This topic describes the log fields that are supported by Web Application Firewall (WAF).
Table for field retrieval
The following table describes the log fields that are supported by WAF. You can use the names of fields to retrieve the fields that you want to view.
Initial | Field |
a |
|
b |
|
c |
|
d |
|
f | Fields related to final actions: final_action | final_plugin | final_rule_id | final_rule_type |
h |
|
i | Fields related to bot threat intelligence: intelligence_action | intelligence_rule_id | intelligence_test |
m | Field used to record the matched domain names that are added to WAF: matched_host |
n | Fields related to positive security models: normalized_action | normalized_rule_id | normalized_rule_type | normalized_test |
q | Field used to record query strings: querystring |
r |
|
s |
|
t | Field used to record the time when requests were initiated: time |
u |
|
w |
|
Required fields
Required fields refer to the fields that must be included in WAF logs.
Field | Description | Example |
acl_rule_type | The type of the matched rule. The rule is created for the IP address blacklist or custom protection policy (ACL policy) module. Valid values:
| custom |
bypass_matched_ids | The ID of the matched rule that allows the client request. The rule is created for the whitelist or custom protection policy module. If multiple rules that allow the request are matched at a time, this field records the IDs of all the rules. Multiple IDs are separated with commas (,). | 283531 |
cc_rule_type | The type of the matched rule. The rule is created for the HTTP flood protection or custom protection policy (HTTP flood protection policy) module. Valid values:
| custom |
content_type | The type of the request content. | application/x-www-form-urlencoded |
dst_port | The destination port. | 443 |
final_action | The final action that is performed by WAF on the request. Valid values:
For more information about WAF protection actions, see the Description of the action field in this topic. If a request does not trigger a protection module, this field is not recorded. For example, if a request matches a rule that allows the request or a request is allowed after the client passes CAPTCHA verification or JavaScript validation, this field is not recorded. If a request triggers multiple protection modules at a time, this field is recorded and includes only the final action that is performed. The following actions are listed in descending order of priority: block (block), strict slider CAPTCHA verification (captcha_strict), common slider CAPTCHA verification (captcha), dynamic token authentication (sigchl), and JavaScript validation (js). | block |
final_plugin | The protection module based on which the final action is performed on the request. The final_action field records the final action that is performed. Valid values:
To configure the preceding protection modules, log on to the WAF console and choose in the left-side navigation pane. For more information about the protection modules of WAF, see Overview. If a request does not trigger a protection module, this field is not recorded. For example, if a request matches a rule that allows the request or a request is allowed after the client passes CAPTCHA verification or JavaScript validation, this field is not recorded. If a request triggers multiple protection modules at a time, this field is recorded and includes only the final action that is performed. The final_action field records the final action that is performed. | waf |
final_rule_id | The ID of the rule based on which the final action is performed. The final_action field records the final action that is performed. | 115341 |
final_rule_type | The subtype of the rule based on which the final action is performed. The final_rule_id field records the rule. For example, | xss/webshell |
host | The Host field in the request header that contains the requested domain name or IP address. | api.example.com |
http_cookie | The Cookie field in the request header that contains the cookie information of the client. | k1=v1;k2=v2 |
http_referer | The Referer field in the request header that contains information about the source URL of the request. If the request does not contain the source URL information, the value of this field is displayed as a hyphen ( | http://example.com |
http_user_agent | The User-Agent field in the request header that contains information about the browser and the operating system. | Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002) |
http_x_forwarded_for | The X-Forwarded-For (XFF) field in the request header. This field is used to identify the originating IP address of the client that is connected to the web server by using an HTTP proxy or a load balancer. | 47.100.XX.XX |
https | Indicates whether the request is an HTTPS request.
| on |
matched_host | The matched domain name that is added to WAF. Note The domain name can be an exact-match domain name or a wildcard domain name. For example, if the *.aliyun.com domain name is added to WAF and www.aliyun.com is requested, the *.aliyun.com domain name may be matched. | *.aliyun.com |
real_client_ip | The originating IP address of the client that sends the request. WAF analyzes the request to identify the IP address. If WAF cannot identify the originating IP address of the client, the value of this field is displayed as a hyphen ( | 192.0.XX.XX |
request_length | The number of bytes in the request, including the bytes in the request line, request header, and request body. Unit: bytes. | 111111 |
request_method | The request method. | GET |
request_time_msec | The amount of time that WAF takes to process the request. Unit: milliseconds. | 44 |
request_traceid | The unique identifier that WAF generates for the client request. | 7837b11715410386943437009ea1f0 |
request_uri | The request path and request parameters. | /news/search.php?id=1 |
server_protocol | The protocol used for connections between the client and WAF. | HTTP/1.1 |
status | The HTTP status code that is included in the response from WAF to the client. Example: 200, which indicates that the request is received and accepted. | 200 |
src_port | The port that is used to connect to WAF. If no Layer 7 proxies are deployed in front of WAF, this field records the port of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the port of the Layer 7 proxy. | 80 |
src_ip | The IP address that is used to connect to WAF. If no Layer 7 proxies are deployed in front of WAF, this field records the IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the IP address of the Layer 7 proxy. | 198.51.XX.XX |
start_time | The time when the request was sent. Unit: seconds. | 1696534058 |
time | The time when the request was sent. The time follows the ISO 8601 standard in the | 2018-05-02T16:03:59+08:00 |
upstream_addr | The IP address and port of the origin server. The format is | 198.51.XX.XX:443 |
upstream_response_time | The total amount of time required for the origin server to respond to the request forwarded by WAF and for WAF to forward the response to the client. Unit: seconds. | 0.044 |
upstream_status | The HTTP status code that is sent by the origin server in response to the request forwarded by WAF. Example: 200, which indicates that the request is received and accepted. | 200 |
Optional fields
You can include optional fields in WAF logs based on your business requirements. WAF logs record only the optional fields that you enable.
