Details of fields in website access, attack, and protection logs - Simple Log Service

This topic describes the fields of website access, attack, and protection logs in Web Application Firewall (WAF).

Log field	Description
__topic__	The topic of the log. The value is fixed as waf_access_log.
account_action	The action that is performed on the client request after an account security rule is triggered. The value is fixed as block, which indicates that the request is blocked. For more information, see Description of the action field.
account_rule_id	The ID of the account security rule that is triggered.
account_test	The protection mode that is used for the client request after an account security rule is triggered. Valid values: true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed. false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
acl_action	The action that is performed on the client request after a rule created for the blacklist or custom protection policy (ACL) feature is triggered. Valid values: block, captcha_strict, captcha, js, captcha_strict_pass, captcha_pass, and js_pass. For more information, see Description of the action field.
acl_rule_id	The ID of the rule that is triggered. The rule is created for the blacklist or ACL feature.
acl_rule_type	The type of the rule that is triggered. The rule is created for the blacklist or ACL feature. Valid values: custom: indicates a rule that is created for the ACL feature. blacklist: indicates a rule that is created for the blacklist feature.
acl_test	The protection mode that is used for the client request after a rule created for the blacklist or ACL feature is triggered. Valid values: true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed. false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
algorithm_rule_id	The ID of the rule that is triggered. The rule is created for the typical bot behavior identification feature.
antiscan_action	The action that is performed on the client request after a rule created for the scan protection feature is triggered. The value is fixed as block, which indicates that the request is blocked. For more information, see Description of the action field.
antiscan_rule_id	The ID of the rule that is triggered. The rule is created for the scan protection feature.
antiscan_rule_type	The type of the rule that is triggered. The rule is created for the scan protection feature. Valid values: highfreq: indicates a rule that blocks IP addresses from which web attacks are frequently initiated. dirscan: indicates a rule that defends against path traversals. scantools: indicates a rule that blocks the IP addresses of scanning tools. collaborative: indicates a collaborative defense rule.
antiscan_test	The protection mode that is used for the client request after a rule created for the scan protection feature is triggered. Valid values: true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed. false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
block_action	The WAF protection feature that is triggered to block the request. Valid values: Important This field is no longer valid due to WAF upgrades. The final_plugin field replaces this field. If the block_action field is used in your services, replace the field with final_plugin at the earliest opportunity. tmd: indicates the HTTP flood protection feature. waf: indicates the web attack protection feature. acl: indicates the custom protection policy feature. deeplearning: indicates the Deep Learning Engine. antiscan: indicates the scan protection feature. antifraud: indicates the data risk control feature. antibot: indicates the bot management feature.
body_bytes_sent	The number of bytes in the body of the client request
bypass_matched_ids	The ID of the rule that is triggered to allow the client request. The rule can be a whitelist rule or a custom protection rule that allows the request. If multiple rules are triggered at the same time to allow the request, this field records the IDs of all the rules. Multiple IDs are separated by commas (,).
cc_action	The action that is performed on the client request after a rule created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature is triggered. Valid values: block, captcha, js, captcha_pass, and js_pass. For more information, see Description of the action field.
cc_blocks	Indicates whether the client request is blocked by the HTTP flood protection feature. Valid values: 1: The request is blocked. A different value: The request is allowed.
cc_rule_id	The ID of the rule that is triggered. The rule is created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature.
cc_rule_type	The type of the rule that is triggered. The rule is created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature. Valid values: custom: indicates a custom protection rule (HTTP Flood Protection). system: indicates an HTTP flood protection rule.
cc_test	The protection mode that is used for the client request after a rule created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature is triggered. Valid values: true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed. false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
content_type	The type of the requested content.
deeplearning_action	The action that is performed on the client request after a rule created for the Deep Learning Engine is triggered. The value is fixed as block, which indicates that the request is blocked. For more information, see Description of the action field.
deeplearning_rule_id	The ID of the rule that is triggered. The rule is created for the Deep Learning Engine.
deeplearning_rule_type	The type of the rule that is triggered. The rule is created for the Deep Learning Engine. Valid values: xss: indicates a rule that defends against cross-site scripting (XSS) attacks. code_exec: indicates a rule that defends against specific attacks. The attacks exploit code execution vulnerabilities. webshell: indicates a rule that defends against webshell uploads. sqli: indicates a rule that defends against SQL injection. lfilei: indicates a rule that defends against local file inclusion. rfilei: indicates a rule that defends against remote file inclusion. crlf: indicates a rule that defends against carriage return line feed (CRLF) injection. other: indicates other protection rules.
