Updated on 2025-08-12 GMT+08:00

Querying Firewall Logs

Function

This API is used to query firewall logs.

Calling Method

For details, see Calling APIs.

URI

POST /v1/{project_id}/cfw/{fw_instance_id}/logs

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| project_id | Yes | String | Definition: Project ID, which is used to specify the project that an asset belongs to. You can query the assets of a project by project ID. You can obtain the project ID from the API or console. For details, see Obtaining a Project ID. Constraints: N/A. Range: 32-bit UUID. Default Value: N/A. |
| fw_instance_id | Yes | String | Definition: Firewall ID. It is a unique ID generated after a firewall instance is created. You can obtain the firewall ID by referring to Obtaining a Firewall ID. Constraints: N/A. Range: 32-bit UUID. Default Value: N/A. |

Request Parameters

Table 2 Request body parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| filters | No | Array of Filter objects | Definition: Filter criteria. Constraints: N/A. Range: 1-1024. Default Value: N/A. |
| limit | Yes | Integer | Definition: Number of records displayed on each page. Constraints: N/A. Range: 1-1024. Default Value: N/A. |
| offset | No | Integer | Definition: Offset. Constraints: Leave empty when querying the first page; must be set for other pages. Range: Offset relative to the previous page. Default Value: N/A. |
| log_id | No | String | Definition: Document ID. Constraints: Leave empty when querying the first page; must be set for other pages. Range: log_id of the last record obtained in the last query. Default Value: N/A. |
| next_date | No | Long | Definition: Next date. Constraints: Leave empty when querying the first page; must be set for other pages. Range: For a traffic log query, it indicates the end_time of the last record obtained in the last query. Default Value: N/A. |
| start_time | Yes | Long | Definition: Start time. Constraints: N/A. Range: Millisecond-level timestamp. Default Value: N/A. |
| end_time | Yes | Long | Definition: End time. Constraints: N/A. Range: Millisecond-level timestamp. Default Value: N/A. |
| log_type | Yes | String | Definition: Log type. Constraints: N/A. Range: internet (north-south logs), nat (NAT logs), vpc (east-west logs), or vgw (VGW logs). Default Value: N/A. |
| type | Yes | String | Definition: Log type. Constraints: N/A. Range: attack (attack logs), acl (access control logs), flow (traffic logs), or url (URL logs). Default Value: N/A. |

Table 3 Filter

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| field | Yes | String | Definition: Log field, for example, src_ip. Constraints: N/A. Range: N/A. Default Value: N/A. |
| values | No | Array of strings | Definition: Value. Constraints: N/A. Range: N/A. Default Value: N/A. |
| operator | Yes | String | Definition: Operator. Constraints: N/A. Range: equal, not_equal, contain, starts_with. Default Value: N/A. |

Response Parameters

Status code: 200

Table 4 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| data | data object | Definition: Log. Range: N/A. |

Table 5 data

| Parameter | Type | Description |
| --- | --- | --- |
| limit | Integer | Definition: Number of records. Range: N/A. |
| records | Array of LogVO objects | Definition: Log. Range: N/A. |
| total | Long | Definition: Total number of records. Range: N/A. |

Table 6 LogVO

| Parameter | Type | Description |
| --- | --- | --- |
| app | String | Definition: Application. Range: N/A. |
| bytes | Double | Definition: Number of bytes in a stream. It is a traffic log field. Range: N/A. |
| direction | String | Definition: Session direction. Range: out2in (inbound access), in2out (outbound access). |
| dst_host | String | Definition: Number of bytes in a stream. It can be found in access control logs and traffic logs. Range: Destination website. |
| dst_ip | String | Definition: Destination IP address. Range: N/A. |
| dst_port | Integer | Definition: Destination port. Range: N/A. |
| end_time | Long | Definition: Session end time. It is a traffic log field. Range: N/A. |
| log_id | String | Definition: Log ID, which is used for pagination query. Range: N/A. |
| packets | Double | Definition: Number of packets in a stream. It is a traffic log field. Range: N/A. |
| protocol | String | Definition: Protocol. Range: N/A. |
| src_ip | String | Definition: Source IP address. Range: N/A. |
| src_port | Integer | Definition: Source port. Range: N/A. |
| start_time | Long | Definition: Session start time. It is a traffic log field. Range: N/A. |
| dst_region_id | AnyType | Definition: Destination region ID. Range: N/A. |
| dst_region_name | String | Definition: Destination region name. Range: N/A. |
| dst_province_id | String | Definition: Destination province ID. Range: N/A. |
| dst_province_name | String | Definition: Destination province name. Range: N/A. |
| dst_city_id | String | Definition: Destination city ID. Range: N/A. |
| dst_city_name | String | Definition: Destination city name. Range: N/A. |
| src_region_id | String | Definition: Source region ID. Range: N/A. |
| src_region_name | String | Definition: Source region name. Range: N/A. |
| src_province_id | String | Definition: Source province ID. Range: N/A. |
| src_province_name | String | Definition: Source province name. Range: N/A. |
| src_city_id | String | Definition: Source city ID. Range: N/A. |
| src_city_name | String | Definition: Source city name. Range: N/A. |
| vgw_id | String | Definition: Virtual gateway ID. Range: N/A. |
| sctp_verification_tag | Long | Definition: SCTP verification tag. It is a traffic log field. Range: N/A. |
| sctp_is_handshake_flow | String | Definition: SCTP handshake flow. It is a traffic log field. Range: N/A. |
| qos_rule_id | String | Definition: QoS rule ID. It can be found in traffic logs and access control logs. Range: N/A. |
| qos_rule_name | String | Definition: QoS rule name. It can be found in traffic logs and access control logs. Range: N/A. |
| qos_channel_id | String | Definition: QoS channel ID. It is a traffic log field. Range: N/A. |
| qos_channel_name | String | Definition: QoS channel name. It is a traffic log field. Range: N/A. |
| qos_drop_packets | Double | Definition: Number of discarded QoS packets. It is a traffic log field. Range: N/A. |
| qos_drop_bytes | Double | Definition: Number of discarded QoS bytes. It is a traffic log field. Range: N/A. |
| qos_rule_type | Integer | Definition: QoS rule type. It can be found in traffic logs and access control logs. Range: N/A. |
| qos_channel_type | Integer | Definition: QoS channel type. It is a traffic log field. Range: N/A. |
| action | String | Definition: Action. It can be found in traffic logs, access control logs, and URL logs. Range: N/A. |
| url | String | Definition: URL. It is a URL log field. Range: N/A. |
| hit_time | Long | Definition: Hit time. It can be found in traffic logs and URL logs. Range: N/A. |
| rule_id | String | Definition: Rule ID. It can be found in traffic logs and URL logs. Range: N/A. |
| rule_name | String | Definition: Rule name. It can be found in traffic logs and URL logs. Range: N/A. |
| rule_type | Integer | Definition: Rule type. It can be found in traffic logs and URL logs. Range: N/A. |
| attack_rule | String | Definition: Rule type. It is an attack log field. Range: N/A. |
| attack_rule_id | String | Definition: Attack rule ID. It is an attack log field. Range: N/A. |
| attack_type | String | Definition: Attack type. It is an attack log field. Range: N/A. |
| event_time | Long | Definition: Event time. It is an attack log field. Range: N/A. |
| level | String | Definition: Attack level. It is an attack log field. Range: N/A. |
| packet | String | Definition: Rule payload. It is an attack log field. Range: N/A. |
| source | String | Definition: Attack source. It is an attack log field. Range: N/A. |
| real_ip | String | Definition: Real IP address. It is an attack log field. Range: N/A. |
| tag | Integer | Definition: Tag type. It is an attack log field. Range: 1: WAF back-to-source IP address. |

Status code: 400

Table 7 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| error_code | String | Definition: Error code. Range: N/A. |
| error_msg | String | Definition: Error message. Range: N/A. |

Example Requests

Query traffic logs at the Internet border. The project ID is a16df7cf1d094befa6bbc72cbf51e93a, the firewall ID is fcd04edd-428a-4631-bef5-46a924293cca, the time range is from 1751952647737 to 1751963447737, and the number of records per page is 1000. The records are filtered by the destination IP address 100.85.219.117.

POST https://{Endpoint}/v1/a16df7cf1d094befa6bbc72cbf51e93a/cfw/fcd04edd-428a-4631-bef5-46a924293cca/logs

{
  "limit" : 1000,
  "filters" : [ {
    "field" : "dst_ip",
    "operator" : "equal",
    "values" : [ "100.85.219.117" ]
  } ],
  "start_time" : 1751952647737,
  "end_time" : 1751963447737,
  "log_type" : "internet",
  "type" : "flow"
}

Example Responses

Status code: 200

OK

{
  "data" : {
    "limit" : 1000,
    "records" : [ {
      "app" : "DNS",
      "bytes" : 87,
      "direction" : "in2out",
      "dst_ip" : "100.85.219.117",
      "dst_port" : 53,
      "end_time" : 1751963431000,
      "log_id" : "73861",
      "packets" : 1,
      "protocol" : "UDP",
      "src_ip" : "100.93.2.30",
      "src_port" : 55637,
      "start_time" : 1751963369000
    } ],
    "total" : 1
  }
}

Status code: 400

Bad Request

{
  "error_code" : "CFW.00200003",
  "error_msg" : "Parameter error."
}
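Added example (not part of the original API reference): a Python sketch of a client that checks a traffic-log query against the ranges in Tables 2 and 3 and then pages through the results using log_id and next_date, so that a log export for detection or incident review does not stop at the first page. The `send` callable and the helper names are hypothetical, and using the size of the previous page as `offset` is an assumption, because the reference only describes it as "offset relative to the previous page".

```python
LOG_TYPES = {"internet", "nat", "vpc", "vgw"}                  # Table 2, log_type
TYPES = {"attack", "acl", "flow", "url"}                       # Table 2, type
OPERATORS = {"equal", "not_equal", "contain", "starts_with"}   # Table 3, operator

def build_body(log_type, type_, start_ms, end_ms, limit, filters=(), cursor=None):
    """Check a query against the documented ranges and return the request body."""
    if log_type not in LOG_TYPES or type_ not in TYPES:
        raise ValueError("log_type or type is outside the documented range")
    if not 1 <= limit <= 1024:
        raise ValueError("limit must be between 1 and 1024")
    # Sanity check: timestamps are milliseconds; below 10**11 is almost surely seconds.
    if min(start_ms, end_ms) < 10**11 or start_ms >= end_ms:
        raise ValueError("start_time/end_time must be ms timestamps, start < end")
    for f in filters:
        if f["operator"] not in OPERATORS:
            raise ValueError("unsupported filter operator: %r" % f["operator"])
    body = {"limit": limit, "start_time": start_ms, "end_time": end_ms,
            "log_type": log_type, "type": type_}
    if filters:
        body["filters"] = list(filters)
    body.update(cursor or {})   # first page carries no offset/log_id/next_date
    return body

def next_cursor(records):
    """Pagination fields for the following page of a traffic-log (flow) query."""
    last = records[-1]
    return {"log_id": last["log_id"],        # log_id of the last record obtained
            "next_date": last["end_time"],   # end_time of the last record obtained
            "offset": len(records)}          # ASSUMPTION: size of the previous page

def fetch_all(send, **query):
    """Collect every page. `send` is a hypothetical callable that POSTs a body
    to .../logs and returns the parsed JSON response as a dict."""
    collected, cursor = [], None
    while True:
        resp = send(build_body(cursor=cursor, **query))
        if "error_code" in resp:             # 400 body, e.g. CFW.00200003
            raise RuntimeError("%s: %s" % (resp["error_code"], resp["error_msg"]))
        records = resp["data"]["records"]
        collected.extend(records)
        if not records or len(collected) >= resp["data"]["total"]:
            return collected
        cursor = next_cursor(records)
```
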

Status Codes

| Status Code | Description |
| --- | --- |
| 200 | OK |
| 400 | Bad Request |

Error Codes

See Error Codes.