This topic describes the proprietary fields in Web Application Firewall (WAF) logs.
Field reference
This table describes the proprietary fields in WAF logs. Search for a field by name.
Initial | Field |
f | Final protection action on a request: final_action, final_plugin, final_rule_id, final_rule_type |
n | Matched non-terminating rules: non_terminating_rules |
p | Indicates the Proxy Protocol usage status in bitmap format: pp_state |
q | The query string of the request: querystring |
Required fields
Required fields are always included in WAF logs.
Parameter | Description | Example |
bypass_matched_ids | The ID of a WAF rule that allows a request. This includes whitelist rules and custom protection rules with the "Allow" action. If a request matches multiple allow rules, this field records all their IDs, separated by commas (,). | 283531 |
content_type | The content type of the request. | application/x-www-form-urlencoded |
dst_port | The destination port of the request. | 443 |
final_action | The final action WAF takes on a request. Valid values: see the *_action field section below, which describes each WAF protection action. This field is omitted if a request does not trigger any protection module, such as when it matches an allow rule or is permitted after a client passes a challenge. If a request triggers multiple protection modules, this field records only the action with the highest priority. The actions are prioritized in the following descending order: block > captcha_strict > captcha > js. | block |
final_plugin | The protection module corresponding to the final_action. This field is not recorded if a request does not trigger any protection module, such as when it matches an allow rule or is permitted after the client passes a challenge. If a request triggers multiple protection modules, this field records only the module that corresponds to the final_action. | waf |
final_rule_id | The ID of the protection rule that corresponds to the final_action. | 115341 |
final_rule_type | The subtype of the rule identified by final_rule_id. For example, a rule with | xss/webShell |
host | The value of the Host request header. | api.example.com |
http_cookie | The value of the Cookie request header. | k1=v1;k2=v2 |
http_referer | The value of the Referer request header. If the request does not have a source URL, this field displays a hyphen (-). | http://example.com |
http_user_agent | The value of the User-Agent request header. | Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002) |
http_x_forwarded_for | The value of the X-Forwarded-For request header. | 47.100.XX.XX |
https | Indicates whether the request is an HTTPS request. | on |
matched_host | The protected object, such as a cloud service instance or a domain name, that the client request matched. Note: Because WAF supports wildcard domain names for protected objects, a client request might match a wildcard domain name. For example, if you add | *.aliyundoc.com |
request_uri | The request path and parameters. | /news/search.php?id=1 |
real_client_ip | The client's real IP address, which WAF determines after analyzing the request. You can use this IP address directly in your services. If WAF cannot determine the real client IP address, for example, because the client uses a proxy server or the IP-related field in the request header is incorrect, this field displays a hyphen (-). | 192.0.XX.XX |
region | The region ID of the WAF instance. Valid values: | cn |
src_port | The port of the client or proxy connecting directly to WAF. If the client directly connects to WAF, this field indicates the client port. If another Layer 7 proxy, such as a CDN, is deployed in front of WAF, this field indicates the port of the proxy. | 80 |
src_ip | The IP address of the client or proxy connecting directly to WAF. If the client directly connects to WAF, this field indicates the client IP address. If another Layer 7 proxy, such as a CDN, is deployed in front of WAF, this field indicates the IP address of the proxy. | 198.51.XX.XX |
start_time | A Unix timestamp (in seconds) indicating when the client initiated the request. | 1696534058 |
request_length | The size of the request (in bytes), including the request line, headers, and body. | 111111 |
request_method | The request method. | GET |
request_time_msec | The time (in milliseconds) that WAF takes to process the request. | 44 |
request_traceid | The unique ID that WAF generates for the request. | 7837b11715410386943437009ea1f0 |
request_traceid_origin | The original ID of the request. | 7ce319151*****18890e |
remote_region_id | The ID of the geographic region to which the IP address belongs. | 410000 |
server_protocol | The protocol used between the client and WAF. Important: This field is not supported for protected objects that are Function Compute (FC) services. | HTTP/1.1 |
ssl_cipher | The cipher suite used by the client request. | ECDHE-RSA-AES128-GCM-SHA256 |
ssl_protocol | The SSL/TLS protocol and version used by the client request. | TLSv1.2 |
status | The HTTP status code that WAF returns to the client. For example, 200 indicates that the request was successful. | 200 |
time | The time when the client initiated the request. The time is in UTC and is formatted according to the ISO 8601 standard in the | 2018-05-02T16:03:59+08:00 |
upstream_addr | The IP address and port of the origin server. The format is Important This field is not supported for protected objects that are Function Compute (FC) services. | 198.51.XX.XX:443 |
upstream_response_time | The time (in seconds) the origin server takes to respond to a back-to-origin request from WAF. | 0.044 |
upstream_status | The HTTP status code returned by the origin server for a back-to-origin request from WAF. For example, 200 indicates that the request was successful. | 200 |
user_id | The Alibaba Cloud account ID to which the WAF instance belongs. | 17045741******** |
Optional fields
You can enable optional fields to be included in your WAF logs. WAF records only the optional fields that you enable.
Enabling optional fields increases log storage usage. If you have sufficient storage, we recommend enabling additional optional fields for more detailed log analysis.
Parameter | Description | Example |
account | The extracted account information. To use this field, you must first configure protected objects and protected object groups. | user1 |
acl_action | The protection action taken when a request matches an IP address blacklist or an access control rule. Valid values: see the *_action field section below. | block |
acl_rule_id | The ID of the matched rule. The rule can be an IP address blacklist, access control, region blacklist, threat intelligence, basic bot protection, or bot management app protection rule. | 151235 |
acl_rule_type | The type of the matched IP address blacklist or access control rule. Valid values: | custom |
acl_test | The protection mode of the matched IP address blacklist or access control rule. Valid values: Note: When | false |
antiscan_action | The action taken by a scan protection rule. The only valid value is block. For more information about WAF protection actions, see the *_action field section below. | block |
antiscan_rule_id | The ID of the matched scan protection rule. | 151235 |
antiscan_rule_type | The type of the matched scan protection rule. Valid values: | highfreq |
antiscan_test | The protection mode of the matched scan protection rule. Valid values: | false |
body_bytes_sent | The size of the response body, in bytes. This size excludes the response header. Important: This field is not supported for protected objects that are Function Compute (FC) services. | 1111 |
cc_action | The action taken by an or throttling rule. Valid values: see the *_action field section below. | block |
cc_rule_id | The ID of the matched or throttling rule. | 151234 |
cc_rule_type | The type of the matched or throttling rule. Valid values: | custom |
cc_test | The protection mode of the matched or throttling rule. Valid values: | false |
request_body | The request body. A maximum of 8 KB of the request body is recorded. | test123curl -ki https://automated-acltest02.***.top/ --resolve automated-acltest02.***.top:443:39.107.XX.XX |
request_headers_all | All headers in the request. | { "Accept": "*/*", "Accept-Encoding": "gz**, de**te, **r", "Accept-Language": "zh-Hans-CN;q=1", "Connection": "keep-***ve", "Content-Length": "1**6", "Content-Type": "application/json", "Cookie": "cookie_key=***; acw_tc=0abc****opqrstuvwxyz0***7890;", "Host": "1.****.****.1", ... } |
request_header | A custom request header. After selecting this field, you must specify the names of the request headers to record. You can add up to five custom request headers. Separate multiple header names with commas (,). Important: This field is not supported for protected objects that are Microservices Engine (MSE) or Function Compute (FC) services. | {"ttt":"abcd"} |
server_port | The WAF port that receives the request. Important: This field is not supported for protected objects that are Microservices Engine (MSE), API Gateway (APIG), Application Load Balancer (ALB), or Function Compute (FC) services. | 443 |
waf_action | The action taken by a core protection rule. The only valid value is block. For more information about WAF protection actions, see the *_action field section below. | block |
waf_rule_id | The ID of the matched core protection rule. Note: You can find this ID on the Core Protection Rule tab of the Security Reports page. For more information, see Security Reports. | 113406 |
waf_rule_type | The type of the matched core protection rule. Valid values: | xss |
waf_test | The protection mode of the matched core protection rule. Valid values: | false |
major_protection_action | The action taken by a major event protection rule. For more information about WAF protection actions, see the *_action field section below. | block |
major_protection_rule_id | The ID of the matched rule from a major event protection template. | 2221 |
major_protection_rule_type | The type of the matched rule from a major event protection template. Valid values: | waf_blocks |
major_protection_test | The protection mode of the matched major event protection rule. Valid values: | true |
response_set_cookie | The Set-Cookie header in the response. Important: This field is not supported for protected objects that are Application Load Balancer (ALB), Microservices Engine (MSE), or Function Compute (FC) services. | acw_tc=781bad3616674790875002820e2cebbc55b6e0dfd9579302762b1dece40e0a;path=\/;HttpOnly;Max-Age=1800 |
response_header | All headers in the response. Important: This field is not supported for protected objects that are Application Load Balancer (ALB), Microservices Engine (MSE), or Function Compute (FC) services. | {"transfer-encoding":"chunked","set-cookie":"acw_tc=***;path=\/;HttpOnly;Max-Age=1800","content-type":"text\/html;charset=utf-8","x-powered-by":"PHP\/7.2.24","server":"nginx\/1.18.0","connection":"close"} |
response_info | The response body. A maximum of 16 KB of the response body is recorded. If the value of the content-encoding header is gzip, the response body is Base64-encoded. Important: This field is not supported for protected objects that are Application Load Balancer (ALB), Microservices Engine (MSE), or Function Compute (FC) services. | $_POST received: <br/>Array ( [***] => ) <hr/> $GLOBALS['HTTP_RAW_POST_DATA'] received: <br/> <hr/> php://input received: *** |
request_path | The request path, which is the part of the URL after the domain name and before the query string (?). | /news/search.php |
dlp_action | The protection action taken by a data leakage prevention rule. Valid values: see the *_action field section below. | block |
dlp_rule_id | The ID of the matched data leakage prevention rule. | 20031483 |
dlp_test | The protection mode of the matched data leakage prevention rule. Valid values: | true |
querystring | The query string of the request, which is the part of the URL that follows the question mark (?). | title=tm_content%3Darticle&pid=123 |
scene_action | The protection action taken by a bot management scenario-specific rule. Valid values: see the *_action field section below. | js |
scene_id | The scenario ID of the matched bot management scenario-specific rule. | a82d992b_bc8c_47f0_87ce_****** |
scene_rule_id | The ID of the matched bot management scenario-specific rule and basic protection configuration rule. | js-a82d992b_bc8c_47f0_87ce_****** |
scene_rule_type | The type of the matched bot management scenario-specific rule. Valid values: | bot_aialgo |
scene_test | The protection mode of the matched bot management scenario-specific rule. Valid values: | true |
remote_addr | The IP address that directly connects to WAF. If a client connects directly to WAF, this field records the client's IP address. If a Layer 7 proxy such as a CDN is deployed in front of WAF, this field records the IP address of the proxy. | 198.51.XX.XX |
remote_port | The port that directly connects to WAF. If a client connects directly to WAF, this field records the client's port. If a Layer 7 proxy such as a CDN is deployed in front of WAF, this field records the port of the proxy. | 80 |
waf_hit | The attack payload that matched a basic protection rule. | {"postarg_values":{"hit":["${jndi:ldap://"],"raw":"postarg.log4j=${jndi:ldap://"}} |
compliance_hit | The content that matched a protocol violation rule. | **********7df271da040a |
compliance_action | The action taken by a protocol violation rule. The only valid value is block. For more information about WAF protection actions, see the *_action field section below. | block |
compliance_rule_id | The ID of the matched protocol violation rule. | 300033 |
compliance_rule_type | The type of the matched protocol violation rule. The only valid value is protocol_violation. | protocol_violation |
compliance_test | The protection mode of the matched protocol violation rule. Valid values: | false |
sema_hit | The content that matched a semantic analysis rule. | {"queryarg_values":{"hit":["\" from mysql.user"],"raw":"queryarg.y=\" from mysql.user"}} |
sema_action | The action taken by a semantic analysis rule. The only valid value is block. For more information about WAF protection actions, see the *_action field section below. | block |
sema_rule_id | The ID of the matched semantic analysis rule. | 810015 |
sema_rule_type | The type of the matched semantic analysis rule. The only valid value is sqli, which indicates an SQL injection rule. | sqli |
sema_test | The protection mode of the matched semantic analysis rule. Valid values: | false |
wxbb_info_tbl | Device information from a request that matched an app protection rule for bot management. | { "abnormal_imei": "0", "abnormal_time": "1", ***** "appversion": "9.4.3", "brand": "Android", ***** } |
websdk_umid | The unique device identifier for a web client, identified by bot management. | 6543211729a19aa0123456 |
appsdk_umid | The unique device identifier for an app client, identified by bot management. | 3c76912d48ec5eb1ea6cb775ce1ba609 |
client_id | The client type identified by bot management. | Python-urllib |
ja3_fingerprint | The JA3 fingerprint of the traffic, identified by bot management. | 5c9e5897bbebcef37337bffb97587518 |
ja4_fingerprint | The JA4 fingerprint of the traffic, identified by bot management. | b251a742b13fde5fba044eddfd05af34 |
http2_fingerprint | The HTTP/2 fingerprint of the traffic, identified by bot management. | 52d84b11737d980aef856699f885ca86 |
non_terminating_rules | Information about requests that match rules with non-terminating actions. This includes requests that match rules with the Log or Origin Custom Header action, and requests that pass challenges such as JavaScript Validation, CAPTCHA, Strict CAPTCHA, or Dynamic Token. These correspond to requests where the | [{"id":"12345678","action":"monitor","defense_scene":"waf_base"},{"id":"123123123","type":"suspicious_idc","action":"monitor","defense_scene":"bot_manager"}, {"id":"12341234","bypass_punish":"1","defense_scene":"custom_acl"}] Note In this example, |
terminating_rules | Information about requests that match rules with terminating actions. This includes requests that match the Block action, and requests that fail challenges such as JavaScript Validation, CAPTCHA, Strict CAPTCHA, or Dynamic Token. These correspond to requests where the | [{"id":"123456","action":"block","defense_scene":"custom_acl"}] |
remote_country_id | The country ID associated with the IP address. | CN |
pp_state | Indicates the Proxy Protocol usage status in bitmap format. You can use a bitwise AND (&) operation to check whether a specific flag is set. | 6 (binary 110) |
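The following added example (not Alibaba Cloud's code) turns two rules from the tables above into checks a log consumer can run: the final_action priority order from the required fields table (block > captcha_strict > captcha > js), and the pp_state bitmap test and terminating_rules JSON array from the optional fields table. It assumes every per-module action is stored in a field named *_action and that a log record arrives as a dict of string values; the sample record is constructed.

```python
"""Consistency checks over WAF log records (added example, constructed data)."""
import json

# Descending priority of final_action when several protection modules fire (from the page).
ACTION_PRIORITY = ["block", "captcha_strict", "captcha", "js"]
RANK = {a: i for i, a in enumerate(ACTION_PRIORITY)}


def resolve_final_action(rec):
    """Return (action, field) for the highest-priority module action in rec,
    or (None, None) when no module fired (the case where final_action is omitted).
    Assumption: per-module actions live in fields named *_action. Values outside
    the priority list (js_pass, sigchl) are non-terminating and are ignored here."""
    best = None
    for field, val in rec.items():
        if field.endswith("_action") and field != "final_action" and val in RANK:
            if best is None or RANK[val] < RANK[best[0]]:
                best = (val, field)
    return best or (None, None)


def pp_flag_set(pp_state, bit):
    """pp_state is a bitmap; test flag number `bit` with a bitwise AND as the page describes."""
    return (int(pp_state) & (1 << bit)) != 0


def terminating_rule_ids(rec):
    """Rule IDs from the JSON array in terminating_rules (empty list if the field is absent)."""
    return [r["id"] for r in json.loads(rec.get("terminating_rules", "[]"))]


def check_record(rec):
    """Return a list of inconsistencies worth alerting on for one record."""
    findings = []
    action, field = resolve_final_action(rec)
    if rec.get("final_action") != action:
        findings.append(f"final_action={rec.get('final_action')!r} but {field} implies {action!r}")
    if rec.get("real_client_ip", "-") == "-":  # hyphen: WAF could not determine the client IP
        findings.append("real_client_ip unknown; fall back to src_ip")
    if action == "block" and not terminating_rule_ids(rec):
        findings.append("blocked request without terminating_rules")
    return findings


# Constructed sample record: two modules fired, and block outranks js.
SAMPLE = {
    "final_action": "block", "waf_action": "block", "scene_action": "js",
    "real_client_ip": "-", "src_ip": "198.51.XX.XX", "pp_state": "6",
    "terminating_rules": '[{"id":"123456","action":"block","defense_scene":"custom_acl"}]',
}

if __name__ == "__main__":
    print(resolve_final_action(SAMPLE), check_record(SAMPLE), pp_flag_set(SAMPLE["pp_state"], 1))
```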
The *_action field
The *_action field indicates the protection action for protection rules. For example, final_action specifies the final action WAF takes, and waf_action specifies the action for a core protection rule. Supported actions vary by protection rule. For more information, see the description of the corresponding parameter.
The following table lists the protection actions that WAF supports.
Action | Description |
block | Blocks the web request and returns an HTTP 405 error page to the client. |
captcha_strict | Performs strict slider CAPTCHA verification. WAF presents a slider CAPTCHA page to the client. WAF allows the request only if the client successfully completes the CAPTCHA. Otherwise, the request is blocked. In this mode, every request from the client requires verification. |
captcha | Performs common slider CAPTCHA verification. WAF presents a slider CAPTCHA page to the client. If the client successfully completes the CAPTCHA, WAF allows subsequent requests from the client for a period (default: 30 minutes) without re-verification. Otherwise, the request is blocked. |
js | Performs JavaScript validation. WAF issues a JavaScript challenge to the client's browser. If the browser successfully executes the JavaScript code, WAF allows subsequent requests from the client for a period (default: 30 minutes) without further challenges. Otherwise, the request is blocked. |
js_pass | Indicates that the client passed the JavaScript validation, and WAF allowed the request. |
sigchl | Performs dynamic token authentication. WAF provides a Web SDK for the client to sign outgoing requests. If a request has a valid signature, WAF forwards it to the origin server. If the signature is invalid or missing, WAF challenges the client to re-sign the request. |