Cloud Firewall automatically collects and stores traffic logs in real time. Use log fields to filter log entries and find the data you need — this speeds up log analysis and troubleshooting.
This page covers:
Which fields each firewall type logs
Which fields support indexes (for efficient querying)
The data type, meaning, valid values, and example for each field
Firewall log fields
Each firewall type logs a different set of fields. The tables below show the fields available per firewall type.
Internet firewall
acl_rule_id, aliuid, app_dpi_state, app_name, attack_type_name, attack_type_name_en, country_id, city_id, direction, domain, dst_ip, dst_port, end_time, in_bps, in_packet_bytes, in_packet_count, in_pps, ip_protocol, ips_ai_rule_id, ips_rule_id, ips_rule_name, ips_rule_name_en, log_type, loose_allow_acl_id, new_conn, out_bps, out_packet_bytes, out_packet_count, out_pps, region_id, rule_result, rule_source, src_ip, src_port, start_time, start_time_min, tcp_seq, total_bps, total_packet_bytes, total_packet_count, total_pps, url, vul_level
NAT firewalls
acl_rule_id, aliuid, app_dpi_state, app_name, cloud_instance_id, direction, domain, dst_ip, dst_port, end_time, in_bps, in_packet_bytes, in_packet_count, in_pps, ip_protocol, log_type, loose_allow_acl_id, new_conn, out_bps, out_packet_bytes, out_packet_count, out_pps, rule_result, rule_source, src_ip, src_port, src_region, src_vpc_id, start_time, start_time_min, tcp_seq, total_bps, total_packet_bytes, total_packet_count, total_pps
VPC firewalls
acl_rule_id, aliuid, app_dpi_state, app_name, attack_type_name, attack_type_name_en, domain, dst_ip, dst_network_instance_id, dst_port, dst_region, end_time, firewall_id, in_bps, in_packet_bytes, in_packet_count, in_pps, ip_protocol, ips_ai_rule_id, ips_rule_id, ips_rule_name, ips_rule_name_en, log_type, loose_allow_acl_id, new_conn, out_bps, out_packet_bytes, out_packet_count, out_pps, rule_result, rule_source, src_ip, src_network_instance_id, src_port, src_region, start_time, start_time_min, tcp_seq, total_bps, total_packet_bytes, total_packet_count, total_pps, vul_level
Fields that support indexes
Log field descriptions
| Field | Applies to | Description | Example |
|---|---|---|---|
| __time__ | All | The time when the log entry is written to the Logstore. UNIX timestamp, unit: seconds. | 1703483369 |
| __topic__ | All | The log topic. Fixed value: cloudfirewall_access_log. | cloudfirewall_access_log |
| acl_rule_id | All | The ID of the access control policy hit by the traffic. 00000000-0000-0000-0000-000000000000: no policy was hit. | 073a1475-6e11-43e2-8b28-98cee9c6**** |
| aliuid | All | The Alibaba Cloud account ID. | 1233333333**** |
| app_dpi_state | All | The result of deep packet inspection (DPI). Valid values: success (application identified) / policy_discard (traffic blocked by policy) / tcp_not_establish (TCP connection failed) / analysing (application being analyzed) / no_payload (payload not yet received) / unknown_loose (application unidentified in loose mode) / unknown_strict (application unidentified in strict mode) / none (stateless traffic) | success |
| app_name | All | The application type of the traffic. Valid values include HTTPS, NTP, SIP, SMB, NFS, DNS, and Unknown (protocol type unknown). | HTTPS |
| attack_type_name | Internet, VPC | The Chinese name of the attack type detected in the traffic. | Mining behavior |
| attack_type_name_en | Internet, VPC | The English name of the attack type detected in the traffic. | Mining Behavior |
| city_id | Internet | The city identifier. The value is the six-digit administrative region code for a Chinese city at or above the county level. Beijing is 110000. | 110000 |
| cloud_instance_id | NAT | The ID of the protected asset instance. | ngw-bp1d5bx2orlw1p2wn**** |
| country_id | Internet | The country or region code (ISO 3166-1, two-letter format). YY: unknown country or region. If direction is in, this field is the origin country or region. If direction is out, this field is the destination country or region. | CN |
| direction | Internet, NAT | The traffic direction. in: inbound traffic to your assets from the Internet or other ECS instances. out: outbound traffic from your assets to the Internet or other ECS instances. VPC firewalls do not distinguish inbound from outbound — the default value for VPC firewall logs is out. | in |
| domain | All | The destination domain name of the traffic. This field appears only when the traffic contains domain name information. If app_name is DNS, this field is the domain name queried in the DNS request. | www.aliyundoc.com |
| dst_ip | All | The destination IP address of the traffic. | 39.108.XX.XX |
| dst_network_instance_id | VPC | The destination network instance of the traffic. | vpc-bp18ina819injc9zs**** |
| dst_port | All | The destination port of the traffic. | 443 |
| dst_region | VPC | The destination region of the traffic. | cn-beijing |
| end_time | All | The time when the session ends. UNIX timestamp, unit: seconds. | 1702367350 |
| firewall_id | VPC | The ID of the VPC firewall instance. | cen-m9y9u2hgc0t9im**** |
| in_bps | All | The inbound traffic rate. Unit: bit/s. | 42 |
| in_packet_bytes | All | The inbound traffic volume. Unit: bytes. | 58 |
| in_packet_count | All | The number of inbound packets. | 1 |