deeplearning_test	The protection mode that is used for the client request after a rule created for the Deep Learning Engine is triggered. Valid values: true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed. false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
dlp_rule_id	The ID of the rule that is triggered. The rule is created for the data leakage prevention feature.
dlp_test	The protection mode that is used for the client request after a rule created for the data leakage prevention feature is triggered. Valid values: true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed. false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
final_rule_type	The subtype of the rule that is applied to the client request. The rule is indicated by final_rule_id. For example, `final_plugin:waf` supports `final_rule_type:sqli` and `final_rule_type:xss`.
final_rule_id	The ID of the rule that is applied to the client request. The rule defines the action recorded in the final_action field.
final_action	The action that WAF performs on the client request. Valid values: block, captcha_strict, captcha, and js. For more information, see Description of the action field. If a request does not trigger a protection feature, the field is not recorded. For example, if a request matches a rule that allows the request or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded. If a request triggers multiple protection features at the same time, the field is recorded, and the field includes only the action that is performed. The following actions are listed in descending order of priority: block (block), captcha_strict (strict slider CAPTCHA verification), captcha (common slider CAPTCHA verification), andjs (JavaScript verification).
final_plugin	The protection feature that performs the action specified by final_action on the client request. Valid values: waf: indicates the Protection Rules Engine. deeplearning: indicates the Deep Learning Engine. dlp: indicates the data leakage prevention feature. account: indicates the account security feature. normalized: indicates the positive security model feature. acl: indicates the blacklist or ACL feature. cc: indicates the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature. antiscan: indicates the scan protection feature. scene: indicates the scenario-specific configuration feature. antifraud: indicates the data risk control feature. intelligence: indicates the bot threat intelligence feature. algorithm: indicates the typical bot behavior identification feature. wxbb: indicates the app protection feature. If a request does not trigger a protection feature, the field is not recorded. For example, if a request matches a rule that allows the request or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded. If a request triggers multiple protection features at the same time, the field is recorded, and the field includes only the protection feature that performs the action specified by final_action.
host	The Host field of the request header. This field contains the domain name or IP address to access. The value of this field varies based on your service settings.
http_cookie	The Cookie field of the request header. This field contains the cookie information about the client.
http_referer	The Referer field of the request header. This field contains the source URL information about the request. If the request does not contain source URL information, the value of this field is a hyphen (-).
http_user_agent	The User-Agent field of the request header. This field contains information such as the identifier of the client browser or operating system.
http_x_forwarded_for	The X-Forwarded-For (XFF) field of the request header. This field is used to identify the actual IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing device.
https	Indicates whether the request is an HTTPS request. Valid values: true: The request is an HTTPS request. false: The request is an HTTP request.
matched_host	The domain name of the origin server that is matched by WAF for the request. A wildcard domain name may be matched. If no domain names are matched, the value of this field is a hyphen (-). If the value is default, the traffic generated after the domain name is added to WAF in transparent proxy mode hits the default protection policies that are provided by WAF.
normalized_action	The action that is performed on the client request after a rule created for the positive security model feature is triggered. Valid values: block and continue. For more information, see Description of the action field.
normalized_rule_id	The ID of the rule that is triggered. The rule is created for the positive security model feature.
normalized_rule_type	The type of the rule that is triggered. The rule is created for the positive security model feature. Valid values: User-Agent: indicates a User-Agent-based baseline rule. If the User-Agent field of a request header does not conform to the baseline, an attack may occur. This description applies to other rule types. Referer: indicates a Referer-based baseline rule. URL: indicates a URL-based baseline rule. Cookie: indicates a cookie-based baseline rule. Bod: indicates a request body-based baseline rule.
normalized_test	The protection mode that is used for the client request after a rule created for the positive security model feature is triggered. Valid values: true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed. false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
querystring	The query string in the client request. The query string refers to the part that follows the question mark (?) in the requested URL.
real_client_ip	The actual IP address of the client that initiates the request. WAF identifies the actual IP address based on the analysis of the request. If WAF cannot identify the actual IP address of the client, the value of this field is a hyphen (-). For example, if a proxy server is used or the IP field in the request header is invalid, WAF cannot identify the actual IP address of the client.
