Help Center> Web Application Firewall> User Guide> Events> Enabling LTS for WAF Logging

Updated on 2024-04-17 GMT+08:00

View PDF

Enabling LTS for WAF Logging

After you authorize WAF to access Log Tank Service (LTS), you can use the WAF logs recorded by LTS for quick and efficient real-time analysis, device O&M management, and analysis of service trends.

LTS analyzes and processes a large number of logs. It enables you to process logs in real-time, efficiently, and securely. Logs can be stored in LTS for seven days by default but you can configure LTS for up to 30 days if needed. Logs earlier than 30 days are automatically deleted. However, you can configure LTS to dump those logs to an Object Storage Service (OBS) bucket or enable Data Ingestion Service (DIS) for long-term storage.

On the WAF console, you can view logs for the last 30 days and download logs for all protected websites for the last five days.
LTS is billed by traffic and is billed separately from WAF. For details about LTS pricing, see LTS Pricing Details.
If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure WAF logging.

Prerequisites

You have purchased a WAF instance.
The website to be protected has been added to WAF.

Impact on the System

Enabling LTS for WAF does not affect WAF performance.

Enabling LTS for WAF Protection Event Logging

Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
In the navigation pane on the left, choose Events.

Click the Log Settings tab, enable LTS (

), and select a log group and log stream. Table 1 describes the parameters.

Figure 1 Log settings

**Table 1** Log configuration
Parameter	Description	Example Value
Log Group	Select a log group or click View Log Group to go to the LTS console and create a log group.	lts-group-waf
Attack Log	Select a log stream or click View Log Stream to go to the LTS console and create a log stream. An attack log includes information about event type, protective action, and attack source IP address of each attack.	lts-topic-waf-attack
Access Log	Select a log stream or click View Log Stream to go to the LTS console and create a log stream. An access log includes key information about access time, client IP address, and resource URL of each HTTP access requests.	lts-topic-waf-access

Click OK.
You can view WAF protection event logs on the LTS console.

Viewing WAF Protection Event Logs on LTS

After enabling LTS, perform the following steps to view and analyze WAF logs on the LTS console.

Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
Click in the upper left corner of the page and choose Management & Deployment > Log Tank Service.
In the log group list, click to expand the WAF log group (for example, lts-group-waf).
View protection event logs.
- View attack logs.
  1. In the log stream list, click the name of the configured attack log stream.
    Figure 2 Log stream name configured for attack logs
  2. View attack logs.
    Figure 3 Viewing attack logs
- View access logs.
  1. In the log stream list, click the name of the configured access log stream.
    Figure 4 Log stream name configured for access logs
  2. View access logs.
    Figure 5 Viewing access logs