| in_pps | All | The average inbound packet rate. Unit: packets per second. If the rate is less than 1 packet/second, this field displays 0 (no decimal places). | 1 |
| ip_protocol | All | The IP protocol. Valid values: tcp / udp / icmp | tcp |
| ips_ai_rule_id | Internet, VPC | The ID of the AI Recommendation-based access control policy hit by the traffic. 00000000-0000-0000-0000-000000000000: no AI-based policy was matched. | 00000000-0000-0000-0000-000000000000 |
| ips_rule_id | Internet, VPC | The ID of the intrusion prevention rule hit by the traffic. 00000000-0000-0000-0000-000000000000: no intrusion prevention rule was matched. | 00000000-0000-0000-0000-000000000000 |
| ips_rule_name | Internet, VPC | The Chinese name of the intrusion prevention rule hit by the traffic. | Mining behavior on the host |
| ips_rule_name_en | Internet, VPC | The English name of the intrusion prevention rule hit by the traffic. | Mining behavior on the host |
| log_type | All | The firewall type that generated the log. Valid values: internet_log (Internet firewall) / vpc_firewall_log (VPC firewalls) / nat_firewall_log (NAT firewalls) / dns_firewall_log (DNS firewall) / ipv6_firewall_log (IPv6 asset traffic protection) | internet_log |
| loose_allow_acl_id | All | The ID of the pre-matched access control policy for unidentified traffic. 00000000-0000-0000-0000-000000000000: no unidentified traffic was allowed. Any other value is the ID of the policy that allowed the unidentified traffic. | 00000000-0000-0000-0000-000000000000 |
| new_conn | All | Whether the log entry represents a new connection. 1: yes / 0: no | 1 |
| out_bps | All | The outbound traffic rate. Unit: bit/s. | 0 |
| out_packet_bytes | All | The outbound traffic volume. Unit: bytes. | 0 |
| out_packet_count | All | The number of outbound packets. | 0 |
| out_pps | All | The average outbound packet rate. Unit: packets per second. If the rate is less than 1 packet/second, this field displays 0 (no decimal places). | 0 |
| region_id | Internet | The region ID. If direction is in, this field is the destination region ID. If direction is out, this field is the source region ID. For a list of region IDs, see Supported regions. | cn-beijing |
| rule_result | All | The action applied to the traffic. For access control policy hits: pass (Allow) / alert (Monitor) / drop (Deny). For intrusion prevention events: alert (Alert) / drop (Block) | alert |
| rule_source | All | The policy type that matched the traffic. Valid values: basic_acl (access control) / dns_acl_rule (DNS firewall access control policy) / intelligence (threat intelligence) / ips_basic_rule (basic protection) / virtual_patch (virtual patching) / unknown | basic_acl |
| src_ip | All | The source IP address of the traffic. | 167.94.XX.XX |
| src_network_instance_id | VPC | The source network instance of the traffic. | vpc-bp18ina819injc9zs**** |
| src_port | All | The source port of the traffic (the port on the originating host). | 47915 |
| src_region | NAT, VPC | The source region of the traffic. | cn-beijing |
| src_vpc_id | NAT | The ID of the source VPC. | vpc-bp18ina819injc9zs**** |
| start_time | All | The time when the session starts. UNIX timestamp, unit: seconds. | 1701759171 |
| start_time_min | All | The session start time rounded down to the minute. UNIX timestamp, unit: seconds. | 1701759120 |
| tcp_seq | All | The TCP sequence number. | 388367**** |
| total_bps | All | The combined inbound and outbound traffic rate. Unit: bit/s. | 42 |
| total_packet_bytes | All | The combined inbound and outbound traffic volume. Unit: bytes. | 58 |
| total_packet_count | All | The total number of inbound and outbound packets. | 1 |
| total_pps | All | The average combined packet rate for inbound and outbound traffic. Unit: packets per second. If the rate is less than 1 packet/second, this field displays 0 (no decimal places). | 0 |
| url | Internet | The URL of the Internet resource accessed. This field appears only when app_name is HTTP. | http://aliyundoc.com/index.html |
| vul_level | Internet, VPC | The risk level of the vulnerability exploit detected in the traffic. 0: no exploit detected / 1: low risk / 2: medium risk / 3: high risk | 1 |
|
ndr_log_type |
The log type for Network Detection and Response (NDR) protocols. This field identifies the protocol log. |
HTTP |
|
|
net_type |
The location where NDR traffic is detected. Valid values:
|
0 |
|
|
request_uri |
|
/api?key=value |
|
|
request_path |
The path part of the URI, without query parameters. |
/api |
|
|
host |
The destination hostname and port number from the request header (the Host header). |
aliyun.com:8080 |
|
|
request_method |
The HTTP request method, such as GET, POST, PUT, or DELETE. |
POST |
|
|
http_user_agent |
The client ID from the request header. |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36 |
|
|
status |
The HTTP response status code, which is a three-digit code. |
200 |
What's next
Enable the log analysis feature to start collecting Cloud Firewall logs. For details, see Enable the log analysis feature.
Query and analyze collected logs in real time to monitor traffic and investigate security incidents. For details, see Query and analyze logs.
Export log query results to your local machine or to Object Storage Service (OSS). For details, see Export logs.