Updated on 2024-02-29 GMT+08:00

WAF Monitored Metrics

Function Description

This topic describes metrics reported by WAF to Cloud Eye as well as their namespaces and dimensions. You can use APIs provided by Cloud Eye to query the metrics of the monitored object and alarms generated for WAF. You can also query them on the Cloud Eye console.

namespaces

SYS.WAF

A namespace is an abstract collection of resources and objects. Multiple namespaces can be created in a single cluster with the data isolated from each other. This enables namespaces to share the same cluster services without affecting each other.

Monitored Metrics for Protected Domain Names

Table 1 Monitored metrics for domain names protected with WAF

Metric ID

Metric Name

Description

Value Range

Monitored Object

Monitoring Interval (Minute)

requests

Number of Requests

Number of requests returned by WAF in the last 5 minutes

Unit: Count

Collection method: The total number of requests for the domain name are collected.

≥ 0

Value type: Float

Protected domain dame

5 minutes

waf_http_2xx

WAF Status Code (2XX)

Number of 2XX status codes returned by WAF in the last 5 minutes

Unit: Count

Collection method: Number of 2XX status codes returned

≥ 0

Value type: Float

Protected domain dame

5

waf_http_3xx

WAF Status Code (3XX)

Number of 3XX status codes returned by WAF in the last 5 minutes

Unit: Count

Collection method: Number of 3XX status codes returned

≥ 0

Value type: Float

Protected domain dame

5

waf_http_4xx

WAF Status Code (4XX)

Number of 4XX status codes returned by WAF in the last 5 minutes

Unit: Count

Collection method: Number of 4XX status codes returned

≥ 0

Value type: Float

Protected domain dame

5

waf_http_5xx

WAF Status Code (5XX)

Number of 5XX status codes returned by WAF in the last 5 minutes

Unit: Count

Collection method: Number of 5XX status codes returned

≥ 0

Value type: Float

Protected domain dame

5

waf_fused_counts

WAF Traffic Threshold

Number of requests destined for the website in the last 5 minutes during breakdown protection duration

Unit: Count

Collection method: Number of requests to the protected domain name while the website was down

≥ 0

Value type: Float

Protected domain dame

5

inbound_traffic

Total Inbound Traffic

Total inbound traffic in the last 5 minutes

Unit: Mbit/s

Collection method: Total inbound traffic in the last 5 minutes

≥0 Mbit

Value type: Float

Protected domain dame

5

outbound_traffic

Total Outbound Traffic

Total outbound traffic in the last 5 minutes

Unit: Mbit/s

Collection method: Total outbound traffic in the last 5 minutes

≥0 Mbit

Value type: Float

Protected domain dame

5

waf_process_time_0

WAF Latency [0-10) ms

This metric is used to collect how many requests are processed by WAF at latencies from 0 ms (included) to 10 ms (excluded) in the last 5 minutes.

Unit: Count

Collection method: The number of requests processed by WAF at latencies from 0 ms (included) to 10 ms (excluded) in the last 5 minutes are collected.

≥ 0

Value type: Float

Protected domain dame

5 minutes

waf_process_time_10

WAF Latency [10-20) ms

This metric is used to collect how many requests are processed by WAF at latencies in the 10 ms to less than 20 ms range in the last 5 minutes.

Unit: Count

Collection method: The number of requests processed by WAF at latencies in the 10 ms to less than 20 ms range in the last 5 minutes are collected.

≥ 0

Value type: Float

Protected domain dame

5 minutes

waf_process_time_20

WAF Latency [20-50) ms

This metric is used to collect how many requests are processed by WAF at latencies from 20 ms (included) to 50 ms (excluded) in the last 5 minutes.

Unit: Count

Collection method: The number of requests processed by WAF at latencies from 20 ms (included) to 50 ms (excluded) in the last 5 minutes are collected.

≥ 0

Value type: Float

Protected domain dame

5 minutes

waf_process_time_50

WAF Latency [50-100) ms

This metric is used to collect how many requests are processed by WAF at latencies from 50 ms (included) to 100 ms (excluded) in the last 5 minutes.

Unit: Count

Collection method: The number of requests processed by WAF at latencies from 50 ms (included) to 100 ms (excluded) in the last 5 minutes are collected.

≥ 0

Value type: Float

Protected domain dame

5 minutes

waf_process_time_100

WAF Latency [100, 1,000) ms

This metric is used to collect how many requests are processed by WAF at latencies in the 100 ms to less than 1,000 ms range in the last 5 minutes.

Unit: Count

Collection method: The number of requests processed by WAF at latencies in the 100 ms to less than 1000 ms range in the last 5 minutes are collected.

≥ 0

Value type: Float

Protected domain dame

5 minutes

waf_process_time_1000

WAF Latency [1,000, above) ms

This metric is used to collect how many requests are processed by WAF at latencies above 1000 ms in the last 5 minutes.

Unit: Count

Collection method: The number of requests processed by WAF at latencies above 1000 ms in the last 5 minutes are collected.

