Cloud Firewall automatically collects and stores logs of inbound and outbound traffic in real time. You can specify a log field to query the required log content. This facilitates log analysis and troubleshooting. This topic describes the log fields of Cloud Firewall and the log fields that support indexes.
Cloud Firewall log fields
Log field descriptions
Field | Description | Example |
__time__ | The time when the log is written to a Logstore. | 1703483369 |
__topic__ | The topic of the log. The value is fixed as cloudfirewall_access_log, which indicates a traffic log of Cloud Firewall. | cloudfirewall_access_log |
acl_rule_id | The ID of the access control policy that the traffic hits. If the value is 00000000-0000-0000-0000-000000000000, no access control policy is hit. | 073a1475-6e11-43e2-8b28-98cee9c6**** |
aliuid | The ID of the Alibaba Cloud account. | 1233333333**** |
app_dpi_state | The identification status of the application. Valid values: | success |
app_name | The application type of the traffic. Valid values: HTTPS, NTP, SIP, SMB, NFS, DNS, and Unknown. | HTTPS |
attack_type_name | The Chinese name of the attack type included in the traffic. | |
attack_type_name_en | The English name of the attack type included in the traffic. | Mining Behavior |
country_id | The country or region. The value uses the two-letter code in ISO 3166-1. | CN |
city_id | The unique identifier of the city. The value is the six-digit administrative region code of a city in China. For example, the administrative region code of Beijing is 110000. | 110000 |
cloud_instance_id | The ID of the protected asset instance. | ngw-bp1d5bx2orlw1p2wn**** |
direction | The direction of the traffic. Valid values: Note Virtual private cloud (VPC) firewalls do not differentiate between inbound traffic and outbound traffic. The value of the direction field is fixed as out for VPC firewalls. | in |
domain | The destination domain name of the traffic. Note The value of this field is displayed only if the traffic contains domain name information. | www.aliyundoc.com |
dst_ip | The destination IP address of the traffic. | 39.108.XX.XX |
dst_network_instance_id | The destination network instance of the traffic. | vpc-bp18ina819injc9zs**** |
dst_port | The destination port of the traffic. | 443 |
dst_region | The destination region of the traffic. | cn-beijing |
end_time | The time when the session ends. This value is a UNIX timestamp. Unit: seconds. | 1702367350 |
firewall_id | The ID of the VPC firewall. | cen-m9y9u2hgc0t9im**** |
in_bps | The rate of inbound traffic. Unit: bit/s. | 42 |
in_packet_bytes | The total number of bytes in inbound traffic. Unit: bytes. | 58 |
in_packet_count | The number of packets in inbound traffic. | 1 |
in_pps | The average data transmission rate of inbound traffic. Unit: packets per second. Note If the data transmission rate is less than 1, the value of this field is displayed as 0 and no decimal places are displayed. | 1 |
ip_protocol | The IP protocol of the traffic. Valid values: | tcp |
ips_ai_rule_id | The ID of the recommended intelligent access control policy that the traffic hits. If the value is 00000000-0000-0000-0000-000000000000, no recommended intelligent access control policy is matched or hit. | 00000000-0000-0000-0000-000000000000 |
ips_rule_id | The ID of the intrusion prevention policy that the traffic hits. If the value is 00000000-0000-0000-0000-000000000000, no intrusion prevention policy is matched or hit. | 00000000-0000-0000-0000-000000000000 |
ips_rule_name | The Chinese name of the intrusion prevention policy that the traffic hits. | |
ips_rule_name_en | The English name of the intrusion prevention policy that the traffic hits. | Mining behavior on the host |
log_type | The log type. Valid values: | internet_log |
loose_allow_acl_id | The ID of the pre-match access control policy. Valid values: | 00000000-0000-0000-0000-000000000000 |
new_conn | Indicates whether the connection is a new connection. Valid values: | 1 |
out_bps | The rate of outbound traffic. Unit: bit/s. | 0 |
out_packet_bytes | The total number of bytes in outbound traffic. Unit: bytes. | 0 |
out_packet_count | The number of packets in outbound traffic. | 0 |
out_pps | The average data transmission rate of outbound traffic. Unit: packets per second. Note If the data transmission rate is less than 1, the value of this field is displayed as 0 and no decimal places are displayed. | 0 |
region_id | The region ID. For more information about region IDs, see Supported regions. | cn-beijing |
rule_result | The action on the traffic that hits an access control policy. Valid values: The action on the traffic that hits an intrusion prevention policy. Valid values: | alert |
rule_source | The source of the policy that the traffic hits. Valid values: | basic_acl |
src_ip | The source IP address of the traffic. | 167.94.XX.XX |
src_network_instance_id | The source network instance of the traffic. | vpc-bp18ina819injc9zs**** |
src_port | The source port of the traffic. The source port is the port of the host from which the traffic is sent. | 47915 |
src_region | The source region of the traffic. | cn-beijing |
src_vpc_id | The ID of the source VPC for the traffic. | vpc-bp18ina819injc9zs**** |
start_time | The time when the session starts. This value is a UNIX timestamp. Unit: seconds. | 1701759171 |
start_time_min | The start time of the session, truncated to the minute. This value is a UNIX timestamp. Unit: seconds. | 1701759120 |
tcp_seq | The TCP sequence number. | 388367**** |
total_bps | The total data transmission rate of inbound and outbound traffic. Unit: bit/s. | 42 |
total_packet_bytes | The total number of bytes in inbound and outbound traffic. Unit: bytes. | 58 |
total_packet_count | The total number of packets in inbound and outbound traffic. | 1 |
total_pps | The average data transmission rate of inbound and outbound traffic. Unit: packets per second. Note If the data transmission rate is less than 1, the value of this field is displayed as 0 and no decimal places are displayed. | 0 |
url | The URL of the website that the server accesses. Note The value of this field is displayed only when the value of app_name is HTTP. | http://aliyundoc.com/index.html |
vul_level | The risk level of the vulnerability exploited by malicious traffic. Valid values: | 1 |
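The fields above are what a detection query consumes. As an added example (not Alibaba Cloud code), the following Python triages constructed records shaped like these fields: it reads the all-zero ID as "no policy hit", recomputes packets per second from the counters because the *_pps fields are shown as 0 below 1 packet/s, and lists the sessions that hit a policy. The record contents, the IPs, the policy IDs and the ACL action value drop are assumptions.

```python
from typing import Dict, List, Tuple

# The all-zero ID that the acl_rule_id / ips_rule_id / ips_ai_rule_id fields
# carry when no policy of that type was hit.
NULL_ID = "00000000-0000-0000-0000-000000000000"

# Constructed sample records in the shape of the fields documented above
# (placeholder IPs and policy IDs; only the fields the triage uses are present).
SAMPLE_LOGS: List[Dict] = [
    {"direction": "out", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "dst_port": 443,
     "app_name": "HTTPS", "acl_rule_id": NULL_ID, "ips_ai_rule_id": NULL_ID,
     "ips_rule_id": "11111111-1111-1111-1111-111111111111",
     "ips_rule_name_en": "Mining behavior on the host", "rule_result": "alert",
     "start_time": 1701759171, "end_time": 1701759171, "total_packet_count": 3, "total_pps": 0},
    {"direction": "in", "src_ip": "198.51.100.7", "dst_ip": "10.0.0.5", "dst_port": 22,
     "app_name": "Unknown", "acl_rule_id": "22222222-2222-2222-2222-222222222222",
     "ips_rule_id": NULL_ID, "ips_ai_rule_id": NULL_ID, "ips_rule_name_en": "",
     "rule_result": "drop",  # assumed ACL action name; the table does not list the values
     "start_time": 1701759180, "end_time": 1701759181, "total_packet_count": 2, "total_pps": 2},
    {"direction": "in", "src_ip": "198.51.100.8", "dst_ip": "10.0.0.5", "dst_port": 443,
     "app_name": "HTTPS", "acl_rule_id": NULL_ID, "ips_rule_id": NULL_ID,
     "ips_ai_rule_id": NULL_ID, "ips_rule_name_en": "", "rule_result": "",
     "start_time": 1701759200, "end_time": 1701759210, "total_packet_count": 400, "total_pps": 40},
]

POLICY_FIELDS = (("acl_rule_id", "acl"), ("ips_rule_id", "ips"), ("ips_ai_rule_id", "ips_ai"))


def policy_hits(rec: Dict) -> List[str]:
    """Return the policy types whose ID field is not the all-zero null ID."""
    return [label for field, label in POLICY_FIELDS if rec.get(field, NULL_ID) != NULL_ID]


def effective_pps(rec: Dict) -> float:
    """Recompute packets/s from the counters; the *_pps fields show 0 below 1 packet/s,
    so short sessions look idle. Sub-second sessions are treated as lasting 1 s."""
    duration = max(rec["end_time"] - rec["start_time"], 1)
    return rec["total_packet_count"] / duration


def triage(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (src_ip, dst_ip, reason) for every record that hit any policy."""
    findings = []
    for rec in records:
        for hit in policy_hits(rec):
            detail = rec["ips_rule_name_en"] if hit.startswith("ips") else rec["acl_rule_id"]
            findings.append((rec["src_ip"], rec["dst_ip"], f"{hit}/{rec['rule_result']}/{detail}"))
    return findings
```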
What to do next
You can enable the log analysis feature of Cloud Firewall. For more information, see Enable the log analysis feature.
You can query and analyze collected logs in real time to monitor traffic exceptions and protect your assets. For more information about how to query logs, see Query and analyze logs.
You can export log query and analysis results to your computer or deliver the results to Object Storage Service (OSS) for storage. For more information, see Export logs.