

    success

    app_name

    The application type of the traffic. Valid values: HTTPS, NTP, SIP, SMB, NFS, DNS, and Unknown.

    HTTPS

    attack_type_name

    The Chinese name of the attack type included in the traffic.

    attack_type_name_en

    The English name of the attack type included in the traffic.

    Mining Behavior

    country_id

    The country or region. The value uses the two-letter code in ISO 3166-1.

    • If the value of direction is in, the value of this field is the country or region from which the traffic is initiated.

    • If the value of direction is out, the value of this field is the country or region for which the traffic is destined.

    CN

    city_id

    The unique identifier of the city. The value is the six-digit administrative region code of a city in China. For example, the administrative region code of Beijing is 110000.

    110000

    cloud_instance_id

    The ID of the protected asset instance.

    ngw-bp1d5bx2orlw1p2wn****

    direction

    The direction of the traffic. Valid values:

    • in: inbound traffic to your Elastic Compute Service (ECS) instances from other ECS instances in the internal network or from servers on the Internet.

    • out: outbound traffic from your ECS instances to other ECS instances in the internal network or to servers on the Internet.

    Note

    Virtual private cloud (VPC) firewalls do not differentiate between inbound traffic and outbound traffic. The value of the direction field is fixed as out for VPC firewalls.

    in

    domain

    The destination domain name of the traffic.

    Note

    The value of this field is displayed only if the traffic contains domain name information.

    www.aliyundoc.com

    dst_ip

    The destination IP address of the traffic.

    39.108.XX.XX

    dst_network_instance_id

    The destination network instance of the traffic.

    vpc-bp18ina819injc9zs****

    dst_port

    The destination port of the traffic.

    443

    dst_region

    The destination region of the traffic.

    cn-beijing

    end_time

    The time when the session ends. This value is a UNIX timestamp. Unit: seconds.

    1702367350

    firewall_id

    The ID of the VPC firewall.

    cen-m9y9u2hgc0t9im****

    in_bps

    The rate of inbound traffic. Unit: bit/s.

    42

    in_packet_bytes

    The total number of bytes in inbound traffic. Unit: bytes.

    58

    in_packet_count

    The number of packets in inbound traffic.

    1

    in_pps

    The average data transmission rate of inbound traffic. Unit: packets per second.

    Note

    If the data transmission rate is less than 1, the value of this field is displayed as 0 and no decimal places are displayed.

    1

    ip_protocol

    The IP protocol of the traffic. Valid values:

    • tcp

    • udp

    • icmp

    tcp

    ips_ai_rule_id

    The ID of the recommended intelligent access control policy that the traffic hits.

    If the value is 00000000-0000-0000-0000-000000000000, no recommended intelligent access control policy is matched or hit.

    00000000-0000-0000-0000-000000000000

    ips_rule_id

    The ID of the intrusion prevention policy that the traffic hits.

    If the value is 00000000-0000-0000-0000-000000000000, no intrusion prevention policy is matched or hit.

    00000000-0000-0000-0000-000000000000

    ips_rule_name

    The Chinese name of the intrusion prevention policy that the traffic hits.

    ips_rule_name_en

    The English name of the intrusion prevention policy that the traffic hits.

    Mining behavior on the host

    log_type

    The log type. Valid values:

    • internet_log: logs of the Internet firewall

    • vpc_firewall_log: logs of VPC firewalls

    • nat_firewall_log: logs of NAT firewalls

    • dns_firewall_log: logs of Domain Name System (DNS) firewalls

    • ipv6_firewall_log: traffic protection logs of IPv6 addresses

    internet_log

    loose_allow_acl_id

    The ID of the pre-match access control policy. Valid values:

    • 00000000-0000-0000-0000-000000000000: indicates that no unidentified traffic is allowed.

    • Others: indicates that unidentified traffic is allowed. The value is the ID of the access control policy that allows the unidentified traffic.

    00000000-0000-0000-0000-000000000000

    new_conn

    Indicates whether the connection is a new connection. Valid values:

    • 1: yes

    • 0: no

    1

    out_bps

    The rate of outbound traffic. Unit: bit/s.

    0

    out_packet_bytes

    The total number of bytes in outbound traffic. Unit: bytes.

    0

    out_packet_count

    The number of packets in outbound traffic.

    0

    out_pps

    The average data transmission rate of outbound traffic. Unit: packets per second.

    Note

    If the data transmission rate is less than 1, the value of this field is displayed as 0 and no decimal places are displayed.

    0

    region_id

    The region ID. For more information about region IDs, see Supported regions.

    • If the value of direction is in, the value of this field is the ID of the region for which the traffic is destined.

    • If the value of direction is out, the value of this field is the ID of the region from which the traffic is initiated.

    cn-beijing

    rule_result

    The action on the traffic that hits an access control policy. Valid values:

    • pass: allow

    • alert: monitor

    • drop: deny

    The action on the traffic that hits an intrusion prevention policy. Valid values:

    • alert: generates alerts for the traffic.

    • drop: blocks the traffic.

    alert

    rule_source

    The source of the policy that the traffic hits. Valid values:

    • basic_acl: access control

    • dns_acl_rule: an access control policy configured for a DNS firewall

    • intelligence: threat intelligence

    • ips_basic_rule: basic protection

    • virtual_patch: virtual patching

    • unknown

    basic_acl

    src_ip

    The source IP address of the traffic.

    167.94.XX.XX

    src_network_instance_id

    The source network instance of the traffic.

    vpc-bp18ina819injc9zs****

    src_port

    The source port of the traffic. The source port is the port of the host from which the traffic is sent.

    47915

    src_region

    The source region of the traffic.

    cn-beijing

    src_vpc_id

    The ID of the source VPC for the traffic.

    vpc-bp18ina819injc9zs****

    start_time

    The time when the session starts. This value is a UNIX timestamp. Unit: seconds.

    1701759171

    start_time_min

    The start time of the session. The value is in minutes. This value is a UNIX timestamp. Unit: seconds.

    1701759120

    tcp_seq

    The TCP serial number.

    388367****

    total_bps

    The total data transmission rate of inbound and outbound traffic. Unit: bit/s.

    42

    total_packet_bytes

    The total packet throughput of inbound and outbound traffic. Unit: bytes

    58

    total_packet_count

    The total number of packets in inbound and outbound traffic.

    1

    total_pps

    The average data transmission rate of inbound and outbound traffic. Unit: packets per second.

    Note

    If the data transmission rate is less than 1, the value of this field is displayed as 0 and no decimal places are displayed.

    0

    url

    The URL of the website that the server accesses.

    Note

    The value of this field is displayed only when the value of app_name is HTTP.

    http://aliyundoc.com/index.html

    vul_level

    The risk level of the vulnerability exploited by malicious traffic. Valid values:

    • 0: No vulnerability is exploited.

    • 1: low-risk vulnerabilities.

    • 2: medium-risk vulnerabilities.

    • 3: high-risk vulnerabilities.

    1

    What to do next

    • You can enable the log analysis feature of Cloud Firewall. For more information, see Enable the log analysis feature.

    • You can query and analyze collected logs in real time to monitor traffic exceptions and protect your assets. For more information about how to query logs, see Query and analyze logs.

    • You can export log query and analysis results to your computer or deliver the results to Object Storage Service (OSS) for storage. For more information, see Export logs.