WAF access_log Field

Field	Type	Field Description	Description
access_log.requestid	string	Random ID	The value is the same as the last eight characters of the req_id field in the attack log.
access_log.time	string	Access time	GMT time a log is generated.
access_log.connection_requests	string	Sequence number of the request over the connection	-
access_log.eng_ip	string	IP address of the WAF engine	-
access_log.pid	string	The engine that processes the request	Engine (worker PID).
access_log.hostid	string	Domain name identifier of the access request.	Protected domain name ID (upstream_id).
access_log.tenantid	string	Account ID	ID of your account.
access_log.projectid	string	ID of the project the protected domain name belongs to	Project ID of a user in a specific region.
access_log.remote_ip	string	Remote IP address of the request at layer 4	IP address from which a client request originates. NOTICE: If a layer-7 proxy is deployed in front of WAF, this field indicates the IP address of the proxy node closest to WAF. The real IP address of the visitor is specified by the x-forwarded-for and x_real_ip fields.
access_log.remote_port	string	Remote port of the request at layer 4	Port used by the IP address from which a client request originates
access_log.sip	string	IP address of the client that sends the request	For example, XFF.
access_log.scheme	string	Request protocol	Protocols that can be used in the request: HTTP HTTPS
access_log.response_code	string	Response code	Response status code returned by the origin server to WAF.
access_log.method	string	Request method.	Request type in a request line. Generally, the value is GET or POST.
access_log.http_host	string	Domain name of the requested server.	Address, domain name, or IP address entered in the address bar of a browser.
access_log.url	string	Request URL.	Path in a URL (excluding the domain name).
access_log.request_length	string	Request length.	The request length includes the access request address, HTTP request header, and number of bytes in the request body.
access_log.bytes_send	string	Total number of bytes sent to the client.	Number of bytes sent by WAF to the client.
access_log.body_bytes_sent	string	Total number of bytes of the response body sent to the client	Number of bytes of the response body sent by WAF to the client
access_log.upstream_addr	string	Address of the backend server.	IP address of the origin server for which a request is destined. For example, if WAF forwards requests to an ECS, the IP address of the ECS is returned to this parameter.
access_log.request_time	string	Request processing time	Processing time starts when the first byte of the client is read (unit: s).
access_log.upstream_response_time	string	Backend server response time	Time the backend server responds to the WAF request (unit: s).
access_log.upstream_status	string	Backend server response code	Response status code returned by the backend server to WAF.
access_log.upstream_connect_time	string	Time for the origin server to establish a connection to its backend services. Unit: second.	When SSL is used, the time for the handshake process is also recorded. Time used for establishing a connection for a request. Use commas (,) to separate the time used for each request.
access_log.upstream_header_time	string	Time used by the backend server to receive the first byte of the response header. Unit: second	Response time for multiple requests. Use commas (,) to separate the time used for each response.
access_log.bind_ip	string	WAF engine back-to-source IP address.	Back-to-source IP address used by the WAF engine.
access_log.group_id	string	LTS log group ID	ID of the log group for interconnecting WAF with LTS.
access_log.access_stream_id	string	Log stream ID.	ID of access_stream of the user in the log group identified by the group_id field.
access_log.engine_id	string	WAF engine ID	Unique ID of the WAF engine.
access_log.time_iso8601	string	ISO 8601 time format of logs.	-
access_log.sni	string	Domain name requested through SNI.	-
access_log.tls_version	string	Protocol versioning an SSL connection.	TLS version used in the request.
access_log.ssl_curves	string	Curve group list supported by the client.	-
access_log.ssl_session_reused	string	SSL session reuse	Whether the SSL session can be reused r: Yes .: No
access_log.process_time	string	Engine attack detection duration (unit: ms)	-
access_log.args	string	The parameter data in the URL	-
access_log.x_forwarded_for	string	IP address chain for a proxy when the proxy is deployed in front of WAF.	The sting includes one or more IP addresses. The leftmost IP address is the originating IP address of the client. Each time the proxy server receives a request, it adds the source IP address of the request to the right of the originating IP address.
access_log.cdn_src_ip	string	Client IP address identified by CDN when CDN is deployed in front of WAF	This field specifies the real IP address of the client if CDN is deployed in front of WAF. NOTICE: Some CDN vendors may use other fields. WAF records only the most common fields.
access_log.x_real_ip	string	Real IP address of the client when a proxy is deployed in front of WAF.	Real IP address of the client, which is identified by the proxy.
access_log.intel_crawler	string	Used for intelligence anti-crawler analysis.	-
access_log.ssl_ciphers_md5	string	MD5 value of the SSL cipher (ssl_ciphers).	-
access_log.ssl_cipher	string	SSL cipher used.	-
access_log.web_tag	string	Website name.	-
access_log.user_agent	string	User agent in the request header.	-
access_log.upstream_response_length	string	Backend server response size.	-
access_log.region_id	string	Region where the request is received.	-
access_log.enterprise_project_id	string	ID of the enterprise project that the requested domain name belongs to.	-
access_log.referer	string	Referer content in the request header.	The value can contain a maximum of 128 characters. Characters over 128 characters will be truncated.
access_log.rule	string	Protection rule that the request matched.	If multiple rules are matched, only one rule is displayed.