If you enable optional fields, WAF logs occupy more storage space. If you have sufficient log storage capacity, we recommend that you enable additional optional fields. This way, you can perform log analysis in a more comprehensive manner. For more information about how to configure optional fields, see Modify log settings.
Field | Description | Example |
account_action | The action that is performed on the client request based on an account security rule. This field is fixed as block, which indicates that the request is blocked. For more information about WAF protection actions, see the Description of the action field in this topic. | block |
account_rule_id | The ID of the matched account security rule. | 151235 |
account_test | The protection mode that is used for the client request based on a account security rule. Valid values:
| false |
acl_action | The action that is performed on the client request based on a rule created for the IP address blacklist or custom protection policy (ACL policy) module. Valid values:
For more information about WAF protection actions, see the Description of the action field in this topic. | block |
acl_rule_id | The ID of the matched rule. The rule is created for the IP address blacklist or custom protection policy (ACL policy) module. | 151235 |
acl_test | The protection mode that is used for the client request based on a rule created for the IP address blacklist or custom protection policy (ACL policy) module. Valid values:
| false |
algorithm_action | The action that is performed on the client request based on a rule created for the typical bot behavior identification module. Valid values:
For more information about WAF protection actions, see the Description of the action field in this topic. | block |
algorithm_rule_id | The ID of the matched rule. The rule is created for the typical bot behavior identification module. | 151235 |
algorithm_test | The protection mode that is used for the client request based on a rule created for the typical bot behavior identification module. Valid values:
| false |
antifraud_action | The action that is performed on the client request based on a rule created for the data risk control module. Valid values:
For more information about WAF protection actions, see the Description of the action field in this topic. | block |
antifraud_test | The protection mode that is used for the client request based on a rule created for the data risk control module. Valid values:
| false |
antiscan_action | The action that is performed on the client request based on a rule created for the scan protection module. This field is fixed as block, which indicates that the request is blocked. For more information about WAF protection actions, see the Description of the action field in this topic. | block |
antiscan_rule_id | The ID of the matched rule. The rule is created for the scan protection module. | 151235 |
antiscan_rule_type | The type of the matched rule. The rule is created for the scan protection module. Valid values:
| highfreq |
antiscan_test | The protection mode that is used for the client request based on a rule created for the scan protection module. Valid values:
| false |
block_action | Important This field is no longer valid due to WAF upgrades. This field is replaced with the final_plugin field. If the block_action field is used in your services, replace the field with the final_plugin field at the earliest opportunity. The WAF protection module that is triggered to block the request. Valid values:
| waf |
body_bytes_sent | The number of bytes returned to the client from the server, excluding the number of bytes in the response header. Unit: bytes. | 1111 |
cc_action | The action that is performed on the client request based on a rule created for the HTTP flood protection or custom protection policy (HTTP flood protection policy) module. Valid values:
For more information about WAF protection actions, see the Description of the action field in this topic. | block |
cc_rule_id | The ID of the matched rule. The rule is created for the HTTP flood protection or custom protection policy (HTTP flood protection policy) module. | 151234 |
cc_test | The protection mode that is used for the client request based on a rule created for the HTTP flood protection or custom protection policy (HTTP flood protection policy) module. Valid values:
| false |
deeplearning_action | The action that is performed on the client request based on a rule created for the deep learning engine module. This field is fixed as block, which indicates that the request is blocked. For more information about WAF protection actions, see the Description of the action field in this topic. | block |
deeplearning_rule_id | The ID of the matched rule. The rule is created for the deep learning engine module. | 151238 |
deeplearning_rule_type | The type of the matched rule. The rule is created for the deep learning engine module. Valid values:
| xss |
deeplearning_test | The protection mode that is used for the client request based on a rule created for the deep learning engine module. Valid values:
| false |
dlp_action | The action that is performed on the client request based on a rule created for the data leakage prevention module. Valid values:
For more information about WAF protection actions, see the Description of the action field in this topic. | mask |
dlp_rule_id | The ID of the matched rule. The rule is created for the data leakage prevention module. | 151245 |
dlp_test | The protection mode that is used for the client request based on a rule created for the data leakage prevention module. Valid values:
| false |
intelligence_action | The action that is performed on the client request based on a rule created for the bot threat intelligence module. Valid values:
For more information about WAF protection actions, see the Description of the action field in this topic. | block |
intelligence_rule_id | The ID of the matched rule. The rule is created for the bot threat intelligence module. | 152234 |
intelligence_test | The protection mode that is used for the client request based on a rule created for the bot threat intelligence module. Valid values:
| false |
normalized_action | The action that is performed on the client request based on a rule created for the positive security model module. Valid values:
For more information about WAF protection actions, see the Description of the action field in this topic. | block |
normalized_rule_id | The ID of the matched rule. The rule is created for the positive security model module. | 151266 |
normalized_rule_type | The type of the matched rule. The rule is created for the positive security model module. Valid values:
| User-Agent |
normalized_test | The action that is performed on the client request based on a rule created for the positive security model module. Valid values:
| false |
querystring | The query string in the request. The query string follows a question mark (?) in the request URL. | title=tm_content%3Darticle&pid=123 |
region | The region where the WAF instance resides. Valid values:
| cn |
remote_addr | The IP address that is used to connect to WAF. If no Layer 7 proxies are deployed in front of WAF, this field records the IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the IP address of the Layer 7 proxy. | 198.51.XX.XX |
remote_port | The port that is used to connect to WAF. If no Layer 7 proxies are deployed in front of WAF, this field records the port of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the port of the Layer 7 proxy. | 80 |
request_body | The request body. | i am the request body, encrypted or not! |
request_path | The relative path that is requested. The relative path is the part between the domain name and the question mark (?) in the request URL. The relative path does not include the query string. | /news/search.php |
scene_action | The action that is performed on the client request based on a rule created for the scenario-specific configuration module. Valid values:
For more information about WAF protection actions, see the Description of the action field in this topic. | block |
scene_id | The scenario ID of the matched rule. The rule is created for the scenario-specific configuration module. | 151235 |
scene_rule_id | The ID of the matched rule. The rule is created for the scenario-specific configuration module. | 153678 |
scene_rule_type | The type of the matched rule. The rule is created for the scenario-specific configuration module. Valid values:
| bot_aialgo |
sigchl_invalid_type | The reason why the request is considered abnormal based on a dynamic token authentication rule. Valid values:
| sigchl_invalid_sig |
scene_test | The action that is performed on the client request based on a rule created for the scenario-specific configuration module. Valid values:
| false |
server_port | The WAF port that is requested. | 443 |
ssl_cipher | The cipher suite that is used by the client. | ECDHE-RSA-AES128-GCM-SHA256 |
ssl_protocol | The SSL or TLS protocol version that is used by the client. | TLSv1.2 |
ua_browser | The name of the browser that initiates the request. Important Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic. | ie9 |
ua_browser_family | The family to which the browser belongs. Important Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic. | internet explorer |
ua_browser_type | The type of the browser that initiates the request. Important Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic. | web_browser |
ua_browser_version | The version of the browser that initiates the request. Important Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic. | 9.0 |
ua_device_type | The device type of the client that initiates the request. Important Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic. | computer |
ua_os | The operating system of the client that initiates the request. Important Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic. | windows_7 |
ua_os_family | The family to which the operating system of the client belongs. Important Starting December 15, 2021, this field is no longer included in WAF logs even if you enable this field in your log settings. To obtain information about the User-Agent field in the request header, we recommend that you enable the http_user_agent required field. For more information, see the description of the http_user_agent field in this topic. | windows |
user_id | The ID of the Alibaba Cloud account to which the WAF instance belongs. | 17045741******** |
waf_action | The action that is performed on the client request based on a rule created for the protection rules engine module. This field is fixed as block, which indicates that the request is blocked. For more information about WAF protection actions, see the Description of the action field in this topic. | block |
waf_rule_id | The ID of the matched rule. The rule is created for the protection rules engine module. | 113406 |
waf_rule_type | The type of the matched rule. The rule is created for the protection rules engine module. Valid values:
| xss |
waf_test | The protection mode that is used for the client request based on a rule created for the protection rules engine module. Valid values:
| false |
wxbb_action | The action that is performed on the client request based on a rule created for the app protection module. Valid values:
For more information about WAF protection actions, see the Description of the action field in this topic. | block |
wxbb_invalid_wua | The reason why the request is considered abnormal based on a rule created for the app protection module. Valid values:
| wxbb_invalid_sign |
wxbb_rule_id | The ID of the matched rule. The rule is created for the app protection module. | 156789 |
wxbb_test | The protection mode that is used for the client request based on a rule created for the app protection module. Valid values:
| false |