≥ 0

Value type: Float

Protected domain dame

5 minutes

qps_peak

Peak QPS

This metric is used to collect the peak QPS of the domain name in the last 5 minutes.

Unit: Count

Collection method: The peak QPS of the domain name in the last 5 minutes is collected.

≥ 0

Value type: Float

Protected domain dame

5 minutes

qps_mean

Average QPS

This metric is used to collect the average QPS of the domain name in the last 5 minutes.

Unit: Count

Collection method: The average QPS of the domain name in the last 5 minutes is collected.

≥ 0

Value type: Float

Protected domain dame

5 minutes

waf_http_0

No WAF Status Code

This metric is used to collect how many requests with no status code returned by WAF in the last 5 minutes.

Unit: Count

Collection method: The number of requests with no WAF status code returned in the last 5 minutes is collected.

≥ 0

Value type: Float

Protected domain dame

5 minutes

upstream_code_2xx

Status Code Returned to the Client

(2XX)

This metric is used to collect how many requests with 2XX status code are returned by the origin server in the last 5 minutes.

Unit: Count

Collection method: The number of requests with 2XX status code returned by the origin server in the last 5 minutes is collected.

≥ 0

Value type: Float

Protected domain dame

5 minutes

upstream_code_3xx

Status Code Returned by the Origin Server

(3XX)

This metric is used to collect how many requests with 3XX status code are returned by the origin server in the last 5 minutes.

Unit: Count

Collection method: The number of requests with 3XX status code returned by the origin server in the last 5 minutes is collected.

≥ 0

Value type: Float

Protected domain dame

5 minutes

upstream_code_4xx

Status Code Returned by the Origin Server

(4XX)

This metric is used to collect how many requests with 4XX status code are returned by the origin server in the last 5 minutes.

Unit: Count

Collection method: The number of requests with 4XX status code returned by the origin server in the last 5 minutes is collected.

≥ 0

Value type: Float

Protected domain dame

5 minutes

upstream_code_5xx

Status Code Returned by the Origin Server

(5XX)

This metric is used to collect how many requests with 5XX status code are returned by the origin server in the last 5 minutes.

Unit: Count

Collection method: The number of requests with 5XX status code returned by the origin server in the last 5 minutes is collected.

≥ 0

Value type: Float

Protected domain dame

5 minutes

upstream_code_0

No Origin Server Status Code

This metric is used to collect how many requests with no status code returned by the origin server in the last 5 minutes.

Unit: Count

Collection method: The number of requests with no status code returned by the origin server in the last 5 minutes is collected.

≥ 0

Value type: Float

Protected domain dame

5 minutes

inbound_traffic_peak

Peak Inbound Traffic

This metric is used to collect the peak inbound traffic to the domain name in the last 5 minutes.

Unit: Mbit/s

Collection method: The peak inbound traffic to the domain name in the last 5 minutes is collected.

≥0 Mbit/s

Value type: Float

Protected domain dame

5 minutes

inbound_traffic_mean

Average Inbound Traffic

This metric is used to collect the average inbound traffic to the domain name in the last 5 minutes.

Unit: Mbit/s

Collection method: The average inbound traffic to the domain name in the last 5 minutes is collected.

≥0 Mbit/s

Value type: Float

Protected domain dame

5 minutes

outbound_traffic_peak

Peak Outbound Traffic

This metric is used to collect the peak outbound traffic from the domain name in the last 5 minutes.

Unit: Mbit/s

Collection method: The peak outbound traffic from the domain name in the last 5 minutes is collected.

≥0 Mbit/s

Value type: Float

Protected domain dame

5 minutes

outbound_traffic_mean

Average Outbound Traffic

This metric is used to collect the average outbound traffic from the domain name in the last 5 minutes.

Unit: Mbit/s

Collection method: The average outbound traffic from the domain name in the last 5 minutes is collected.

≥0 Mbit/s

Value type: Float

Protected domain dame

5

attacks

Total number of attacks

This metric is used to collect the total number of attacks against the domain name in the last 5 minutes.

Unit: Count

Collection method: The system collects the number of attacks against the domain name over the last 5 minutes.

≥ 0

Value type: Float

Protected domain dame

5 minutes

crawlers

Number of crawler attacks

This metric is used to collect the crawler attacks against the domain name in the last 5 minutes.

Unit: Count

Collection method: The system collects the number of crawler attacks against the domain name in the last 5 minutes.

≥ 0

Value type: Float

Protected domain dame

5 minutes

base_protection_counts

Number of attacks blocked by basic web protection

This metric is used to collect the number of attacks defended by basic web protection rules over the last 5 minutes.

Unit: Count

Collection method: The system collects the number of attacks hit basic web protection rules over the last 5 minutes.

≥ 0

Value type: Float

Protected domain dame

5 minutes

precise_protection_counts

Precise protection times

This metric is used to collect the number of attacks defended by precise protection rules over the last 5 minutes.

Unit: Count

Collection method: The system collects the number of attacks hit precise protection rules over the last 5 minutes.

