Updated on 2025-08-19 GMT+08:00

Querying a Protection Event

For a selected time range, WAF summarizes the attacks, the ten most attacked websites, the ten attack source IP addresses that launched the most attacks, and the ten most attacked URLs. You can view blocked or logged events on the Events page, with details of WAF protection events for the past 30 days. For each event, you can check the time it occurred, origin server IP address, geographic location of the origin server IP address, malicious load, and hit rule.

If you want to store logs for a longer period, you can enable Log Tank Service (LTS) for WAF to record attack logs and access logs. You can also use LTS to transfer logs to Object Storage Service (OBS) or Data Ingestion Service (DIS) for long-term storage.

  • Logs stored in LTS are retained for 30 days by default. You can customize a retention duration from 1 to 365 days. Logs will be automatically deleted when the retention duration expires. For more details, see Log Tank Service (LTS).
  • If you enable LTS logging, logs in LTS will be billed by traffic volume. For details about LTS billing, see LTS Pricing Details.

Constraints

  • On the WAF console, you can view the event data for all protected domain names over the last 30 days. You can authorize LTS to log WAF activities so that you can view attack and access logs and store all logs for a long time. For more details, see Using LTS to Log WAF Activities.
  • If you switch the WAF working mode for a website to Suspended, WAF only forwards all requests to the website without inspection. It does not log any attack events either.
  • After an attack occurs, it takes about 2 to 3 minutes for the attack to be logged as a protection event.

Viewing Protection Event Logs

  1. Log in to the WAF console.
  2. Click in the upper left corner and select a region or project.
  3. (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
  4. In the navigation pane on the left, click Events.
  5. On the Search tab, view the statistical charts and event details.

This area displays the event trends and top 10 events for a specified protected domain name, instance, and time range.

Figure 1 Tables and Charts
  1. Set search criteria.

    • Domain name (① in Figure 1): You can select a specific domain name, multiple domain names, or all domain names to view the security statistics.
    • Instance (② in Figure 1): You can select a specific instance or all instances to view security statistics.
    • Query time (③ in Figure 1): You can view bot protection statistics for yesterday, today, past 3 days, past 7 days, past 30 days, or any time range within 30 days.

  2. View the statistical charts.

    | Function Module | Description | Related Operation |
    |---|---|---|
    | Events over Time (④ in Figure 1) | Displays the WAF protection status for the selected website within a specified period. | -- |
    | Top Tens (⑤ in Figure 1) | Displays the top 10 attack events, attacked objects, attack source IP addresses, and attacked URLs in the selected period. | • Attacks (1-5), Attacked Targets (1-5), Attack Source IP Addresses (1-5), and Attacked URLs (1-5) are displayed by default. You can click next to each area to check Attacks (6-10), Attacked Targets (6-10), Attack Source IP Addresses (6-10), and Attacked URLs (6-10). • You can click next to Attacks, Top Attacked Objects, Attack Source IP Addresses, or Attacked URLs to copy the data in the statistical charts. • You can click a domain name, client IP address, or URL listed in Top Attacked Objects, Attack Source IP Addresses, or Attacked URLs charts to make a quick search in the event list, as WAF automatically adds filter criteria to the event search box after you click an object. |

A maximum of 10,000 logs are displayed on the console. To query more logs, specify a time range or transfer logs to Log Tank Service (LTS).

Figure 2 Events
  1. Set matching conditions (① in Figure 2) based on filter condition fields. The matching conditions you set will be displayed above the event list. For details about the condition fields, see Table 1.

    Table 1 Filter condition fields

    | Parameter | Description |
    |---|---|
    | Client IP Address | Public IP address of the web visitor/attacker. By default, All is selected. You can view logs of all attack source IP addresses, select an attack source IP address, or enter an attack source IP address to view corresponding attack logs. |
    | Host | Attacked domain name. |
    | Rule ID | ID of a built-in protection rule in WAF basic web protection. |
    | URL | Attacked URL. |
    | Event Type | Type of the attack. By default, All is selected. You can view logs of all attack types or select an attack type to view corresponding attack logs. |
    | Protective Action | The options are Block, Log only, Verification code, and Mismatch. • Verification code: In CC attack protection rules, you can set Protective Action to Verification code. If a visitor sends too many requests, with the request quantity exceeding the rate limit specified by the CC attack protection rule used, a message is displayed to ask the visitor to provide a verification code. Visitor's requests will be blocked unless they enter a valid verification code. • Mismatch: If an access request matches a web tamper protection rule, information leakage prevention rule, or data masking rule, the protective action is marked as Mismatch. |
    | Status Code | HTTP status code returned on the block page. |
    | Event ID | ID of the event. |

  2. Click (② in Figure 2) in the upper right corner of the event list to set the fields to be displayed in the event list. For details about the fields, see Table 2.

    Table 2 Parameters in the event list

    | Parameter | Description | Example Value |
    |---|---|---|
    | Time | When the attack occurred. | 2021/02/04 13:20:04 |
    | Client IP Address | Public IP address of the web visitor/attacker. Click in the Client IP Address column to sort the event list in ascending or descending order. | - |
    | Host | Attacked domain name. | www.example.com |
    | Geolocation | Geographic location where the client IP address is located. | - |
    | Rule ID | ID of a built-in protection rule in WAF basic web protection. | - |
    | URL | Attacked URL. | /admin |
    | Event Type | Type of attack. | SQL injection |
    | Application Component | Application component that was attacked. | pgAdmin4 |
    | Protective Action | Protective actions configured in the rule. The options are Block, Log only, and Verification code. NOTE: If an access request matches a web tamper protection rule, information leakage prevention rule, or data masking rule, the protective action is marked as Mismatch. | Block |
    | Status Code | HTTP status code returned on the block page. | 418 |
    | Malicious Load | Location or part of the attack that causes damage or the number of times that the URL was accessed. NOTE: • In a CC attack, the malicious load indicates the number of times that the URL was accessed. • For blacklist protection events, the malicious load is left blank. | id=1 and 1='1 |
    | Access Mode | Method of connecting websites to WAF. | Cloud Mode - CNAME |
    | Load Balancer Name | Name of the ELB (Load Balancer) associated with the protected domain name in cloud mode load balancer access. | elb-18ce |
    | Enterprise Project | Enterprise project your websites belong to. Click in the Enterprise Project column to sort the event list in ascending or descending order. | default |

    After the preceding configurations are complete, as shown in Figure 2, you can view the events that meet the search criteria in the event list.

  3. Locate the target event and click Details in the Operation column (③ in Figure 2) to view details about the event. You can check the event overview, malicious payloads, response details, and request details.

    You need to submit a service ticket to enable the response details function and to configure the length of the response body to be logged. WAF can then display the response details and record the response body up to the specified length.

Related Operations

  • Handling False Alarms Triggered by Protection Rules: If you are sure that an event is a false alarm generated based on a WAF built-in rule or custom protection rule, you can handle the event as a false alarm.
    • WAF built-in rules include basic web protection rules, known bot detection, request signature detection, bot behavior detection, and proactive feature detection rules for bot protection, and feature-based anti-crawler rules.
    • WAF custom rules include CC attack protection rules, precise protection rules, blacklist and whitelist rules, and geolocation access control rules you create.
  • Handling False Positives Based on Client IP Addresses: If you are sure a client IP address is blocked mistakenly, you can add the IP address to an address group and add the IP address to a blacklist/whitelist rule to allow it.
  • Exporting protection events

    In the upper left corner of the event list, click Export to export events. If the number of events is less than 200, the events are exported to your local PC.
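
For offline triage of exported events, the following added example (not code from the WAF documentation or product) ranks events the way the Top Tens charts do, lists events whose Protective Action is Log only, and sums the Malicious Load of CC events, where it is a request count. The CSV layout, the use of Table 2 parameter names as column headers, and the Event Type strings "CC attack" and "Blacklist" are assumptions about the export; the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample rows. Column names follow Table 2; the CSV layout and the
# Event Type strings "CC attack" and "Blacklist" are assumptions about the export.
SAMPLE_EXPORT = """\
Time,Client IP Address,Host,URL,Event Type,Protective Action,Malicious Load
2021/02/04 13:20:04,198.51.100.7,www.example.com,/admin,SQL injection,Block,id=1 and 1='1
2021/02/04 13:21:10,198.51.100.7,www.example.com,/admin,SQL injection,Log only,id=1 and 1='1
2021/02/04 13:22:31,203.0.113.9,www.example.com,/login,CC attack,Verification code,120
2021/02/04 13:23:02,203.0.113.9,www.example.com,/login,CC attack,Block,75
2021/02/04 13:25:40,192.0.2.44,www.example.com,/,Blacklist,Block,
"""

def load_events(text):
    """Parse exported events into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def top_n(events, column, n=10):
    """Rank the values of one column by event count, like the Top Tens charts."""
    return Counter(e[column] for e in events).most_common(n)

def unblocked(events):
    """Events that were recorded but not blocked (Protective Action = Log only)."""
    return [e for e in events if e["Protective Action"] == "Log only"]

def cc_request_counts(events, cc_type="CC attack"):
    """Sum Malicious Load per (client IP, URL) for CC events.

    For CC events the field is a request count; for blacklist events it is
    blank; for other events it is payload text. Non-numeric values are skipped.
    """
    totals = Counter()
    for e in events:
        load = e["Malicious Load"].strip()
        if e["Event Type"] == cc_type and load.isdigit():
            totals[(e["Client IP Address"], e["URL"])] += int(load)
    return totals

if __name__ == "__main__":
    events = load_events(SAMPLE_EXPORT)
    for column in ("Client IP Address", "URL", "Event Type"):
        print(column, top_n(events, column))
    for e in unblocked(events):
        print("not blocked:", e["Time"], e["Client IP Address"], e["URL"], e["Event Type"])
    print("CC request totals:", dict(cc_request_counts(events)))
```

Log only events deserve the first look during review, since the same payload from the same client may also appear with a Block action under a different rule.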