All Products
Search
Document Center

Cloud Firewall:Descriptions of log fields

Last Updated:Oct 25, 2024

Cloud Firewall automatically collects and stores logs of inbound and outbound traffic in real time. You can specify a log field to query the required log content. This facilitates log analysis and troubleshooting. This topic describes the log fields of Cloud Firewall and the log fields that support indexes.

Cloud Firewall log fields

Internet firewall

NAT firewall

VPC firewall

Log field descriptions

Field

Description

Example

__time__

The time when the log is written to a Logstore.

1703483369

__topic__

The topic of the log. The value is fixed as cloudfirewall_access_log, which indicates a traffic log of Cloud Firewall.

cloudfirewall_access_log

acl_rule_id

The ID of the access control policy that the traffic hits.

If the value is 00000000-0000-0000-0000-000000000000, no access control policy is hit.

073a1475-6e11-43e2-8b28-98cee9c6****

aliuid

The ID of the Alibaba Cloud account.

1233333333****

app_dpi_state

The identification status of the application. Valid values:

  • success: The application is successfully identified.

  • policy_discard: The application is blocked by a policy.

  • tcp_not_establish: The TCP connection failed to be established.

  • analysing: The application is being analyzed.

  • no_payload: The payload is not received.

  • unknown_loose: The application is unidentified in Loose mode.

  • unknown_strict: The application is unidentified in Strict mode.

  • none: No identification status is recorded for the application.

success

app_name

The application type of the traffic. Valid values: HTTPS, NTP, SIP, SMB, NFS, DNS, and Unknown.

HTTPS

attack_type_name

The Chinese name of the attack type included in the traffic.

attack_type_name_en

The English name of the attack type included in the traffic.

Mining Behavior

country_id

The country or region. The value uses the two-letter code in ISO 3166-1.

  • If the value of direction is in, the value of this field is the country or region from which the traffic is initiated.

  • If the value of direction is out, the value of this field is the country or region for which the traffic is destined.

CN

city_id

The unique identifier of the city. The value is the six-digit administrative region code of a city in China. For example, the administrative region code of Beijing is 110000.

110000

cloud_instance_id

The ID of the protected asset instance.

ngw-bp1d5bx2orlw1p2wn****

direction

The direction of the traffic. Valid values:

  • in: inbound traffic to your Elastic Compute Service (ECS) instances from other ECS instances in the internal network or from servers on the Internet.

  • out: outbound traffic from your ECS instances to other ECS instances in the internal network or to servers on the Internet.

Note

Virtual private cloud (VPC) firewalls do not differentiate between inbound traffic and outbound traffic. The value of the direction field is fixed as out for VPC firewalls.

in

domain

The destination domain name of the traffic.

Note

The value of this field is displayed only if the traffic contains domain name information.

www.aliyundoc.com

dst_ip

The destination IP address of the traffic.

39.108.XX.XX

dst_network_instance_id

The destination network instance of the traffic.

vpc-bp18ina819injc9zs****

dst_port

The destination port of the traffic.

443

dst_region

The destination region of the traffic.

cn-beijing

end_time

The time when the session ends. This value is a UNIX timestamp. Unit: seconds.

1702367350

firewall_id

The ID of the VPC firewall.

cen-m9y9u2hgc0t9im****

in_bps

The rate of inbound traffic. Unit: bit/s.

42

in_packet_bytes

The total number of bytes in inbound traffic. Unit: bytes.

58

in_packet_count

The number of packets in inbound traffic.

1

in_pps

The average data transmission rate of inbound traffic. Unit: packets per second.

Note

If the data transmission rate is less than 1, the value of this field is displayed as 0 and no decimal places are displayed.

1

ip_protocol

The IP protocol of the traffic. Valid values:

  • tcp

  • udp

  • icmp

tcp

ips_ai_rule_id

The ID of the recommended intelligent access control policy that the traffic hits.

If the value is 00000000-0000-0000-0000-000000000000, no recommended intelligent access control policy is matched or hit.

00000000-0000-0000-0000-000000000000

ips_rule_id

The ID of the intrusion prevention policy that the traffic hits.

If the value is 00000000-0000-0000-0000-000000000000, no intrusion prevention policy is matched or hit.