≥ 0

Value type: Float

Protected domain dame

5 minutes

cc_protection_counts

Number of CC attacks detected by WAF

This metric is used to collect the number of attacks defended by CC attack protection rules over the last 5 minutes.

Unit: Count

Collection method: The system collects the number of attacks hit CC attack protection rules over the last 5 minutes.

≥ 0

Value type: Float

Protected domain dame

5 minutes

Metrics for Dedicated WAF Instances

Table 2 Metrics for dedicated waf instances

Metric ID

Metric Name

Description

Value Range

Monitored Object

Monitoring Interval (Raw Data)

cpu_util

CPU Usage

CPU consumed by the monitored object

Unit: percentage (%)

Collection method: 100% minus idle CPU usage percentage

0% to 100%

Value type: Float

Dedicated WAF instances

1

mem_util

Memory Usage

Memory usage of the monitored object

Unit: percentage (%)

Collection method: 100% minus idle memory percentage

0% to 100%

Value type: Float

Dedicated WAF instances

1

disk_util

Disk Usage

Disk usage of the monitored object

Unit: percentage (%)

Collection method: 100% minus idle disk space percentage

0% to 100%

Value type: Float

Dedicated WAF instances

1

disk_avail_size

Available Disk Space

Available disk space of the monitored object

Unit: byte, KB, MB, GB, TB or PB

Collection mode: size of free disk space

≥ 0 bytes

Value type: Float

Dedicated WAF instances

1

disk_read_bytes_rate

Disk Read Rate

Number of bytes the monitored object reads from the disk per second

Unit: byte/s, KB/s, MB/s, or GB/s

Collection mode: number of bytes read from the disk per second

≥0 byte/s

Value type: Float

Dedicated WAF instances

1

disk_write_bytes_rate

Disk Write Rate

Number of bytes the monitored object writes into the disk per second

Unit: byte/s, KB/s, MB/s, or GB/s

Collection mode: number of bytes written into the disk per second

≥0 byte/s

Value type: Float

Dedicated WAF instances

1

disk_read_requests_rate

Disk Read Requests

Number of requests the monitored object reads from the disk per second

Unit: Requests/s

Collection mode: number of read requests processed by the disk per second

≥0 request/s

Value type: Float

Dedicated WAF instances

1

disk_write_requests_rate

Disk Write Requests

Number of requests the monitored object writes into the disk per second

Unit: Requests/s

Collection method: Number of write requests processed by the disk per second

≥0 request/s

Value type: Float

Dedicated WAF instances

1

network_incoming_bytes_rate

Incoming Traffic

Incoming traffic per second on the monitored object

Unit:

byte/s, KB/s, MB/s, or GB/s

Collection method: Incoming traffic over the NIC per second

≥0 byte/s

Value type: Float

Dedicated WAF instances

1

network_outgoing_bytes_rate

Outgoing Traffic

Outgoing traffic per second on the monitored object

Unit:

byte/s, KB/s, MB/s, or GB/s

Collection method: Outgoing traffic over the NIC per second

≥0 byte/s

Value type: Float

Dedicated WAF instances

1

network_incoming_packets_rate

Incoming Packet Rate

Incoming packets per second on the monitored object

Unit:

packet/s

Collection method: Incoming packets over the NIC per second

≥0 packet/s

Value type: Int

Dedicated WAF instances

1

network_outgoing_packets_rate

Outgoing Packet Rate

Outgoing packets per second on the monitored object

Unit:

packet/s

Collection method: Outgoing packets over the NIC per second

≥0 packet/s

Value type: Int

Dedicated WAF instances

1

concurrent_connections

Concurrent Connections

Number of concurrent connections being processed

Unit: count

Collection method: Number of concurrent connections in the system

≥0 count

Value type: Int

Dedicated WAF instances

1

active_connections

Active Connections

Number of active connections

Unit: count

Collection method: Number of active connections in the system

≥0 count

Value type: Int

Dedicated WAF instances

1

latest_policy_sync_time

Latest Rule Synchronization

Time elapsed for the WAF to synchronize the latest custom rules

Unit: ms

Collection method: Time elapsed for synchronizing to the last policies

≥0 ms

Value type: Int

Dedicated WAF instances

1

Dimensions

Key

Value

instance_id

ID of the dedicated WAF instance

waf_instance_id

ID of the website protected with WAF

Example of Raw Data Format of Monitored Metrics

[
    {
        "metric": {
             // Namespace
            "namespace": "SYS.WAF",
            "dimensions": [
                {
                    // Dimension name, for example, protected website
                    "name": "waf_instance_id",
                    // ID of the monitored object in this dimension, for example, ID of the protected website
                    "value": "082db2f542e0438aa520035b3e99cd99"
                }
            ],
           //Metric ID
            "metric_name": "waf_http_2xx"
        },
// Time to live, which is predefined for the metric
        "ttl": 172800,
         // Metric value
        "value": 0.0,
       // Metric unit
        "unit": "Count",
         // Metric value type
        "type": "float",
        // Collection time for the metric
        "collect_time": 1637677359778
    }
]