WAF attack_log field description

Field	Type	Field Description	Description
attack_log.category	string	Log category	The value is attack.
attack_log.time	string	Log time	-
attack_log.time_iso8601	string	ISO 8601 time format of logs.	-
attack_log.policy_id	string	Policy ID	-
attack_log.level	string	Protection level	Protection level of a built-in rule in basic web protection 1: Low 2: Medium 3: High
attack_log.attack	string	Type of attack	Attack type. This parameter is listed in attack logs only. default: default attacks sqli: SQL injections xss: cross-site scripting (XSS) attacks webshell: web shells robot: malicious crawlers cmdi: command injections rfi: remote file inclusion attacks lfi: local file inclusion attacks illegal: unauthorized requests vuln: exploits cc: attacks that hit the CC protection rules custom_custom: attacks that hit a precise protection rule custom_whiteblackip: attacks that hit an IP address blacklist or whitelist rule custom_geoip: attacks that hit a geolocation access control rule antitamper: attacks that hit a web tamper protection rule anticrawler: attacks that hit the JS challenge anti-crawler rule leakage: vulnerabilities that hit an information leakage prevention rule antiscan_high_freq_scan: Attacks that hit malicious scanning rules. followed_action: The source is marked as a known attack source. For details, see Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration.
attack_log.action	string	Protective action	WAF defense action. block: WAF blocks attacks. log: WAF only logs detected attacks. captcha: Verification code
attack_log.sub_type	string	Crawler types	When attack is set to robot, this parameter cannot be left blank. script_tool: Script tools search_engine: Search engines scanner: Scanning tools uncategorized: Other crawlers
attack_log.rule	string	ID of the triggered rule or the description of the custom policy type.	-
attack_log.rule_name	string	Description of a custom rule type.	This field is empty when a basic protection rule is matched.
attack_log.location	string	Location triggering the malicious load	-
attack_log.req_body	sting	Request body.	-
attack_log.resp_headers	string	Response header	-
attack_log.hit_data	string	String triggering the malicious load	-
attack_log.resp_body	string	Response body	-
attack_log.backend.protocol	string	Backend protocol.	-
attack_log.backend.alive	string	Backend server status.	-
attack_log.backend.port	string	Backend server port.	-
attack_log.backend.host	string	Backend server host value.	-
attack_log.backend.type	string	Backend server type.	IP address or domain name.
attack_log.backend.weight	number	Backend server weight.	-
attack_log.status	string	Response status code	-
attack_log.upstream_status	string	Origin server response code.	-
attack_log.reqid	string	Random ID	The value consists of the engine IP address suffix, request timestamp, and request ID allocated by Nginx.
attack_log.requestid	string	Unique ID of the request.	Request ID allocated by Nginx.
attack_log.id	string	Attack ID	ID of the attack
attack_log.method	string	Request method	-
attack_log.sip	string	Client request IP address	-
attack_log.sport	string	Client request port	-
attack_log.host	string	Requested domain name	-
attack_log.http_host	string	Domain name of the requested server.	-
attack_log.hport	string	Port of the requested server.	-
attack_log.uri	string	Request URL.	The domain is excluded.
attack_log.header	A JSON string. A JSON table is obtained after the string is decoded.	Request header	-
attack_log.mutipart	A JSON string. A JSON table is obtained after the string is decoded.	Request multipart header	This parameter is used to upload files.
attack_log.cookie	A JSON string. A JSON table is obtained after the string is decoded.	Cookie of the request	-
attack_log.params	A JSON string. A JSON table is obtained after the string is decoded.	Params value following the request URI.	-
attack_log.body_bytes_sent	string	Total number of bytes of the response body sent to the client.	Total number of bytes of the response body sent by WAF to the client.
attack_log.upstream_response_time	string	Time elapsed since the backend server received the response content from the upstream service. Unit: second.	Response time for multiple requests. Use commas (,) to separate the time used for each response.
attack_log.engine_id	string	Unique ID of the engine	-
attack_log.region_id	string	ID of the region where the engine is located.	-
attack_log.engine_ip	string	Engine IP address.	-
attack_log.process_time	string	Detection duration	-
attack_log.remote_ip	string	Layer-4 IP address of the client that sends the request.	-
attack_log.x_forwarded_for	string	Content of X-Forwarded-For in the request header.	-
attack_log.cdn_src_ip	string	Content of Cdn-Src-Ip in the request header.	-
attack_log.x_real_ip	string	Content of X-Real-IP in the request header.	-
attack_log.group_id	string	Log group ID	LTS log group ID
attack_log.attack_stream_id	string	Log stream ID	ID of access_stream of the user in the log group identified by the group_id field.
attack_log.hostid	string	Protected domain name ID (upstream_id).	-
attack_log.tenantid	string	Account ID	-
attack_log.projectid	string	ID of the project the protected domain name belongs to	-
attack_log.enterprise_project_id	string	ID of the enterprise project that the requested domain name belongs to.	-
attack_log.web_tag	string	Website name.	-
attack_log.req_body	string	Request body. (If the request body larger than 1 KB, it will be truncated.)	-

Parent Topic: Events

Previous topic: Downloading Events Data

Next topic: Policies

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot