
Web Application Firewall:Log fields

Last Updated:Dec 24, 2024

This topic describes the fields that are included in Web Application Firewall (WAF) logs.

Table for field retrieval

The following index lists the log fields that are supported by WAF, grouped by the initial letter of the field name. You can retrieve log entries by using these field names.

Initial

Field

b

  • Field used to record the number of bytes that are returned to the client from the server: body_bytes_sent

    Important

    The body_bytes_sent field is not supported for custom domain names bound to web applications in Function Compute.

  • Field used to record the IDs of the rules that allow requests: bypass_matched_ids

d

  • Fields related to data leakage prevention: dlp_action | dlp_rule_id | dlp_test

  • Field used to record the destination port of the request: dst_port

    Important

    The dst_port field is not supported for custom domain names bound to web applications in Function Compute.

f

  • Fields related to the final actions that are performed by WAF on requests: final_action | final_plugin | final_rule_id | final_rule_type

q

  • Field used to record the query string: querystring

t

  • Field used to record the time when requests are sent: time

u

  • Fields related to responses to back-to-origin requests: upstream_addr | upstream_response_time | upstream_status

    Important

    The upstream_addr field is not supported for custom domain names bound to web applications in Function Compute.

  • Field used to record the ID of the Alibaba Cloud account: user_id

Required fields

Required fields refer to fields that must be included in WAF logs.

Field

Description

Example

bypass_matched_ids

The ID of the matched rule that allows the request. The rule can be a whitelist rule or a custom protection rule.

If multiple rules that allow the request are matched at a time, this field records the IDs of all the rules. Multiple IDs are separated with commas (,).

283531

content_type

The type of the requested content.

application/x-www-form-urlencoded

dst_port

The destination port that is requested.

Important

This field is not supported for custom domain names bound to web applications in Function Compute.

443

final_action

The final action that is performed by WAF on the request. Valid values:

  • block: The request is blocked.

  • captcha_strict: Strict slider CAPTCHA verification is performed.

  • captcha: Common slider CAPTCHA verification is performed.

  • sigchl: Dynamic token authentication is performed.

  • js: JavaScript validation is performed.

For more information about WAF protection actions, see Description of the *_action field.

If a request does not trigger a protection module, this field is not recorded. For example, if a request matches a rule that allows the request or a request is allowed after the client passes CAPTCHA verification or JavaScript validation, this field is not recorded.

If a request triggers multiple protection modules at a time, this field records only the final action that is performed. The actions are ranked in the following descending order of priority: block, captcha_strict, captcha, js. A blocking action therefore always takes precedence over a CAPTCHA or JavaScript challenge.

block

final_plugin

The protection module based on which the final action is performed on the request. The final_action field records the final action that is performed. Valid values:

  • waf: the core protection rule module

  • acl: the IP address blacklist module or custom (access control) rule module

  • cc: the HTTP flood protection module or a custom (HTTP flood protection) rule module

  • antiscan: the scan protection module

  • dlp: the data leakage prevention module

  • scene: the scenario-specific configuration module (supported for apps)

  • intelligence: the bot threat intelligence module

  • wxbb: the app protection module

  • sema: the semantic-based protection module

  • scc_gdrl: the rate limiting module

  • major_protection: the major event protection module

  • compliance: the protocol compliance module

If a request does not trigger a protection module, this field is not recorded. For example, if a request matches a rule that allows the request or a request is allowed after the client passes CAPTCHA verification or JavaScript validation, this field is not recorded.

If a request triggers multiple protection modules at a time, this field records only the protection module based on which the final action is performed. The final_action field records the final action that is performed.

waf

final_rule_id

The ID of the rule based on which the final action is performed. The final_action field records the final action that is performed.

115341

final_rule_type

The subtype of the rule based on which the final action is performed. The final_rule_id field records the rule.

For example, final_plugin:waf supports final_rule_type:sqli and final_rule_type:xss.

xss/webShell

host

The Host field in the request header that contains the requested domain name or IP address. The value of this field varies based on the service settings.

api.example.com

http_referer

The Referer field in the request header that contains information about the source URL of the request.

If the request does not contain the source URL information, the value of this field is displayed as a hyphen (-).

http://example.com

http_user_agent

The User-Agent field in the request header that contains information about the browser and the operating system.

Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002)

http_x_forwarded_for

The X-Forwarded-For (XFF) field in the request header, which is used to identify the originating IP address of a client that reaches the web server through an HTTP proxy or a load balancer. The header is set by whatever sends the request to WAF, so a client that is not behind a trusted proxy can put any value in it. Do not treat it as authoritative on its own; compare it with real_client_ip, which records the address that WAF itself identified.

47.100.XX.XX

https

Indicates whether the request is an HTTPS request.

  • The value on indicates that the request is an HTTPS request.

  • If the field is empty, the request is an HTTP request.

on

matched_host

The protected object that is requested. The protected object can be an instance or a domain name.

Note

The domain name can be an exact-match domain name or a wildcard domain name. For example, if the *.aliyundoc.com domain name is added to WAF and www.aliyundoc.com is requested, the *.aliyundoc.com domain name is the protected object that is requested.

*.aliyundoc.com

request_uri

The path and parameters that are requested.

/news/search.php?id=1

real_client_ip

The originating IP address of the client that sends the request. WAF analyzes the request to identify the IP address.

If WAF cannot identify the originating IP address of the client, for example because a proxy server is used or the IP address in the request header is invalid, the value of this field is displayed as a hyphen (-).

192.0.XX.XX

region

The ID of the region in which the WAF instance is deployed. Valid values:

  • cn: The WAF instance resides in the Chinese mainland.

  • int: The WAF instance resides outside the Chinese mainland.

cn

src_port

The port that is connected to WAF.

If no Layer 7 proxies are deployed in front of WAF, this field records the port of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the port of the Layer 7 proxy.

80

src_ip

The IP address that is connected to WAF.

If no Layer 7 proxies are deployed in front of WAF, this field records the IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the IP address of the Layer 7 proxy.

198.51.XX.XX

start_time

The time when the request is initiated, as a UNIX timestamp. Unit: seconds.

1696534058

request_length

The number of bytes in the request, including the bytes in the request line, request header, and request body. Unit: bytes.

111111

request_method

The request method.

GET

request_time_msec

The amount of time that WAF takes to process the request. Unit: milliseconds.

44

request_traceid

The unique identifier that WAF generates for the client request.

7837b11715410386943437009ea1f0

request_traceid_origin 

The original ID of the request.

7ce319151*****18890e

remote_region_id

The ID of the province to which the IP address belongs.

410000

server_protocol

The protocol used for connections between the client and WAF.

Important

This field is not supported for custom domain names bound to web applications in Function Compute.

HTTP/1.1

ssl_cipher

The cipher suite that is negotiated for the TLS connection between the client and WAF.

ECDHE-RSA-AES128-GCM-SHA256

ssl_protocol

The SSL or TLS protocol version that is negotiated for the connection between the client and WAF.

TLSv1.2

status

The HTTP status code in the response that WAF returns to the client. Example: 200, which indicates that the request was received and processed successfully. When WAF blocks a request, this field records the 405 that WAF returns to the client, whereas upstream_status records the code that the origin server returned.

200

time

The time when the request was sent, in the ISO 8601 format yyyy-MM-ddTHH:mm:ss+08:00. The +08:00 suffix is the UTC offset, so the value is expressed in UTC+8, not in UTC. The start_time field records the request time as a UNIX timestamp in seconds.

2018-05-02T16:03:59+08:00

upstream_addr

The IP address and port of the origin server. The format is IP:Port. Multiple pairs of IP addresses and port numbers are separated with commas (,).

Important

This field is not supported for custom domain names bound to web applications in Function Compute.

198.51.XX.XX:443

upstream_response_time

The amount of time that the origin server takes to respond to the request forwarded by WAF. Unit: seconds.

0.044

upstream_status

The HTTP status code that is sent by the origin server in response to the request forwarded by WAF. Example: 200, which indicates that the request is received and accepted.

200

user_id

The ID of the Alibaba Cloud account to which the WAF instance belongs.

17045741********
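The required fields above are enough to reduce each log record to a disposition and a few operational facts. The following Python is an added example, not code from this page or from Alibaba Cloud. It runs over constructed records that use the field names above: it trusts final_action when present, otherwise falls back to the per-module <module>_action and <module>_test fields, and reports a module hit with <module>_test set to true as monitor-only. Whether final_action is recorded for a monitoring-mode hit is not stated in the reference, so the monitoring-mode record assumes it is not; the record contents and the function names are assumptions of the example.

```python
"""Reduce WAF log records to a disposition plus timing and client-IP facts.

Added example, not code from the WAF documentation or from Alibaba Cloud.
Field names follow the reference above; the records below are constructed.
"""
from datetime import datetime

# Actions that challenge the client instead of blocking outright (see final_action).
CHALLENGE_ACTIONS = {"captcha_strict", "captcha", "js", "sigchl"}
# Actions a module records once the client has already passed its challenge.
PASS_ACTIONS = {"captcha_strict_pass", "captcha_pass", "js_pass"}
# Module prefixes that emit <module>_action and <module>_test fields.
MODULES = ("waf", "acl", "cc", "antiscan", "dlp", "scene",
           "major_protection", "compliance", "sema")

# Constructed sample records (not real WAF output). An empty string stands for a
# field the reference says is not recorded for that request.
SAMPLE_RECORDS = [
    {   # SQL injection blocked by a core protection rule in prevention mode
        "time": "2018-05-02T16:03:59+08:00", "start_time": "1525248239",
        "real_client_ip": "192.0.2.10", "src_ip": "198.51.100.7",
        "final_action": "block", "final_plugin": "waf", "final_rule_id": "115341",
        "waf_action": "block", "waf_rule_id": "115341", "waf_rule_type": "sqli",
        "waf_test": "false", "status": "405",
        "request_time_msec": "3", "upstream_response_time": "",
    },
    {   # Same rule hit in monitoring mode: logged, but the request reached the origin.
        # Assumption: final_action is not recorded for a monitoring-mode hit.
        "time": "2018-05-02T16:04:10+08:00", "start_time": "1525248250",
        "real_client_ip": "192.0.2.10", "src_ip": "198.51.100.7",
        "final_action": "", "waf_action": "block", "waf_rule_id": "115341",
        "waf_rule_type": "sqli", "waf_test": "true", "status": "200",
        "request_time_msec": "44", "upstream_response_time": "0.040",
    },
    {   # Allowed by two whitelist/custom rules; WAF could not identify the client IP
        "time": "2018-05-02T16:05:00+08:00", "start_time": "1525248300",
        "real_client_ip": "-", "src_ip": "203.0.113.9",
        "bypass_matched_ids": "283531,283532", "final_action": "", "status": "200",
        "request_time_msec": "12", "upstream_response_time": "0.011",
    },
    {   # Custom throttling rule issued a JavaScript challenge
        "time": "2018-05-02T16:06:30+08:00", "start_time": "1525248390",
        "real_client_ip": "192.0.2.44", "src_ip": "192.0.2.44",
        "final_action": "js", "final_plugin": "cc", "final_rule_id": "151234",
        "cc_action": "js", "cc_rule_id": "151234", "cc_test": "false",
        "status": "200", "request_time_msec": "2", "upstream_response_time": "",
    },
    {   # Same client after passing the challenge: cc records js_pass, no final_action
        "time": "2018-05-02T16:06:33+08:00", "start_time": "1525248393",
        "real_client_ip": "192.0.2.44", "src_ip": "192.0.2.44",
        "final_action": "", "cc_action": "js_pass", "cc_rule_id": "151234",
        "cc_test": "false", "status": "200",
        "request_time_msec": "50", "upstream_response_time": "0.047",
    },
]


def module_hits(rec):
    """Yield (module, action, monitoring) for each module that recorded an action."""
    for mod in MODULES:
        action = rec.get(f"{mod}_action", "")
        if action:
            yield mod, action, rec.get(f"{mod}_test", "false") == "true"


def disposition(rec):
    """allowed_by_rule | blocked | challenged | passed_challenge | monitor_only | passed."""
    if rec.get("bypass_matched_ids"):
        return "allowed_by_rule"
    final = rec.get("final_action", "")
    if final == "block":
        return "blocked"
    if final in CHALLENGE_ACTIONS:
        return "challenged"
    hits = list(module_hits(rec))  # no final_action: the request went through; say why
    if any(action in PASS_ACTIONS for _, action, _ in hits):
        return "passed_challenge"
    if any(monitoring for _, _, monitoring in hits):
        return "monitor_only"
    return "passed"


def allow_rule_ids(rec):
    """bypass_matched_ids is comma-separated; return the rule IDs as ints."""
    return [int(x) for x in rec.get("bypass_matched_ids", "").split(",") if x]


def client_ip(rec):
    """Prefer the address WAF identified; fall back to the peer address when it is '-'."""
    real = rec.get("real_client_ip", "-")
    if real and real != "-":
        return real, "real_client_ip"
    return rec.get("src_ip", ""), "src_ip"


def waf_overhead_ms(rec):
    """request_time_msec (ms) minus upstream_response_time (s); None if origin never called."""
    upstream = rec.get("upstream_response_time", "")
    if not upstream:
        return None
    return round(float(rec["request_time_msec"]) - float(upstream) * 1000.0, 3)


def iso_to_epoch(iso_time):
    """Convert the ISO 8601 time value (+08:00 offset) to UNIX seconds as in start_time."""
    return int(datetime.fromisoformat(iso_time).timestamp())


def summarize(records):
    """Count dispositions and list start_time values that disagree with the time field."""
    counts, skew = {}, []
    for rec in records:
        counts[disposition(rec)] = counts.get(disposition(rec), 0) + 1
        if iso_to_epoch(rec["time"]) != int(rec["start_time"]):
            skew.append(rec["start_time"])
    return counts, skew


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        ip, src = client_ip(rec)
        print(f"{rec['time']} {ip:<12} via {src:<14} {disposition(rec):<16} "
              f"status={rec['status']} overhead_ms={waf_overhead_ms(rec)}")
    print(summarize(SAMPLE_RECORDS))
```

iso_to_epoch converts the +08:00 time value to the UNIX seconds that start_time carries, which is a cheap consistency check when logs pass through a pipeline that rewrites timestamps. waf_overhead_ms subtracts upstream_response_time (seconds) from request_time_msec (milliseconds), so mind the differing units; it returns None for requests that WAF never forwarded to the origin.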

Optional fields

You can enable optional fields in WAF logs based on your business requirements. WAF logs record only the optional fields that you enable.

Enabling optional fields increases the storage space that WAF logs occupy. If you have sufficient log storage capacity, we recommend that you enable additional optional fields so that you can analyze logs in more detail. Note that fields such as request_body, request_headers_all, response_header, response_set_cookie and response_info capture raw request and response content, including cookies, so the log store that receives them holds credentials and other sensitive data and must be protected accordingly. For more information about how to configure optional fields, see Log fields.

Field

Description

Example

acl_action

The action that is performed on the request based on an IP address blacklist rule or custom (access control) rule. Valid values:

  • block: The request is blocked.

  • captcha_strict: Strict slider CAPTCHA verification is performed.

  • captcha: Common slider CAPTCHA verification is performed.

  • js: JavaScript validation is performed.

  • captcha_strict_pass: The client passes strict slider CAPTCHA verification, and WAF allows the request from the client.

  • captcha_pass: The client passes common slider CAPTCHA verification, and WAF allows the request from the client.

  • js_pass: The client passes JavaScript validation, and WAF allows the request from the client.

For more information about WAF protection actions, see Description of the *_action field.

block

acl_rule_id

The ID of the IP address blacklist rule or custom (access control) rule that is matched.

151235

acl_rule_type

The type of the IP address blacklist rule or custom (access control) rule that is matched. Valid values:

  • custom: A custom (access control) rule is matched.

  • blacklist: An IP address blacklist rule is matched.

  • scene/basic: A basic protection rule of the bot management feature is matched.

  • region_block: A region blacklist rule is matched.

  • scene/appsdk_custom: An app protection rule of the bot management feature is matched.

custom

acl_test

The protection mode that is used for the request based on an IP address blacklist rule or custom (access control) rule. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

false

antiscan_action

The action that is performed on the request based on a scan protection rule. The value of this field is fixed as block, which indicates that the request is blocked.

For more information about WAF protection actions, see Description of the *_action field.

block

antiscan_rule_id

The ID of the scan protection rule that is matched.

151235

antiscan_rule_type

The type of the scan protection rule that is matched. Valid values:

  • highfreq: a rule used to block IP addresses from which scanning attacks are frequently initiated.

  • dirscan: a rule used to defend against directory traversal attacks.

  • scantools: a rule used to block the IP addresses of scanners.

highfreq

antiscan_test

The protection mode that is used for the request based on a scan protection rule. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

false

body_bytes_sent

The number of bytes returned to the client from the server. The number of bytes in the response header is not included. Unit: bytes.

Important

This field is not supported for custom domain names bound to web applications in Function Compute.

1111

cc_action

The action that is performed on the request based on a custom (throttling) rule. Valid values:

  • block: The request is blocked.

  • captcha: Common slider CAPTCHA verification is performed.

  • js: JavaScript validation is performed.

  • captcha_pass: The client passes common slider CAPTCHA verification, and WAF allows the request from the client.

  • js_pass: The client passes JavaScript validation, and WAF allows the request from the client.

For more information about WAF protection actions, see Description of the *_action field.

block

cc_rule_id

The ID of the custom (throttling) rule that is matched.

151234

cc_rule_type

The type of the rule that is matched. Valid values:

  • custom: a custom (throttling) rule

  • system: an HTTP flood protection rule

custom

cc_test

The protection mode that is used for the request based on a custom (throttling) rule. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

false

request_body

The request body. The value can be up to 8 KB in size.

test123curl -ki https://automated-acltest02.***.top/ --resolve automated-acltest02.***.top:443:39.107.XX.XX

request_headers_all

All request headers.

{
  "Accept": "*/*",
  "Accept-Encoding": "gz**, de**te, **r",
  "Accept-Language": "zh-Hans-CN;q=1",
  "Connection": "keep-***ve",
  "Content-Length": "1**6",
  "Content-Type": "application/json",
  "Cookie": "cookie_key=***; acw_tc=0abc****opqrstuvwxyz0***7890;",
  "Host": "1.****.****.1",
  ...
}

request_header

The custom request headers. If you enable this field, you must specify the request headers. You can add up to five custom request headers. Separate multiple request headers with commas (,).

Important

This field is not supported for MSE instances or custom domain names bound to web applications in Function Compute.

{"ttt":"abcd"}

server_port

The WAF port that is requested.

Important

  • This field is selected by default.

  • This field is not supported for custom domain names bound to web applications in Function Compute.

443

waf_action

The action that is performed on the request based on a core protection rule. The value of this field is fixed as block, which indicates that the request is blocked.

For more information about WAF protection actions, see Description of the *_action field.

block

waf_rule_id

The ID of the core protection rule that is matched.

Note

The rule ID is displayed on the Core Protection Rule tab of the Security Reports page. For more information, see Core protection rule module.

113406

waf_rule_type

The type of the core protection rule that is matched. Valid values:

  • sqli: a rule used to defend against SQL injection attacks

  • xss: a rule used to defend against cross-site scripting (XSS) attacks

  • code_exec: a rule used to defend against code execution attacks

  • crlf: a rule used to defend against Carriage Return Line Feed (CRLF) injection attacks

  • lfilei: a rule used to defend against local file inclusion (LFI) attacks

  • rfilei: a rule used to defend against remote file inclusion (RFI) attacks

  • webshell: a rule used to defend against attacks that exploit webshell vulnerabilities

  • csrf: a rule used to defend against Cross-Site Request Forgery (CSRF) attacks

  • other: other rules

  • cmdi: a rule used to defend against operating system (OS) command injection attacks

  • expression_injection: a rule used to defend against expression language (EL) injection attacks

  • java_deserialization: a rule used to defend against attacks that exploit Java deserialization vulnerabilities

  • php_deserialization: a rule used to defend against attacks that exploit PHP deserialization vulnerabilities

  • ssrf: a rule used to defend against Server-Side Request Forgery (SSRF) attacks

  • path_traversal: a rule used to defend against path traversal attacks

  • protocol_violation: a rule used to defend against protocol violation attacks

  • arbitrary_file_uploading: a rule used to defend against attacks that exploit arbitrary file upload vulnerabilities

  • dot_net_deserialization: a rule used to defend against attacks that exploit .NET deserialization vulnerabilities

  • scanner_behavior: a rule used to detect and block requests that exhibit vulnerability scanner behavior

  • logic_flaw: a rule used to defend against attacks that exploit business logic vulnerabilities

  • arbitrary_file_reading: a rule used to defend against attacks that exploit arbitrary file read vulnerabilities

  • arbitrary_file_download: a rule used to defend against attacks that exploit arbitrary file download vulnerabilities

  • xxe: a rule used to defend against XML External Entity (XXE) injection attacks

xss

waf_test

The protection mode that is used for the request based on a core protection rule. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

false

major_protection_action

The action that is performed on the request based on a major event protection template. For more information about WAF protection actions, see Description of the *_action field.

block

major_protection_rule_id

The ID of the major event protection rule that is matched.

2221

major_protection_rule_type

The type of the major event protection rule that is matched. Valid values:

  • waf_blocks: a rule in the rule group for major event protection

  • threat_intelligence: a threat intelligence rule for major event protection

  • blacklist: an IP address blacklist rule for major event protection

  • shiro: a rule used to defend against attacks that exploit shiro deserialization vulnerabilities

waf_blocks

major_protection_test

The protection mode that is used based on a major event protection rule. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

true

response_set_cookie

The cookie that is sent from the server to the client.

Important

This field is not supported for MSE instances or custom domain names bound to web applications in Function Compute.

acw_tc=781bad3616674790875002820e2cebbc55b6e0dfd9579302762b1dece40e0a;path=\/;HttpOnly;Max-Age=1800

response_header

All response headers.

Important

This field is not supported for MSE instances or custom domain names bound to web applications in Function Compute.

{"transfer-encoding":"chunked","set-cookie":"acw_tc=***;path=\/;HttpOnly;Max-Age=1800","content-type":"text\/html;charset=utf-8","x-powered-by":"PHP\/7.2.24","server":"nginx\/1.18.0","connection":"close"}

response_info

The response body. The value can be up to 16 KB in size. If the value of the content-encoding header is gzip, the response body is encoded in Base64.

Important

This field is not supported for ALB instances, MSE instances or custom domain names bound to web applications in Function Compute.

$_POST Received:<br/>Array ( [***] => ) <hr/> $GLOBALS['HTTP_RAW_POST_DATA'] Received:<br/> <hr/> php://input Received:***

request_path

The relative path of the request. The relative path is the part of the requested URL that comes after the domain name and before the question mark (?), excluding the query string.

Note

This field is selected by default.

/news/search.php

dlp_action

The action that is performed on the request based on a data leakage prevention rule. Valid values:

  • monitor: The request is monitored.

  • block: The request is blocked.

  • filter: The matched sensitive data is masked.

For more information about WAF protection actions, see Description of the *_action field.

block

dlp_rule_id

The ID of the data leakage prevention rule that is matched.

20031483

dlp_test

The protection mode that is used for the request based on a data leakage prevention rule. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

true

querystring

The query string of the client request. The query string is the part of the requested URL that follows the question mark (?).

Note

This field is selected by default.

title=tm_content%3Darticle&pid=123

scene_action

The action that is performed on the request based on a bot management scenario-specific rule. Valid values:

  • js: JavaScript validation is performed.

  • sigchl: Dynamic token authentication is performed.

  • block: The request is blocked.

  • monitor: The request is monitored.

  • bypass: The request is allowed.

  • captcha: Common slider CAPTCHA verification is performed.

  • captcha_strict: Strict slider CAPTCHA verification is performed.

For more information about WAF protection actions, see Description of the *_action field.

js

scene_id

The scenario ID of the bot management scenario-specific rule that is matched.

a82d992b_bc8c_47f0_87ce_******

scene_rule_id

The ID of the bot management scenario-specific rule and the ID of the basic protection rule.

js-a82d992b_bc8c_47f0_87ce_******

scene_rule_type

The type of the bot management scenario-specific rule that is matched. Valid values:

  • bot_aialgo: an intelligent protection rule

  • cc: a custom throttling rule

  • intelligence: a threat intelligence rule

  • js: a JavaScript validation rule

  • sigchl: a dynamic token authentication rule

  • sdk: a rule for SDK signature and device data collection or a rule for secondary packaging detection

bot_aialgo

scene_test

The protection mode that is used for the request based on a bot management scenario-specific rule. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

true

remote_addr

The IP address that is connected to WAF.

If no Layer 7 proxies are deployed in front of WAF, this field records the IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the IP address of the Layer 7 proxy.

Note

This field is selected by default.

198.51.XX.XX

remote_port

The port that is connected to WAF.

If no Layer 7 proxies are deployed in front of WAF, this field records the port of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the port of the Layer 7 proxy.

Note

This field is selected by default.

80

waf_hit

The content that matches the core protection rule.

{"postarg_values":{"hit":["${jndi:ldap://"],"raw":"postarg.log4j=${jndi:ldap://"}}

compliance_hit

The content that matches protocol compliance violation attacks.

**********7df271da040a

compliance_action

The action that is performed on the request based on a protocol compliance rule. The value of this field is fixed as block, which indicates that the request is blocked.

For more information about WAF protection actions, see Description of the *_action field.

block

compliance_rule_id

The ID of the protocol compliance rule that is matched.

300033

compliance_rule_type

The type of the protocol compliance rule that is matched. The value is fixed as protocol_violation.

protocol_violation

compliance_test

The protection mode that is used for the request based on a protocol compliance rule. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

false

sema_hit

The content that matches semantic analysis attacks.

{"queryarg_values":{"hit":["\" from mysql.user"],"raw":"queryarg.y=\" from mysql.user"}}

sema_action

The action that is performed on the request based on a semantic analysis rule. The value of this field is fixed as block, which indicates that the request is blocked.

For more information about WAF protection actions, see Description of the *_action field.

block

sema_rule_id

The ID of the semantic analysis rule that is matched.

810015

sema_rule_type

The type of the semantic analysis rule that is matched. The value is fixed as sqli, which indicates an SQL injection prevention rule.

sqli

sema_test

The protection mode that is used for the request based on a semantic analysis rule. Valid values:

  • true: monitoring mode. In this mode, logs are recorded but protection actions, such as blocking, are not performed.

  • false: prevention mode. In this mode, WAF performs protection actions, such as blocking, on requests that match the protection rule.

false

wxbb_info_tbl

The device information of a request that matched an app protection rule of the bot management feature.

{
  "abnormal_imei": "0",
  "abnormal_time": "1",
  *****
  "appversion": "9.4.3",
  "brand": "Android",
  *****
}
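The waf_hit and sema_hit fields, the response_info field and the request_headers_all field described above are the ones an analyst actually reads during triage, and also the ones most likely to carry data that should not leave the log store. The following Python is an added example, not code from this page or from Alibaba Cloud. It parses the {location: {"hit": [...], "raw": "..."}} shape shown in the waf_hit and sema_hit examples, decodes a gzip-compressed response body from response_info, and masks credential-bearing headers in request_headers_all before the record is forwarded elsewhere. The sample values are constructed. That response_info holds the Base64 of the gzip bytes, and the set of header names treated as sensitive, are assumptions of the example rather than statements from the reference; compliance_hit is skipped because the reference shows it only as a masked token.

```python
"""Extract evidence from the optional WAF fields and redact credentials.

Added example, not code from the WAF documentation or from Alibaba Cloud.
Sample values are constructed to match the shapes shown in the reference.
"""
import base64
import gzip
import json

# Assumption of this example: header names whose values must not be copied out verbatim.
SENSITIVE_HEADERS = {"cookie", "authorization", "proxy-authorization", "x-api-key"}

# Shape of waf_hit / sema_hit as shown in the reference: {location: {"hit": [...], "raw": "..."}}
SAMPLE_WAF_HIT = r'{"postarg_values":{"hit":["${jndi:ldap://"],"raw":"postarg.log4j=${jndi:ldap://"}}'
SAMPLE_SEMA_HIT = r'{"queryarg_values":{"hit":["\" from mysql.user"],"raw":"queryarg.y=\" from mysql.user"}}'

# Constructed request_headers_all value (a JSON object, as in the reference example).
SAMPLE_HEADERS = json.dumps({
    "Accept": "*/*", "Content-Type": "application/json",
    "Cookie": "session=0123456789abcdef; acw_tc=deadbeef",
    "Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc",
    "Host": "api.example.com",
})


def extract_hits(hit_json):
    """Return [(location, matched_fragment, raw_argument)] from a *_hit value."""
    out = []
    for location, detail in json.loads(hit_json).items():
        for fragment in detail.get("hit", []):
            out.append((location, fragment, detail.get("raw", "")))
    return out


def decode_response_info(value, content_encoding):
    """response_info is Base64 text when the origin answered with content-encoding: gzip.
    Assumption: the Base64 wraps the compressed bytes, so decode then decompress."""
    if content_encoding.lower() == "gzip":
        return gzip.decompress(base64.b64decode(value)).decode("utf-8", "replace")
    return value


def encode_gzip_response(body):
    """Build a constructed gzip+Base64 response_info value for the demonstration."""
    return base64.b64encode(gzip.compress(body.encode("utf-8"))).decode("ascii")


def redact_headers(headers_json, keep_chars=4):
    """Mask credential-bearing headers, keeping a short prefix for correlation."""
    headers = json.loads(headers_json)
    for name in list(headers):
        if name.lower() in SENSITIVE_HEADERS:
            value = headers[name]
            headers[name] = value[:keep_chars] + "*" * max(len(value) - keep_chars, 0)
    return headers


def hit_summary(record):
    """One line of evidence per parsed hit in a (constructed) log record."""
    lines = []
    for field in ("waf_hit", "sema_hit", "compliance_hit"):
        value = record.get(field)
        if not value or not value.startswith("{"):
            continue  # compliance_hit is shown only as a masked token; nothing to parse
        for location, fragment, raw in extract_hits(value):
            lines.append(f"{field}: {location} matched {fragment!r} in {raw!r}")
    return lines


if __name__ == "__main__":
    print(hit_summary({"waf_hit": SAMPLE_WAF_HIT, "sema_hit": SAMPLE_SEMA_HIT}))
    print(decode_response_info(encode_gzip_response("<html>ok</html>"), "gzip"))
    print(redact_headers(SAMPLE_HEADERS))
```

The hit location (postarg_values, queryarg_values) tells you which part of the request the rule matched, and raw gives the full argument, so a detection pipeline can pivot from the log record to the exact parameter without replaying the request. Run redact_headers before forwarding records to any system with a wider audience than the WAF log store itself.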

Description of the *_action field

Note

*_action indicates the protection actions of different protection rules. For example, final_action indicates the final action that is performed by WAF, and waf_action indicates the protection action of a core protection rule. The protection actions vary based on the protection rule. For more information about the protection actions, see the parameter description.

The following table describes the protection actions that are supported by WAF.

Protection action

Description

block

The request is blocked. WAF blocks the client request and returns HTTP error code 405 to the client.

captcha_strict

Strict slider CAPTCHA verification is performed. WAF returns the pages used for slider CAPTCHA verification to the client. If the client passes strict slider CAPTCHA verification, WAF allows the request. Otherwise, WAF blocks the request. The client must pass strict slider CAPTCHA verification each time the client sends a request.

captcha

Common slider CAPTCHA verification is performed. WAF returns the pages used for slider CAPTCHA verification to the client. If a client passes common slider CAPTCHA verification, WAF allows requests that are sent from the client in a specific time range. By default, the time range is set to 30 minutes. Otherwise, WAF blocks requests from the client.

js

JavaScript validation is performed. WAF returns JavaScript code to the client. The JavaScript code is automatically executed by the client browsers. If the client passes JavaScript validation, WAF allows requests that are sent from the client in a specific time range. By default, the time range is set to 30 minutes. Otherwise, WAF blocks requests from the client.

js_pass

JavaScript validation is passed. WAF allows the request.

sigchl

Dynamic token authentication is performed and web requests are signed. When the client sends a request, the Web SDK that WAF issues generates a signature for the request, and the signature is sent together with the request. If the signature is generated and verified successfully, the request is forwarded to the origin server. If the signature cannot be generated or fails verification, WAF returns to the client a code block that obtains a dynamic token, and the client must re-sign the request.