region	The ID of the region where the WAF instance resides. Valid values: cn: Chinese mainland int: outside the Chinese mainland
remote_addr	The IP address that is used to connect to WAF. If WAF is directly connected to a client, this field records the actual IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN (CDN), is deployed in front of WAF, this field records the IP address of the proxy.
remote_port	The port that is used to connect to WAF. If WAF is directly connected to a client, this field records the port of the client. If a Layer 7 proxy, such as CDN, is deployed in front of WAF, this field records the port of the proxy.
request_length	The number of bytes in the client request. The request includes the request line, request headers, and request body. Unit: bytes.
request_method	The request method.
request_path	The requested relative path. The relative path refers to the part between the domain name and the question mark (?) in the requested URL. The relative path does not include the query string.
request_time_msec	The time that is taken by WAF to process the client request. Unit: milliseconds.
request_traceid	The unique identifier that is generated by WAF for the client request.
scene_action	The action that is performed on the client request after a rule created for scenario-specific configuration is triggered. Valid values: block, captcha, js, captcha_pass, and js_pass. For more information, see Description of the action field.
scene_id	The scenario ID of the rule that is triggered. The rule is created for scenario-specific configuration.
scene_rule_id	The ID of the rule that is triggered. The rule is created for scenario-specific configuration.
scene_rule_type	The type of the rule that is triggered. The rule is created for scenario-specific configuration. Valid values: bot_aialgo: indicates an intelligent protection rule. js: indicates a rule that blocks script-based bots. intelligence: indicates a rule that blocks attacks based on bot threat intelligence or data center blacklists. sdk: indicates a rule that checks for abnormal signatures of SDK-integrated apps and abnormal device behaviors. cc: indicates an IP address-based throttling rule or a custom session-based throttling rule.
scene_test	The protection mode that is used for the client request after a rule created for scenario-specific configuration is triggered. Valid values: true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed. false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
server_port	The requested destination port.
server_protocol	The protocol and version that is used by the origin server to respond to the request forwarded by WAF.
ssl_cipher	The cipher suite that is used in the client request.
ssl_protocol	The SSL or TLS protocol and version that are used in the client request.
status	The HTTP status code that is returned by WAF to the client.
time	The point in time at which the client request is initiated.
ua_browser	The name of the browser that initiates the request.
ua_browser_family	The family to which the browser belongs.
ua_browser_type	The type of the browser that initiates the request.
ua_browser_version	The version of the browser that initiates the request.
ua_device_type	The device type of the client that initiates the request.
ua_os	The operating system of the client that initiates the request.
ua_os_family	The family to which the operating system of the client belongs.
upstream_addr	The back-to-origin addresses used by WAF. Each address is in the IP:Port format. Multiple addresses are separated by commas (,).
upstream_response_time	The time that is taken by the origin server to respond to the request. The request is forwarded by WAF. Unit: seconds. If a hyphen (-) is returned, the response timed out.
upstream_status	The status code that is returned by the origin server to WAF. If a hyphen (-) is returned, the request is not responded. For example, the request is blocked by WAF.
user_id	The ID of the Alibaba Cloud account to which the WAF instance belongs.
waf_action	The action that is performed on the client request after a rule created for the Protection Rules Engine is triggered. The value is fixed as block, which indicates that the request is blocked. For more information, see Description of the action field.
waf_test	The protection mode that is used for the client request after a rule created for the Protection Rules Engine is triggered. Valid values: true: indicates the observation mode. In this mode, logs are recorded. However, protection actions, such as block, are not performed. false: indicates the prevention mode. In this mode, WAF performs protection actions, such as block, on the request that matches the protection rule.
waf_rule_id	The ID of the rule that is triggered. The rule is created for the Protection Rules Engine.
waf_rule_type	The type of the rule that is triggered. The rule is created for the Protection Rules Engine. Valid values: xss: indicates a rule that defends against XSS attacks. code_exec: indicates a rule that defends against specific attacks. The attacks exploit code execution vulnerabilities. webshell: indicates a rule that defends against webshell uploads. sqli: indicates a rule that defends against SQL injection. lfilei: indicates a rule that defends against local file inclusion. rfilei: indicates a rule that defends against remote file inclusion. crlf: indicates a rule that defends against CRLF injection. other: indicates other protection rules.