This topic describes the fields that are included in Web Application Firewall (WAF) logs.
Table for field retrieval
The following table lists the log fields that are specific to WAF, grouped by the first letter of the field name. You can retrieve a field by using its field name.
Initial | Field |
a | Fields related to IP address blacklist and custom (access control) rules: acl_action | acl_rule_id | acl_rule_type | acl_test. Fields related to scan protection rules: antiscan_action | antiscan_rule_id | antiscan_rule_type | antiscan_test |
b | body_bytes_sent | bypass_matched_ids |
c | Fields related to custom (throttling) rules: cc_action | cc_rule_id | cc_rule_type | cc_test. Fields related to protocol compliance rules: compliance_action | compliance_hit | compliance_rule_id | compliance_rule_type | compliance_test. Field used to record the content type: content_type |
d | Fields related to data leakage prevention rules: dlp_action | dlp_rule_id | dlp_test. Field used to record the destination port: dst_port |
f | Fields related to the final actions that are performed by WAF on requests: final_action | final_plugin | final_rule_id | final_rule_type |
h | host | http_cookie | http_referer | http_user_agent | http_x_forwarded_for | https |
m | Fields related to major event protection rules: major_protection_action | major_protection_rule_id | major_protection_rule_type | major_protection_test. Field used to record the protected object: matched_host |
q | Field used to record the query string: querystring |
r | real_client_ip | region | remote_addr | remote_port | remote_region_id | request_body | request_header | request_headers_all | request_length | request_method | request_path | request_time_msec | request_traceid | request_traceid_origin | request_uri | response_header | response_info | response_set_cookie |
s | Fields related to bot management scenario-specific rules: scene_action | scene_id | scene_rule_id | scene_rule_type | scene_test. Fields related to semantic analysis rules: sema_action | sema_hit | sema_rule_id | sema_rule_type | sema_test. Other fields: server_port | server_protocol | src_ip | src_port | ssl_cipher | ssl_protocol | start_time | status |
t | Field used to record the time when requests are sent: time |
u | upstream_addr | upstream_response_time | upstream_status | user_id |
w | Fields related to core protection rules: waf_action | waf_hit | waf_rule_id | waf_rule_type | waf_test. Field used to record device information for bot management for app protection: wxbb_info_tbl |
Required fields
Required fields refer to fields that must be included in WAF logs.
Field | Description | Example |
bypass_matched_ids | The ID of the matched rule that allows the request. The rule can be a whitelist rule or a custom protection rule. If multiple rules that allow the request are matched at a time, this field records the IDs of all the rules. Multiple IDs are separated with commas (,). | 283531 |
content_type | The type of the requested content. | application/x-www-form-urlencoded |
dst_port | The destination port that is requested. Important This field is not supported for custom domain names bound to web applications in Function Compute. | 443 |
final_action | The final action that WAF performs on the request. Valid values: block, captcha_strict, captcha, and js. For more information about WAF protection actions, see Description of the *_action field. This field is recorded only if the request triggers a protection module. It is not recorded if the request matches a rule that allows the request, or if the request is allowed after the client passes CAPTCHA verification or JavaScript validation. If a request triggers multiple protection modules at a time, only the final action is recorded, which is the triggered action with the highest priority. The actions in descending order of priority: blocking (block), strict slider CAPTCHA verification (captcha_strict), common slider CAPTCHA verification (captcha), and JavaScript validation (js). | block |
final_plugin | The protection module based on which the final action is performed on the request. The final_action field records the final action that is performed. Valid values:
This field is recorded only if the request triggers a protection module. It is not recorded if the request matches a rule that allows the request, or if the request is allowed after the client passes CAPTCHA verification or JavaScript validation. If a request triggers multiple protection modules at a time, this field records only the module whose action became the final action; final_action records that action. | waf |
final_rule_id | The ID of the rule based on which the final action is performed. The final_action field records the final action that is performed. | 115341 |
final_rule_type | The subtype of the rule based on which the final action is performed. The final_rule_id field records the rule. For example, | xss/webShell |
host | The Host field in the request header that contains the requested domain name or IP address. The value of this field varies based on the service settings. | api.example.com |
http_cookie | The Cookie field in the request header that contains the cookie information of the client. | k1=v1;k2=v2 |
http_referer | The Referer field in the request header, which contains the source URL of the request. If the request does not contain a Referer header, the value of this field is displayed as a hyphen (-). | http://example.com |
http_user_agent | The User-Agent field in the request header that contains information about the browser and the operating system. | Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002) |
http_x_forwarded_for | The X-Forwarded-For (XFF) field in the request header. Proxies and load balancers append the address of the client that connected to them, so this field is used to identify the originating client IP address when an HTTP proxy or a load balancer sits between the client and the web server. The header is supplied by the upstream hops and can also be set by the client itself, so treat it as untrusted input; real_client_ip records the originating IP address as determined by WAF. | 47.100.XX.XX |
https | Indicates whether the request is an HTTPS request. | on |
matched_host | The protected object that is requested. The protected object can be an instance or a domain name. Note The domain name can be an exact-match domain name or a wildcard domain name. For example, if the *.aliyundoc.com domain name is added to WAF and www.aliyundoc.com is requested, the *.aliyundoc.com domain name is the protected object that is requested. | *.aliyundoc.com |
request_uri | The path and parameters that are requested. | /news/search.php?id=1 |
real_client_ip | The originating IP address of the client that sends the request, as determined by WAF from the request. If WAF cannot identify the originating IP address of the client, the value of this field is displayed as a hyphen (-). | 192.0.XX.XX |
region | The ID of the region in which the WAF instance is deployed. Valid values: | cn |
src_port | The port that is connected to WAF. If no Layer 7 proxies are deployed in front of WAF, this field records the port of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the port of the Layer 7 proxy. | 80 |
src_ip | The IP address that is connected to WAF. If no Layer 7 proxies are deployed in front of WAF, this field records the IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the IP address of the Layer 7 proxy. | 198.51.XX.XX |
start_time | The time when the request is initiated, as a Unix timestamp. Unit: seconds. | 1696534058 |
request_length | The number of bytes in the request, including the bytes in the request line, request header, and request body. Unit: bytes. | 111111 |
request_method | The request method. | GET |
request_time_msec | The amount of time that WAF takes to process the request. Unit: milliseconds. | 44 |
request_traceid | The unique identifier that WAF generates for the client request. | 7837b11715410386943437009ea1f0 |
request_traceid_origin | The original ID of the request. | 7ce319151*****18890e |
remote_region_id | The ID of the province to which the IP address belongs. | 410000 |
server_protocol | The protocol used for connections between the client and WAF. Important This field is not supported for custom domain names bound to web applications in Function Compute. | HTTP/1.1 |
ssl_cipher | The cipher suite that is used by the client. | ECDHE-RSA-AES128-GCM-SHA256 |
ssl_protocol | The SSL or TLS protocol version that is used by the client. | TLSv1.2 |
status | The HTTP status code that is included in the response from WAF to the client. Example: 200, which indicates that the request is received and accepted. | 200 |
time | The time when the request was sent. The time follows the ISO 8601 standard in the | 2018-05-02T16:03:59+08:00 |
upstream_addr | The IP address and port of the origin server, in the format IP address:port. Important This field is not supported for custom domain names bound to web applications in Function Compute. | 198.51.XX.XX:443 |
upstream_response_time | The amount of time that the origin server takes to respond to the request forwarded by WAF. Unit: seconds. | 0.044 |
upstream_status | The HTTP status code that is sent by the origin server in response to the request forwarded by WAF. Example: 200, which indicates that the request is received and accepted. | 200 |
user_id | The ID of the Alibaba Cloud account to which the WAF instance belongs. | 17045741******** |
Optional fields
You can enable optional fields in WAF logs based on your business requirements. WAF logs record only the optional fields that you enabled.
If you enable optional fields, WAF logs occupy more storage space. If you have sufficient log storage capacity, we recommend that you enable additional optional fields. This way, you can perform log analysis in a more comprehensive manner. For more information about how to configure optional fields, see Log fields.
Field | Description | Example |
acl_action | The action that is performed on the request based on an IP address blacklist rule or custom (access control) rule. Valid values:
For more information about WAF protection actions, see Description of the *_action field. | block |
acl_rule_id | The ID of the IP address blacklist rule or custom (access control) rule that is matched. | 151235 |
acl_rule_type | The type of the IP address blacklist rule or custom (access control) rule that is matched. Valid values:
| custom |
acl_test | The protection mode that is used for the request based on an IP address blacklist rule or custom (access control) rule. Valid values: true (test mode: the rule is matched and the action is recorded in acl_action but not enforced) and false (protection mode: the action is enforced). | false |
antiscan_action | The action that is performed on the request based on a scan protection rule. The value of this field is fixed as block, which indicates that the request is blocked. For more information about WAF protection actions, see Description of the *_action field. | block |
antiscan_rule_id | The ID of the scan protection rule that is matched. | 151235 |
antiscan_rule_type | The type of the scan protection rule that is matched. Valid values:
| highfreq |
antiscan_test | The protection mode that is used for the request based on a scan protection rule. Valid values: true (test mode: the rule is matched and the action is recorded in antiscan_action but not enforced) and false (protection mode: the action is enforced). | false |
body_bytes_sent | The number of bytes returned to the client from the server. The number of bytes in the response header is not included. Unit: bytes. Important This field is not supported for custom domain names bound to web applications in Function Compute. | 1111 |
cc_action | The action that is performed on the request based on a custom (throttling) rule. Valid values:
For more information about WAF protection actions, see Description of the *_action field. | block |
cc_rule_id | The ID of the custom (throttling) rule that is matched. | 151234 |
cc_rule_type | The type of the rule that is matched. Valid values:
| custom |
cc_test | The protection mode that is used for the request based on a custom (throttling) rule. Valid values: true (test mode: the rule is matched and the action is recorded in cc_action but not enforced) and false (protection mode: the action is enforced). | false |
request_body | The request body. The value can be up to 8 KB in size. | test123curl -ki https://automated-acltest02.***.top/ --resolve automated-acltest02.***.top:443:39.107.XX.XX |
request_headers_all | All request headers. | { "Accept": "*/*", "Accept-Encoding": "gz**, de**te, **r", "Accept-Language": "zh-Hans-CN;q=1", "Connection": "keep-***ve", "Content-Length": "1**6", "Content-Type": "application/json", "Cookie": "cookie_key=***; acw_tc=0abc****opqrstuvwxyz0***7890;", "Host": "1.****.****.1", ... } |
request_header | The custom request headers. If you enable this field, you must specify the request headers. You can add up to five custom request headers. Separate multiple request headers with commas (,). Important This field is not supported for MSE instances or custom domain names bound to web applications in Function Compute. | {"ttt":"abcd"} |
server_port | The WAF port that is requested. Important | 443 |
waf_action | The action that is performed on the request based on a core protection rule. The value of this field is fixed as block, which indicates that the request is blocked. For more information about WAF protection actions, see Description of the *_action field. | block |
waf_rule_id | The ID of the core protection rule that is matched. Note The rule ID is displayed on the Core Protection Rule tab of the Security Reports page. For more information, see Core protection rule module. | 113406 |
waf_rule_type | The type of the core protection rule that is matched. Valid values:
| xss |
waf_test | The protection mode that is used for the request based on a core protection rule. Valid values: true (test mode: the rule is matched and the action is recorded in waf_action but not enforced) and false (protection mode: the action is enforced). | false |
major_protection_action | The action that is performed on the request based on a major event protection template. For more information about WAF protection actions, see Description of the *_action field. | block |
major_protection_rule_id | The ID of the major event protection rule that is matched. | 2221 |
major_protection_rule_type | The type of the major event protection rule that is matched. Valid values:
| waf_blocks |
major_protection_test | The protection mode that is used for the request based on a major event protection rule. Valid values: true (test mode: the rule is matched and the action is recorded in major_protection_action but not enforced) and false (protection mode: the action is enforced). | true |
response_set_cookie | The cookie that is sent from the server to the client. Important This field is not supported for MSE instances or custom domain names bound to web applications in Function Compute. | acw_tc=781bad3616674790875002820e2cebbc55b6e0dfd9579302762b1dece40e0a;path=\/;HttpOnly;Max-Age=1800 |
response_header | All response headers. Important This field is not supported for MSE instances or custom domain names bound to web applications in Function Compute. | {"transfer-encoding":"chunked","set-cookie":"acw_tc=***;path=\/;HttpOnly;Max-Age=1800","content-type":"text\/html;charset=utf-8","x-powered-by":"PHP\/7.2.24","server":"nginx\/1.18.0","connection":"close"} |
response_info | The response body. The value can be up to 16 KB in size. If the content-encoding response header is gzip, the compressed body is recorded in Base64 encoding. Important This field is not supported for ALB instances, MSE instances, or custom domain names bound to web applications in Function Compute. | $_POST Received:<br/>Array ( [***] => ) <hr/> $GLOBALS['HTTP_RAW_POST_DATA'] Received:<br/> <hr/> php://input Received:*** |
request_path | The relative path of the request. The relative path is the part of the requested URL that comes after the domain name and before the question mark (?), excluding the query string. Note This field is selected by default. | /news/search.php |
dlp_action | The action that is performed on the request based on a data leakage prevention rule. Valid values:
For more information about WAF protection actions, see Description of the *_action field. | block |
dlp_rule_id | The ID of the data leakage prevention rule that is matched. | 20031483 |
dlp_test | The protection mode that is used for the request based on a data leakage prevention rule. Valid values: true (test mode: the rule is matched and the action is recorded in dlp_action but not enforced) and false (protection mode: the action is enforced). | true |
querystring | The query string of the client request. The query string is the part of the requested URL that follows the question mark (?). Note This field is selected by default. | title=tm_content%3Darticle&pid=123 |
scene_action | The action that is performed on the request based on a bot management scenario-specific rule. Valid values:
For more information about WAF protection actions, see Description of the *_action field. | js |
scene_id | The scenario ID of the bot management scenario-specific rule that is matched. | a82d992b_bc8c_47f0_87ce_****** |
scene_rule_id | The ID of the bot management scenario-specific rule and the ID of the basic protection rule. | js-a82d992b_bc8c_47f0_87ce_****** |
scene_rule_type | The type of the bot management scenario-specific rule that is matched. Valid values:
| bot_aialgo |
scene_test | The protection mode that is used for the request based on a bot management scenario-specific rule. Valid values: true (test mode: the rule is matched and the action is recorded in scene_action but not enforced) and false (protection mode: the action is enforced). | true |
remote_addr | The IP address that is connected to WAF. If no Layer 7 proxies are deployed in front of WAF, this field records the IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the IP address of the Layer 7 proxy. Note This field is selected by default. | 198.51.XX.XX |
remote_port | The port that is connected to WAF. If no Layer 7 proxies are deployed in front of WAF, this field records the port of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN, is deployed in front of WAF, this field records the port of the Layer 7 proxy. Note This field is selected by default. | 80 |
waf_hit | The content that matches the core protection rule. | {"postarg_values":{"hit":["${jndi:ldap://"],"raw":"postarg.log4j=${jndi:ldap://"}} |
compliance_hit | The content that matches protocol compliance violation attacks. | **********7df271da040a |
compliance_action | The action that is performed on the request based on a protocol compliance rule. The value of this field is fixed as block, which indicates that the request is blocked. For more information about WAF protection actions, see Description of the *_action field. | block |
compliance_rule_id | The ID of the protocol compliance rule that is matched. | 300033 |
compliance_rule_type | The type of the protocol compliance rule that is matched. The value is fixed as protocol_violation. | protocol_violation |
compliance_test | The protection mode that is used for the request based on a protocol compliance rule. Valid values: true (test mode: the rule is matched and the action is recorded in compliance_action but not enforced) and false (protection mode: the action is enforced). | false |
sema_hit | The content that matches semantic analysis attacks. | {"queryarg_values":{"hit":["\" from mysql.user"],"raw":"queryarg.y=\" from mysql.user"}} |
sema_action | The action that is performed on the request based on a semantic analysis rule. The value of this field is fixed as block, which indicates that the request is blocked. For more information about WAF protection actions, see Description of the *_action field. | block |
sema_rule_id | The ID of the semantic analysis rule that is matched. | 810015 |
sema_rule_type | The type of the semantic analysis rule that is matched. The value is fixed as sqli, which indicates an SQL injection prevention rule. | sqli |
sema_test | The protection mode that is used for the request based on a semantic analysis rule. Valid values: true (test mode: the rule is matched and the action is recorded in sema_action but not enforced) and false (protection mode: the action is enforced). | false |
wxbb_info_tbl | The device information of the request that matches the bot management for app protection rule. | { "abnormal_imei": "0", "abnormal_time": "1", ***** "appversion": "9.4.3", "brand": "Android", ***** } |
Description of the *_action field
*_action indicates the protection actions of different protection rules. For example, final_action indicates the final action that is performed by WAF, and waf_action indicates the protection action of a core protection rule. The protection actions vary based on the protection rule. For more information about the protection actions, see the parameter description.
The following table describes the protection actions that are supported by WAF.
Protection action | Description |
block | The request is blocked. WAF blocks the client request and returns HTTP error code 405 to the client. |
captcha_strict | Strict slider CAPTCHA verification is performed. WAF returns the pages used for slider CAPTCHA verification to the client. If the client passes strict slider CAPTCHA verification, WAF allows the request. Otherwise, WAF blocks the request. The client must pass strict slider CAPTCHA verification each time the client sends a request. |
captcha | Common slider CAPTCHA verification is performed. WAF returns the pages used for slider CAPTCHA verification to the client. If a client passes common slider CAPTCHA verification, WAF allows requests that are sent from the client in a specific time range. By default, the time range is set to 30 minutes. Otherwise, WAF blocks requests from the client. |
js | JavaScript validation is performed. WAF returns JavaScript code to the client. The JavaScript code is automatically executed by the client browsers. If the client passes JavaScript validation, WAF allows requests that are sent from the client in a specific time range. By default, the time range is set to 30 minutes. Otherwise, WAF blocks requests from the client. |
js_pass | JavaScript validation is passed. WAF allows the request. |
sigchl | Dynamic token authentication is performed and web requests are signed. When the client sends a request, the Web SDK issued by WAF generates a signature for the request, and the signature is forwarded together with the request. If the signature is present and verifies, the request is forwarded to the origin server. If the signature cannot be generated or fails verification, WAF returns to the client a code block that obtains a dynamic token, and the client must re-sign the request. |
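The following Python script is an added example and is not part of the original page or of Alibaba Cloud WAF; it applies the final_action priority order (block, captcha_strict, captcha, js) and the *_test semantics from the field tables to a few constructed log records. The records are written in JSON Lines form and the list of module prefixes (waf, acl, cc, antiscan, dlp, scene, major_protection, compliance, sema) is derived from the <module>_action field names above; only the plugin value waf is confirmed by the page, so the remaining module names and the record layout are assumptions, and none of the sample data is captured WAF output.

```python
import json
from typing import List, Optional, Tuple

# Protection actions in descending priority, as listed for final_action.
ACTION_PRIORITY = ("block", "captcha_strict", "captcha", "js")

# Prefixes of the <module>_action / <module>_test field pairs (assumed module names;
# only "waf" is confirmed as a final_plugin value by the field table).
MODULES = ("waf", "acl", "cc", "antiscan", "dlp", "scene",
           "major_protection", "compliance", "sema")

# Constructed sample records, one JSON object per line. Not real WAF output.
SAMPLE_LOG = """
{"request_traceid": "t1", "real_client_ip": "198.51.100.7", "src_ip": "203.0.113.9", "http_x_forwarded_for": "198.51.100.7", "waf_action": "block", "waf_test": "false", "waf_rule_type": "sqli", "cc_action": "js", "cc_test": "false", "final_action": "block", "final_plugin": "waf", "status": "405"}
{"request_traceid": "t2", "real_client_ip": "-", "src_ip": "203.0.113.9", "http_x_forwarded_for": "10.0.0.1, 198.51.100.8", "acl_action": "captcha", "acl_test": "false", "final_action": "captcha", "final_plugin": "acl", "status": "200"}
{"request_traceid": "t3", "real_client_ip": "192.0.2.5", "src_ip": "192.0.2.5", "http_x_forwarded_for": "-", "sema_action": "block", "sema_test": "true", "sema_rule_type": "sqli", "status": "200"}
{"request_traceid": "t4", "real_client_ip": "192.0.2.6", "src_ip": "192.0.2.6", "http_x_forwarded_for": "-", "bypass_matched_ids": "283531", "status": "200"}
{"request_traceid": "t5", "real_client_ip": "192.0.2.7", "src_ip": "192.0.2.7", "http_x_forwarded_for": "-", "acl_action": "captcha", "acl_test": "false", "cc_action": "captcha_strict", "cc_test": "false", "final_action": "captcha_strict", "final_plugin": "cc", "status": "200"}
"""


def parse_records(text: str) -> List[dict]:
    """One JSON object per line; blank lines are skipped. Fields a request did not
    produce are simply absent, which mirrors how WAF omits unrecorded fields."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def module_hits(rec: dict) -> List[Tuple[str, str, bool]]:
    """(module, action, test_mode) for every module that recorded a <module>_action."""
    hits = []
    for mod in MODULES:
        action = rec.get(f"{mod}_action")
        if action:
            hits.append((mod, action, rec.get(f"{mod}_test") == "true"))
    return hits


def expected_final_action(rec: dict) -> Optional[str]:
    """Highest-priority enforced action; None if no module enforced anything
    (test-mode hits and allow outcomes do not produce a final_action)."""
    enforced = [a for _, a, test in module_hits(rec)
                if not test and a in ACTION_PRIORITY]
    if not enforced:
        return None
    return min(enforced, key=ACTION_PRIORITY.index)


def client_ip(rec: dict) -> Tuple[str, str]:
    """(ip, source). real_client_ip is WAF's own determination and "-" means it could
    not be identified; fall back to src_ip (the peer that connected to WAF) rather
    than to X-Forwarded-For, which the client can forge."""
    rip = rec.get("real_client_ip", "-")
    if rip != "-":
        return rip, "real_client_ip"
    return rec.get("src_ip", "-"), "src_ip"


def triage(rec: dict) -> dict:
    """Summarise one record: who sent it, what was enforced, and what only fired in test mode."""
    hits = module_hits(rec)
    ip, ip_source = client_ip(rec)
    logged = rec.get("final_action")
    return {
        "trace": rec.get("request_traceid"),
        "client_ip": ip,
        "ip_source": ip_source,
        "enforced_action": logged,
        "final_action_consistent": expected_final_action(rec) == logged,
        "shadow_hits": [(m, a) for m, a, test in hits if test],
        "allowed_by_rule": rec.get("bypass_matched_ids"),
    }


def shadow_block_candidates(records: List[dict]) -> List[str]:
    """Trace IDs that a test-mode module would have blocked but WAF let through.
    Review these before switching that module from test mode to protection mode."""
    return [
        rec.get("request_traceid")
        for rec in records
        if not rec.get("final_action")
        and any(a == "block" and test for _, a, test in module_hits(rec))
    ]


if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG)
    for rec in records:
        print(triage(rec))
    print("would-have-blocked:", shadow_block_candidates(records))
```

The consistency flag is a cheap sanity check for a log pipeline: if a record's per-module actions and its final_action disagree with the documented priority order, the record was probably truncated or mis-parsed rather than produced by WAF. The shadow list is the practical use of the *_test fields: it shows what a module in test mode would have enforced, which is the evidence you want before turning protection mode on.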