Collecting Logs from WAF
LTS can collect logs from Web Application Firewall (WAF). For details, see Enabling LTS for WAF Logging.
Structuring Template Details of WAF Access Logs
- WAF access log example
Table 1 Structuring template example

Template name: WAF access logs

Example log:

```json
{"response_code":"504","scheme":"http","upstream_addr":"100.93.2.229:80","body_bytes_sent":"163","upstream_header_time":"-","connection_requests":"1","ssl_cipher":"","hostid":"1736cc7331b74b198e2ef07555a970ce","pid":"2152","tls_version":"","http_host":"www.testh.com","process_time":"0","access_stream_id":"88003425-d7bc-46ce-8ae7-77a8aa18a814","time_iso8601":"2022-07-29T19:39:10+08:00","intel_crawler":"","upstream_status":"504","remote_ip":"10.63.46.110","request_time":"30.008","tenantid":"1d26cc8c86a840e28a4f8d0d07852f1d","sip":"10.63.46.110","bytes_send":"420","projectid":"2a473356cca5487f8373be891bffc1cf","user_agent":"curl/7.29.0","web_tag":"","method":"GET","bind_ip":"10.63.36.208","region_id":"","remote_port":"20582","ssl_ciphers_md5":"","x_real_ip":"","url":"/","x_forwarded_for":"","sni":"","args":"public/../style/general.css=true","cdn_src_ip":"","enterprise_project_id":"0","upstream_connect_time":"-","engine_id":"","request_length":"110","group_id":"5d574e6a-87da-42bc-bfd4-ff61a1b336a4","requestid":"36f0a9212b14528ffc090f1811cd87d8","ssl_curves":"","ssl_session_reused":"","waf-time":"2022-07-29T11:39:10.000Z","upstream_response_time":"30.008","time":"29/Jul/2022:19:39:10 +0800","category":"access","eng_ip":"10.63.36.208"}
```
- Structuring fields and description
Table 2 Structuring fields

| Field | Example | Description | Type |
| --- | --- | --- | --- |
| response_code | 504 | Response status code returned by the origin server to WAF | string |
| scheme | http | Protocol used in the request: http or https | string |
| upstream_addr | 100.93.2.229:80 | Address of the backend server. For example, if WAF forwards requests to an ECS, the IP address of the ECS is returned in this field. | string |
| body_bytes_sent | 163 | Total number of bytes of the response body sent to the client | string |
| upstream_header_time | - | Time until the first byte of the response header was received from the backend server | string |
| connection_requests | 1 | Number of requests made over the current connection | string |
| ssl_cipher | - | SSL cipher suite | string |
| hostid | 1736cc7331b74b198e2ef07555a970ce | Domain name identifier of the access request | string |
| pid | 2152 | Process ID | string |
| tls_version | - | Protocol version used to establish the SSL connection | string |
| http_host | www.testh.com | Domain name of the requested server | string |
| process_time | 0 | Detection duration | string |
| access_stream_id | 88003425-d7bc-46ce-8ae7-77a8aa18a814 | Log stream ID | string |
| time_iso8601 | 2022-07-29T19:39:10+08:00 | Log time in ISO 8601 format | string |
| intel_crawler | - | Web crawler identification | string |
| upstream_status | 504 | Response code of the backend server | string |
| remote_ip | 10.63.46.110 | IP address from which the client request originates | string |
| request_time | 30.008 | Request processing time | string |
| tenantid | 1d26cc8c86a840e28a4f8d0d07852f1d | Tenant ID of the protected domain name | string |
| sip | 10.63.46.110 | Client request IP address | string |
| bytes_send | 420 | Total number of bytes sent to the client | string |
| projectid | 2a473356cca5487f8373be891bffc1cf | ID of the project to which the protected domain name belongs | string |
| user_agent | curl/7.29.0 | User-Agent header of the request | string |
| web_tag | - | Website name | string |
| method | GET | Request method | string |
| bind_ip | 10.63.36.208 | WAF engine back-to-source IP address | string |
| region_id | - | Region to which the request belongs | string |
| remote_port | 20582 | Remote port | string |
| ssl_ciphers_md5 | - | MD5 digest of ssl_ciphers | string |
| x_real_ip | - | Real IP address of the client when a proxy is deployed in front of WAF | string |
| url | / | Request URL | string |
| x_forwarded_for | - | Content of the X-Forwarded-For request header | string |
| sni | - | Domain name requested through SNI | string |
| args | public/../style/general.css=true | Query parameters in the URL | string |
| cdn_src_ip | - | Client IP address identified by CDN when CDN is deployed in front of WAF | string |
| enterprise_project_id | 0 | ID of the enterprise project to which the requested domain name belongs | string |
| upstream_connect_time | - | Time taken to establish a connection with the backend server | string |
| engine_id | - | WAF engine ID | string |
| request_length | 110 | Request length | string |
| group_id | 5d574e6a-87da-42bc-bfd4-ff61a1b336a4 | LTS log group ID | string |
| requestid | 36f0a9212b14528ffc090f1811cd87d8 | Random ID | string |
| ssl_curves | - | Curve group list supported by the client | string |
| ssl_session_reused | - | Whether the SSL session was reused | string |
| waf-time | 2022-07-29T11:39:10.000Z | WAF log time | string |
| upstream_response_time | 30.008 | Backend server response time | string |
| time | 29/Jul/2022:19:39:10 +0800 | Time when the access request was received | string |
| waf_category | access | WAF log type | string |
| eng_ip | 10.63.36.208 | IP address of the WAF engine | string |
Structuring Template Details of WAF Attack Logs
- WAF attack log example
Table 3 Structuring template example

Template name: WAF attack logs

Example log:

```json
{"policy_id":"cd081ba3d6674000acc37d7e2a4b9140","hport":"80","body_bytes_sent":"163","hostid":"1736cc7331b74b198e2ef07555a970ce","rule":"040002","engine_ip":"10.63.36.208","pid":"2152","http_host":"www.testh.com","process_time":"1","reqid":"0000-0000-0000-20820220729193940-f34cf25e","time_iso8601":"2022-07-29T19:39:40+08:00","upstream_status":"504","hit_data":"public/../style/general.css","attack_stream_id":"98de5d5a-9f54-4d01-9882-eca7bec99d09","remote_ip":"10.63.46.110","attack":"lfi","tenantid":"1d26cc8c86a840e28a4f8d0d07852f1d","host":"www.testh.com","action":"log","backend":{"protocol":"HTTP","alive":true,"port":80,"host":"100.93.2.229","weight":1,"type":"ip"},"id":"04-0000-0000-0000-20820220729193940-f34cf25e","sip":"10.63.46.110","projectid":"2a473356cca5487f8373be891bffc1cf","web_tag":"","attack-time":"2022-07-29T11:39:40.000Z","method":"GET","cookie":"{\"HWWAFSESTIME\":\"1659094780939\",\"HWWAFSESID\":\"e2cd0733b4712e4cc4\"}","level":2,"params":"{\"public\/..\/style\/general.css\":\"true\"}","x_real_ip":"","uri":"/","x_forwarded_for":"","cdn_src_ip":"","enterprise_project_id":"0","req_body":"","engine_id":"","group_id":"5d574e6a-87da-42bc-bfd4-ff61a1b336a4","requestid":"f34cf25eb33ed82cd7261a8276a60c39","multipart":"null","header":"{\"host\":\"www.testh.com\",\"user-agent\":\"curl\/7.29.0\",\"accept\":\"*\/*\"}","location":"params","upstream_response_time":"30.000","time":"2022-07-29 19:39:40","category":"attack","sport":28408,"status":"504"}
```
- Structuring fields and description
Table 4 Structuring fields

| Field | Example | Description | Type |
| --- | --- | --- | --- |
| policy_id | cd081ba3d6674000acc37d7e2a4b9140 | Policy ID | string |
| hport | 80 | Port of the requested server | string |
| body_bytes_sent | 163 | Total number of bytes of the response body sent to the client | string |
| hostid | 1736cc7331b74b198e2ef07555a970ce | Protected domain name ID (upstream_id) | string |
| rule | 040002 | ID of the triggered rule, or the description of the custom policy type | string |
| engine_ip | 10.63.36.208 | IP address of the WAF engine | string |
| pid | 2152 | Process ID | string |
| http_host | www.testh.com | Domain name of the requested server | string |
| process_time | 1 | Detection duration | string |
| reqid | 0000-0000-0000-20820220729193940-f34cf25e | Random ID | string |
| time_iso8601 | 2022-07-29T19:39:40+08:00 | Log time in ISO 8601 format | string |
| upstream_status | 504 | Response code of the backend server | string |
| hit_data | public/../style/general.css | String that triggered the detection (the malicious payload) | string |
| attack_stream_id | 98de5d5a-9f54-4d01-9882-eca7bec99d09 | Log stream ID | string |
| remote_ip | 10.63.46.110 | IP address from which the client request originates | string |
| attack | lfi | Attack type. This field is listed in attack logs only. See the list of values after this table. | string |
| tenantid | 1d26cc8c86a840e28a4f8d0d07852f1d | Tenant ID of the protected domain name | string |
| host | www.testh.com | Domain name of the requested server | string |
| action | log | WAF defense action: block (attack blocked), log (attack logged), or captcha (human-machine verification) | string |
| backend.protocol | HTTP | Current backend protocol | string |
| backend.alive | true | Current backend status | string |
| backend.port | 80 | Current backend port | long |
| backend.host | 100.93.2.229 | Current backend host value | string |
| backend.weight | 1 | Current backend weight | long |
| backend.type | ip | Current backend host type | string |
| id | 04-0000-0000-0000-20820220729193940-f34cf25e | Request ID | string |
| sip | 10.63.46.110 | IP address from which the client request originates | string |
| projectid | 2a473356cca5487f8373be891bffc1cf | ID of the project to which the protected domain name belongs | string |
| web_tag | - | Website name | string |
| attack-time | 2022-07-29T11:39:40.000Z | Attack time | string |
| method | GET | Request method | string |
| cookie | {"HWWAFSESTIME":"1659094780939","HWWAFSESID":"e2cd0733b4712e4cc4"} | Cookie | string |
| level | 2 | Protection level of the built-in rule in basic web protection: 1 (low), 2 (medium), or 3 (high) | long |
| params | {"public\/..\/style\/general.css":"true"} | Parameters following the request URI | string |
| x_real_ip | - | Real IP address of the client when a proxy is deployed in front of WAF | string |
| uri | / | Request URI | string |
| x_forwarded_for | - | Content of the X-Forwarded-For request header | string |
| cdn_src_ip | - | Client IP address identified by CDN when CDN is deployed in front of WAF | string |
| enterprise_project_id | 0 | ID of the enterprise project to which the requested domain name belongs | string |
| req_body | - | Request body | string |
| engine_id | - | WAF engine ID | string |
| group_id | 5d574e6a-87da-42bc-bfd4-ff61a1b336a4 | LTS log group ID | string |
| requestid | f34cf25eb33ed82cd7261a8276a60c39 | Random ID | string |
| multipart | null | Multipart content of the request | string |
| header | {"host":"www.testh.com","user-agent":"curl\/7.29.0","accept":"*\/*"} | Request header | string |
| location | params | Location in the request where the malicious payload was found | string |
| upstream_response_time | 30.000 | Backend server response time | string |
| time | 2022-07-29 19:39:40 | Log time | string |
| waf_category | attack | WAF log type | string |
| sport | 28408 | Client request port | long |
| status | 504 | Response status code | string |

Values of the attack field:

- default: default attacks
- sqli: SQL injections
- xss: cross-site scripting (XSS) attacks
- webshell: web shells
- robot: malicious crawlers
- cmdi: command injections
- rfi: remote file inclusion attacks
- lfi: local file inclusion attacks
- illegal: unauthorized requests
- vuln: exploits
- cc: attacks that hit the CC protection rules
- custom_custom: attacks that hit a precise protection rule
- custom_whiteip: attacks that hit an IP address blacklist or whitelist rule
- custom_geoip: attacks that hit a geolocation access control rule
- antitamper: attacks that hit a web tamper protection rule
- anticrawler: attacks that hit the JS challenge anti-crawler rule
- leakage: vulnerabilities that hit an information leakage prevention rule
- followed_action: known attack source rule. For details, see Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration.
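As an added example (not part of the LTS documentation or any WAF/LTS code), the parser below turns one access or attack record of the format described in Tables 2 and 4 into the structured field set: it flattens the nested `backend` object into `backend.*` keys, decodes the `cookie`, `params` and `header` fields, which carry JSON text inside a JSON string, and then picks out attack records whose action was `log` rather than `block`. The sample records are constructed, abbreviated from the page's example logs, and the code keys on `category` because that is the name the example logs carry, although the tables list the type field as `waf_category`.

```python
import json

# Constructed samples, abbreviated from the page's example logs (not full records).
ATTACK_LOG = (
    r'{"rule":"040002","hit_data":"public/../style/general.css","attack":"lfi",'
    r'"action":"log","backend":{"protocol":"HTTP","alive":true,"port":80,'
    r'"host":"100.93.2.229","weight":1,"type":"ip"},"method":"GET","host":"www.testh.com",'
    r'"level":2,"params":"{\"public\/..\/style\/general.css\":\"true\"}",'
    r'"header":"{\"host\":\"www.testh.com\",\"user-agent\":\"curl\/7.29.0\",\"accept\":\"*\/*\"}",'
    r'"location":"params","category":"attack","sport":28408,"status":"504","sip":"10.63.46.110"}'
)
ACCESS_LOG = (
    r'{"response_code":"504","method":"GET","http_host":"www.testh.com","url":"/",'
    r'"args":"public/../style/general.css=true","sip":"10.63.46.110","category":"access"}'
)

# These attack-log fields hold JSON text inside a JSON string and need a second decode.
NESTED_JSON_FIELDS = ("cookie", "params", "header")


def flatten(obj: dict, prefix: str = "") -> dict:
    """Flatten nested objects into dotted keys, e.g. backend -> backend.port."""
    out = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = value
    return out


def parse_waf_log(line: str) -> dict:
    """Parse one access or attack record into the structured field set."""
    fields = flatten(json.loads(line))
    for name in NESTED_JSON_FIELDS:
        raw = fields.get(name)
        if isinstance(raw, str) and raw.startswith("{"):
            try:
                fields[name] = json.loads(raw)  # JSON-encoded string -> dict
            except json.JSONDecodeError:
                pass  # keep the raw string if the inner value is not valid JSON
    return fields


def logged_only_attacks(lines):
    """Yield a one-line summary for attack records that WAF logged but did not block."""
    for line in lines:
        f = parse_waf_log(line)
        if f.get("category") != "attack" or f.get("action") != "log":
            continue
        yield (f"{f['sip']}:{f['sport']} {f['method']} {f['host']} attack={f['attack']} "
               f"rule={f['rule']} level={f['level']} at {f['location']}: {f['hit_data']}")
```

Note that `level` and `sport` arrive as JSON numbers (type long in Table 4) while `status`, `hport` and most other fields are strings, so comparisons in downstream queries need to match the type.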