Updated on 2024-03-22 GMT+08:00

Collecting Logs from WAF

LTS can collect logs from Web Application Firewall (WAF). For details, see Enabling LTS for WAF Logging.

Structuring Template Details of WAF Access Logs

  • WAF access log example
    Table 1 Structuring template example

    Template Name: WAF access logs

    Example Log:
    {"response_code":"504","scheme":"http","upstream_addr":"100.93.2.229:80","body_bytes_sent":"163","upstream_header_time":"-","connection_requests":"1","ssl_cipher":"","hostid":"1736cc7331b74b198e2ef07555a970ce","pid":"2152","tls_version":"","http_host":"www.testh.com","process_time":"0","access_stream_id":"88003425-d7bc-46ce-8ae7-77a8aa18a814","time_iso8601":"2022-07-29T19:39:10+08:00","intel_crawler":"","upstream_status":"504","remote_ip":"10.63.46.110","request_time":"30.008","tenantid":"1d26cc8c86a840e28a4f8d0d07852f1d","sip":"10.63.46.110","bytes_send":"420","projectid":"2a473356cca5487f8373be891bffc1cf","user_agent":"curl/7.29.0","web_tag":"","method":"GET","bind_ip":"10.63.36.208","region_id":"","remote_port":"20582","ssl_ciphers_md5":"","x_real_ip":"","url":"/","x_forwarded_for":"","sni":"","args":"public/../style/general.css=true","cdn_src_ip":"","enterprise_project_id":"0","upstream_connect_time":"-","engine_id":"","request_length":"110","group_id":"5d574e6a-87da-42bc-bfd4-ff61a1b336a4","requestid":"36f0a9212b14528ffc090f1811cd87d8","ssl_curves":"","ssl_session_reused":"","waf-time":"2022-07-29T11:39:10.000Z","upstream_response_time":"30.008","time":"29/Jul/2022:19:39:10 +0800","category":"access","eng_ip":"10.63.36.208"}
  • Structuring fields and description
    Table 2 Structuring fields

    | Field | Example | Description | Type |
    |---|---|---|---|
    | response_code | 504 | Response status code returned by the origin server to WAF | string |
    | scheme | http | Protocol used in the request: http or https | string |
    | upstream_addr | 100.93.2.229:80 | Address of the backend server. For example, if WAF forwards requests to an ECS, the IP address of the ECS is returned in this field. | string |
    | body_bytes_sent | 163 | Total number of bytes of the response body sent to the client | string |
    | upstream_header_time | - | Time used by the backend server to receive the first byte of the response header | string |
    | connection_requests | 1 | Connection request | string |
    | ssl_cipher | - | SSL cipher | string |
    | hostid | 1736cc7331b74b198e2ef07555a970ce | Domain name identifier of the access request | string |
    | pid | 2152 | Process ID | string |
    | tls_version | - | Protocol version for establishing an SSL connection | string |
    | http_host | www.testh.com | Domain name of the requested server | string |
    | process_time | 0 | Detection duration | string |
    | access_stream_id | 88003425-d7bc-46ce-8ae7-77a8aa18a814 | Log stream ID | string |
    | time_iso8601 | 2022-07-29T19:39:10+08:00 | Log time in ISO 8601 format | string |
    | intel_crawler | - | Web crawlers | string |
    | upstream_status | 504 | Response code of the backend server | string |
    | remote_ip | 10.63.46.110 | IP address from which a client request originates | string |
    | request_time | 30.008 | Request processing time | string |
    | tenantid | 1d26cc8c86a840e28a4f8d0d07852f1d | Tenant ID of the protected domain name | string |
    | sip | 10.63.46.110 | Client request IP address | string |
    | bytes_send | 420 | Total number of bytes sent to the client | string |
    | projectid | 2a473356cca5487f8373be891bffc1cf | ID of the project the protected domain name belongs to | string |
    | user_agent | curl/7.29.0 | User-Agent in the request header | string |
    | web_tag | - | Website name | string |
    | method | GET | Request method | string |
    | bind_ip | 10.63.36.208 | WAF engine back-to-source IP address | string |
    | region_id | - | Region to which the request belongs | string |
    | remote_port | 20582 | Remote port | string |
    | ssl_ciphers_md5 | - | MD5 value of ssl_ciphers | string |
    | x_real_ip | - | Real IP address of the client when a proxy is deployed in front of WAF | string |
    | url | / | Request URL | string |
    | x_forwarded_for | - | Content of x_forwarded_for in the request header | string |
    | sni | - | Domain name requested through SNI | string |
    | args | public/../style/general.css=true | Parameter data in the URL | string |
    | cdn_src_ip | - | Client IP address identified by CDN when CDN is deployed in front of WAF | string |
    | enterprise_project_id | 0 | ID of the enterprise project to which the requested domain name belongs | string |
    | upstream_connect_time | - | Time elapsed for origin servers to connect to backend servers | string |
    | engine_id | - | WAF engine ID | string |
    | request_length | 110 | Request length | string |
    | group_id | 5d574e6a-87da-42bc-bfd4-ff61a1b336a4 | LTS log group ID | string |
    | requestid | 36f0a9212b14528ffc090f1811cd87d8 | Random ID | string |
    | ssl_curves | - | Curve group list supported by the client | string |
    | ssl_session_reused | - | SSL session reuse | string |
    | waf-time | 2022-07-29T11:39:10.000Z | WAF log time | string |
    | upstream_response_time | 30.008 | Backend server response time | string |
    | time | 29/Jul/2022:19:39:10 +0800 | Time when an access request was received | string |
    | waf_category | access | WAF log type | string |
    | eng_ip | 10.63.36.208 | IP address of the WAF engine | string |

Structuring Template Details of WAF Attack Logs

  • WAF attack log example
    Table 3 Structuring template example

    Template Name: WAF attack logs

    Example Log:
    {"policy_id":"cd081ba3d6674000acc37d7e2a4b9140","hport":"80","body_bytes_sent":"163","hostid":"1736cc7331b74b198e2ef07555a970ce","rule":"040002","engine_ip":"10.63.36.208","pid":"2152","http_host":"www.testh.com","process_time":"1","reqid":"0000-0000-0000-20820220729193940-f34cf25e","time_iso8601":"2022-07-29T19:39:40+08:00","upstream_status":"504","hit_data":"public/../style/general.css","attack_stream_id":"98de5d5a-9f54-4d01-9882-eca7bec99d09","remote_ip":"10.63.46.110","attack":"lfi","tenantid":"1d26cc8c86a840e28a4f8d0d07852f1d","host":"www.testh.com","action":"log","backend":{"protocol":"HTTP","alive":true,"port":80,"host":"100.93.2.229","weight":1,"type":"ip"},"id":"04-0000-0000-0000-20820220729193940-f34cf25e","sip":"10.63.46.110","projectid":"2a473356cca5487f8373be891bffc1cf","web_tag":"","attack-time":"2022-07-29T11:39:40.000Z","method":"GET","cookie":"{\"HWWAFSESTIME\":\"1659094780939\",\"HWWAFSESID\":\"e2cd0733b4712e4cc4\"}","level":2,"params":"{\"public\/..\/style\/general.css\":\"true\"}","x_real_ip":"","uri":"/","x_forwarded_for":"","cdn_src_ip":"","enterprise_project_id":"0","req_body":"","engine_id":"","group_id":"5d574e6a-87da-42bc-bfd4-ff61a1b336a4","requestid":"f34cf25eb33ed82cd7261a8276a60c39","multipart":"null","header":"{\"host\":\"www.testh.com\",\"user-agent\":\"curl\/7.29.0\",\"accept\":\"*\/*\"}","location":"params","upstream_response_time":"30.000","time":"2022-07-29 19:39:40","category":"attack","sport":28408,"status":"504"}
  • Structuring fields and description
    Table 4 Structuring fields

    | Field | Example | Description | Type |
    |---|---|---|---|
    | policy_id | cd081ba3d6674000acc37d7e2a4b9140 | Policy ID | string |
    | hport | 80 | Port of the requested server | string |
    | body_bytes_sent | 163 | Total number of bytes of the response body sent to the client | string |
    | hostid | 1736cc7331b74b198e2ef07555a970ce | Protected domain name ID (upstream_id) | string |
    | rule | 040002 | ID of the triggered rule or the description of the custom policy type | string |
    | engine_ip | 10.63.36.208 | IP address of the engine | string |
    | pid | 2152 | Process ID | string |
    | http_host | www.testh.com | Domain name of the requested server | string |
    | process_time | 1 | Detection duration | string |
    | reqid | 0000-0000-0000-20820220729193940-f34cf25e | Random ID | string |
    | time_iso8601 | 2022-07-29T19:39:40+08:00 | Log time in ISO 8601 format | string |
    | upstream_status | 504 | Response code of the backend server | string |
    | hit_data | public/../style/general.css | String that triggered the rule (the malicious payload) | string |
    | attack_stream_id | 98de5d5a-9f54-4d01-9882-eca7bec99d09 | Log stream ID | string |
    | remote_ip | 10.63.46.110 | IP address from which a client request originates | string |
    | attack | lfi | Attack type. This field is listed in attack logs only. See the list of values below this table. | string |
    | tenantid | 1d26cc8c86a840e28a4f8d0d07852f1d | Tenant ID of the protected domain name | string |
    | host | www.testh.com | Domain name of the requested server | string |
    | action | log | WAF defense action: block (attack blocked), log (attack logged), or captcha (human-machine verification) | string |
    | backend.protocol | HTTP | Current backend protocol | string |
    | backend.alive | true | Current backend status | string |
    | backend.port | 80 | Current backend port | long |
    | backend.host | 100.93.2.229 | Current backend host value | string |
    | backend.weight | 1 | Current backend weight | long |
    | backend.type | ip | Current backend host type | string |
    | id | 04-0000-0000-0000-20820220729193940-f34cf25e | Request ID | string |
    | sip | 10.63.46.110 | IP address from which a client request originates | string |
    | projectid | 2a473356cca5487f8373be891bffc1cf | ID of the project the protected domain name belongs to | string |
    | web_tag | - | Website name | string |
    | attack-time | 2022-07-29T11:39:40.000Z | Attack time | string |
    | method | GET | Request method | string |
    | cookie | {"HWWAFSESTIME":"1659094780939","HWWAFSESID":"e2cd0733b4712e4cc4"} | Cookie (a JSON object encoded as a string, as in the example log) | string |
    | level | 2 | Protection level of a built-in rule in basic web protection: 1 (low), 2 (medium), or 3 (high) | long |
    | params | {"public\/..\/style\/general.css":"true"} | Params value following the request URI (a JSON object encoded as a string, as in the example log) | string |
    | x_real_ip | - | Real IP address of the client when a proxy is deployed in front of WAF | string |
    | uri | / | Request URI | string |
    | x_forwarded_for | - | Content of x_forwarded_for in the request header | string |
    | cdn_src_ip | - | Client IP address identified by CDN when CDN is deployed in front of WAF | string |
    | enterprise_project_id | 0 | ID of the enterprise project to which the requested domain name belongs | string |
    | req_body | - | Request body | string |
    | engine_id | - | WAF engine ID | string |
    | group_id | 5d574e6a-87da-42bc-bfd4-ff61a1b336a4 | LTS log group ID | string |
    | requestid | f34cf25eb33ed82cd7261a8276a60c39 | Random ID | string |
    | multipart | null | multipart | string |
    | header | {"host":"www.testh.com","user-agent":"curl\/7.29.0","accept":"*\/*"} | Request header (a JSON object encoded as a string, as in the example log) | string |
    | location | params | Request location where the malicious payload was found | string |
    | upstream_response_time | 30.000 | Backend server response time | string |
    | time | 2022-07-29 19:39:40 | Log time | string |
    | waf_category | attack | WAF log type | string |
    | sport | 28408 | Client request port | long |
    | status | 504 | Response status code | string |

    Values of the attack field:

    • default: default attacks
    • sqli: SQL injections
    • xss: cross-site scripting (XSS) attacks
    • webshell: web shells
    • robot: malicious crawlers
    • cmdi: command injections
    • rfi: remote file inclusion attacks
    • lfi: local file inclusion attacks
    • illegal: unauthorized requests
    • vuln: exploits
    • cc: attacks that hit the CC protection rules
    • custom_custom: attacks that hit a precise protection rule
    • custom_whiteip: attacks that hit an IP address blacklist or whitelist rule
    • custom_geoip: attacks that hit a geolocation access control rule
    • antitamper: attacks that hit a web tamper protection rule
    • anticrawler: attacks that hit the JS challenge anti-crawler rule
    • leakage: vulnerabilities that hit an information leakage prevention rule
    • followed_action: known attack source rule. For details, see Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration.
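As an added example (not LTS's or WAF's own code), the following Python normalizes both log types using the field names from Table 2 and Table 4: it turns the "-" / "" / "null" markers into None, decodes the JSON-encoded-as-string params, header and cookie fields of attack logs, converts the string-typed timing fields to floats, and runs a small triage over records trimmed from the page's own example logs. The 30-second origin-timeout threshold, the traversal check and the client-IP precedence are assumptions of this example, not documented WAF behaviour.

```python
import json

# Two records trimmed from the example logs above (the page's own sample values).
ACCESS_LOG = '{"response_code":"504","upstream_status":"504","remote_ip":"10.63.46.110","x_real_ip":"","cdn_src_ip":"","request_time":"30.008","upstream_response_time":"30.008","upstream_header_time":"-","http_host":"www.testh.com","url":"/","args":"public/../style/general.css=true","method":"GET","category":"access"}'
ATTACK_LOG = r'{"attack":"lfi","action":"log","rule":"040002","level":2,"location":"params","hit_data":"public/../style/general.css","remote_ip":"10.63.46.110","x_real_ip":"","cdn_src_ip":"","params":"{\"public\/..\/style\/general.css\":\"true\"}","header":"{\"host\":\"www.testh.com\",\"user-agent\":\"curl\/7.29.0\",\"accept\":\"*\/*\"}","backend":{"protocol":"HTTP","alive":true,"port":80,"host":"100.93.2.229","weight":1,"type":"ip"},"multipart":"null","category":"attack","sport":28408,"status":"504"}'

EMBEDDED_JSON = ("params", "header", "cookie")      # attack logs carry these as JSON inside a string
TIMINGS = ("request_time", "upstream_response_time", "upstream_header_time",
           "upstream_connect_time", "process_time")  # seconds, but typed as strings in the log

def normalize(raw: str) -> dict:
    """Parse one WAF log line and flatten the quirks documented in the tables above."""
    rec = json.loads(raw)
    for key, val in list(rec.items()):
        if val in ("", "-", "null"):   # WAF's "no value" markers
            rec[key] = None
    for key in EMBEDDED_JSON:
        if isinstance(rec.get(key), str):
            rec[key] = json.loads(rec[key])
    for key in TIMINGS:
        if rec.get(key) is not None:
            rec[key] = float(rec[key])
    return rec

def client_ip(rec: dict) -> str:
    """CDN- or proxy-reported address first, socket peer (remote_ip) as fallback.
    Assumption: only trust the header-derived fields when a CDN/proxy you control fronts WAF."""
    return rec.get("cdn_src_ip") or rec.get("x_real_ip") or rec["remote_ip"]

def triage(rec: dict) -> list:
    """Findings for one record; the thresholds are this example's assumptions, not WAF's."""
    findings = []
    if rec.get("category") == "access":
        if rec.get("upstream_status") == "504" and (rec.get("upstream_response_time") or 0) >= 30:
            findings.append("origin timeout")
        if ".." in (rec.get("args") or "") or ".." in (rec.get("url") or ""):
            findings.append("path traversal pattern in request")
    elif rec.get("category") == "attack":
        verdict = "blocked" if rec.get("action") == "block" else "not blocked"
        findings.append(f"{rec['attack']} via {rec['location']} rule {rec['rule']} level {rec['level']}: {verdict}")
    return findings

if __name__ == "__main__":
    for raw in (ACCESS_LOG, ATTACK_LOG):
        rec = normalize(raw)
        print(rec["category"], client_ip(rec), triage(rec))
```

An attack record whose action is log rather than block is worth surfacing in a rule review, since the request reached the origin.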