00000000-0000-0000-0000-000000000000

ips_rule_name

The Chinese name of the intrusion prevention policy that the traffic hits.

ips_rule_name_en

The English name of the intrusion prevention policy that the traffic hits.

Mining behavior on the host

log_type

The log type. Valid values:

  • internet_log: logs of the Internet firewall

  • vpc_firewall_log: logs of VPC firewalls

  • nat_firewall_log: logs of NAT firewalls

  • dns_firewall_log: logs of Domain Name System (DNS) firewalls

  • ipv6_firewall_log: traffic protection logs of IPv6 addresses

internet_log

loose_allow_acl_id

The ID of the pre-match access control policy. Valid values:

  • 00000000-0000-0000-0000-000000000000: indicates that no unidentified traffic is allowed.

  • Others: indicates that unidentified traffic is allowed. The value is the ID of the access control policy that allows the unidentified traffic.

00000000-0000-0000-0000-000000000000

new_conn

Indicates whether the connection is a new connection. Valid values:

  • 1: yes

  • 0: no

1

out_bps

The rate of outbound traffic. Unit: bit/s.

0

out_packet_bytes

The total number of bytes in outbound traffic. Unit: bytes.

0

out_packet_count

The number of packets in outbound traffic.

0

out_pps

The average data transmission rate of outbound traffic. Unit: packets per second.

Note

If the data transmission rate is less than 1, the value of this field is displayed as 0 and no decimal places are displayed.

0

region_id

The region ID. For more information about region IDs, see Supported regions.

  • If the value of direction is in, the value of this field is the ID of the region for which the traffic is destined.

  • If the value of direction is out, the value of this field is the ID of the region from which the traffic is initiated.

cn-beijing

rule_result

The action on the traffic that hits an access control policy. Valid values:

  • pass: allow

  • alert: monitor

  • drop: deny

The action on the traffic that hits an intrusion prevention policy. Valid values:

  • alert: generates alerts for the traffic.

  • drop: blocks the traffic.

alert

rule_source

The source of the policy that the traffic hits. Valid values:

  • basic_acl: access control

  • dns_acl_rule: an access control policy configured for a DNS firewall

  • intelligence: threat intelligence

  • ips_basic_rule: basic protection

  • virtual_patch: virtual patching

  • unknown

basic_acl

src_ip

The source IP address of the traffic.

167.94.XX.XX

src_network_instance_id

The source network instance of the traffic.

vpc-bp18ina819injc9zs****

src_port

The source port of the traffic. The source port is the port of the host from which the traffic is sent.

47915

src_region

The source region of the traffic.

cn-beijing

src_vpc_id

The ID of the source VPC for the traffic.

vpc-bp18ina819injc9zs****

start_time

The time when the session starts. This value is a UNIX timestamp. Unit: seconds.

1701759171

start_time_min

The start time of the session. The value is in minutes. This value is a UNIX timestamp. Unit: seconds.

1701759120

tcp_seq

The TCP serial number.

388367****

total_bps

The total data transmission rate of inbound and outbound traffic. Unit: bit/s.

42

total_packet_bytes

The total packet throughput of inbound and outbound traffic. Unit: bytes

58

total_packet_count

The total number of packets in inbound and outbound traffic.

1

total_pps

The average data transmission rate of inbound and outbound traffic. Unit: packets per second.

Note

If the data transmission rate is less than 1, the value of this field is displayed as 0 and no decimal places are displayed.

0

url

The URL of the website that the server accesses.

Note

The value of this field is displayed only when the value of app_name is HTTP.

http://aliyundoc.com/index.html

vul_level

The risk level of the vulnerability exploited by malicious traffic. Valid values:

  • 0: No vulnerability is exploited.

  • 1: low-risk vulnerabilities.

  • 2: medium-risk vulnerabilities.

  • 3: high-risk vulnerabilities.

1

What to do next

  • You can enable the log analysis feature of Cloud Firewall. For more information, see Enable the log analysis feature.

  • You can query and analyze collected logs in real time to monitor traffic exceptions and protect your assets. For more information about how to query logs, see Query and analyze logs.

  • You can export log query and analysis results to your computer or deliver the results to Object Storage Service (OSS) for storage. For more information, see Export logs.