更新时间:2024-12-10 GMT+08:00
WAF仪表盘模板(管道符方式)
Web应用防火墙(Web Application Firewall, WAF),通过对HTTP(S)请求进行检测,识别并阻断SQL注入、跨站脚本攻击、网页木马上传、命令/代码注入、文件包含、敏感文件访问、第三方应用漏洞攻击、CC攻击、恶意爬虫扫描、跨站请求伪造等攻击,保护Web服务安全稳定。
需要开通管道符后,使用日志搜索与分析(管道符方式-邀测)时,对应的WAF仪表盘模板支持查看WAF安全日志中心和查看WAF访问日志中心。
前提条件
- 已采集WAF日志,详情请参考Web应用防火墙WAF接入LTS。
- 日志配置结构化,详情请参见设置云端结构化解析日志。
查看WAF安全日志中心
- 登录云日志服务控制台,在左侧导航栏中选择“仪表盘 ”。
- 在仪表盘模板下方,选择“WAF仪表盘模板 > WAF安全日志中心”,查看图表详情。
- CC攻击拦截图表所关联的查询分析语句如下所示:
* |SELECT CASE WHEN diff [ 1 ] < 1000 THEN concat( cast( cast( diff [ 1 ] as DECIMAL(20,2)) AS VARCHAR ), ' 次' ) WHEN diff [ 1 ] < 1000 * 1000 THEN concat( cast(cast( diff [ 1 ]/ 1000 as DECIMAL(20,2)) AS VARCHAR ), ' 千次' ) WHEN diff [ 1 ] < 1000000000 THEN concat( cast( cast( diff [ 1 ]/ 1000000.0 as DECIMAL(20,2)) AS VARCHAR ), ' 百万次' ) WHEN diff [ 1 ]/ 1000.0 < 1000000000 THEN concat( cast( cast( diff [ 1 ]/ 1000.0 / 1000000 as DECIMAL(20,2)) AS VARCHAR ), ' 十亿次' ) ELSE concat( cast ( cast( diff [ 1 ]/ 1000.0 / 1000 / 1000 / 1000 as DECIMAL(20,2)) AS VARCHAR ), ' 万亿次' ) END AS "value" , CASE WHEN diff [ 2 ]= 0 THEN 0 ELSE round( diff [ 3 ]- 1, 2 ) END AS ratio FROM ( SELECT compare ( "data", 86400 ) AS diff FROM ( SELECT count( 1 ) AS "data" FROM log WHERE attack != 'default') )
- 攻击峰值图表所关联的查询分析语句如下所示:
* |SELECT diff [ 1 ] AS "VALUE", CASE WHEN diff [ 2 ]= 0 THEN 0 ELSE round( diff [ 3 ]- 1, 2 ) END AS ratio FROM ( SELECT compare ( "DATA" , 86400 ) AS diff FROM ( SELECT COALESCE ( max( pv ), 0 ) AS "DATA" FROM ( SELECT from_unixtime(__time - __time%60000) AS dt, CEIL(count(1)/ 60.0) AS pv FROM log WHERE action != '' GROUP BY dt LIMIT 10000 )))
- 攻击来源国家图表所关联的查询分析语句如下所示:
* |SELECT diff [ 1 ] AS "VALUE" , COALESCE ( diff [ 1 ]- diff [ 2 ], 0 ) AS "BEFORE" FROM ( SELECT compare ( "DATA", 86400 ) AS diff FROM ( SELECT count( DISTINCT ip_to_country ( CASE WHEN sip = '-' THEN remote_ip ELSE sip END) ) AS "DATA" FROM log WHERE action != '' ) )
- Web攻击拦截图表所关联的查询分析语句如下所示:
* |SELECT CASE WHEN diff [ 1 ] < 1000 THEN concat( cast( cast( diff [ 1 ] as DECIMAL(20,2)) AS VARCHAR ), ' 次' ) WHEN diff [ 1 ] < 1000 * 1000 THEN concat( cast( cast( diff [ 1 ]/ 1000 as DECIMAL(20,2)) AS VARCHAR ), ' 千次' ) WHEN diff [ 1 ] < 1000000000 THEN concat( cast( cast( diff [ 1 ]/ 1000000.0 as DECIMAL(20,2)) AS VARCHAR ), ' 百万次' ) WHEN diff [ 1 ]/ 1000.0 < 1000000000 THEN concat( cast( cast( diff [ 1 ]/ 1000.0 / 1000000 as DECIMAL(20,2)) AS VARCHAR ), ' 十亿次' ) ELSE concat( cast( cast( diff [ 1 ]/ 1000.0 / 1000 / 1000 / 1000 as DECIMAL(20,2)) AS VARCHAR ), ' 万亿次' ) END AS "value" , CASE WHEN diff [ 2 ]= 0 THEN 0 ELSE round( diff [ 3 ]- 1, 2 ) END AS ratio FROM ( SELECT compare ( "data", 86400 ) AS diff FROM ( SELECT count( 1 ) AS "data" FROM log WHERE action != '' ) )
- 攻击者UV图表所关联的查询分析语句如下所示:
* |SELECT CASE WHEN diff [ 1 ] < 1000 THEN concat( cast( cast ( diff [ 1 ] AS INTEGER ) AS VARCHAR ), ' 个' ) WHEN diff [ 1 ] < 1000 * 1000 THEN concat( cast( cast( diff [ 1 ]/ 1000 as DECIMAL(20,2)) AS VARCHAR ), ' 千个' ) WHEN diff [ 1 ] < 1000000000 THEN concat( cast( cast( diff [ 1 ]/ 1000000.0 as DECIMAL(20,2)) AS VARCHAR ), ' 百万个' ) WHEN diff [ 1 ]/ 1000.0 < 1000000000 THEN concat( cast( cast(diff [ 1 ]/ 1000.0 / 1000000 as DECIMAL(20,2)) AS VARCHAR ), ' 十亿' ) ELSE concat( cast( cast( diff [ 1 ]/ 1000.0 / 1000 / 1000 / 1000 as DECIMAL(20,2)) AS VARCHAR ), ' 万亿' ) END AS "value", CASE WHEN diff [ 2 ]= 0 THEN 0 ELSE round( diff [ 3 ]- 1, 2 ) END AS ratio FROM ( SELECT compare ( "data", 86400 ) AS diff FROM ( SELECT count( DISTINCT CASE WHEN sip = '-' THEN remote_ip ELSE sip END ) AS "data" FROM log ))
- 攻击拦截图表所关联的查询分析语句如下所示:
* |SELECT CASE WHEN diff [ 1 ] < 1000 THEN concat( cast(cast( diff [ 1 ] as DECIMAL(20,2)) AS VARCHAR ), ' 次' ) WHEN diff [ 1 ] < 1000 * 1000 THEN concat( cast( cast( diff [ 1 ]/ 1000 as DECIMAL(20,2)) AS VARCHAR ), ' 千次' ) WHEN diff [ 1 ] < 1000000000 THEN concat( cast( cast( diff [ 1 ]/ 1000000.0 as DECIMAL(20,2)) AS VARCHAR ), ' 百万次' ) WHEN diff [ 1 ]/ 1000.0 < 1000000000 THEN concat( cast( cast( diff [ 1 ]/ 1000.0 / 1000000 as DECIMAL(20,2)) AS VARCHAR ), ' 十亿次' ) ELSE concat( cast( cast( diff [ 1 ]/ 1000.0 / 1000 / 1000 / 1000 as DECIMAL(20,2)) AS VARCHAR ), ' 万亿次' ) END AS "value", CASE WHEN diff [ 2 ]= 0 THEN 0 ELSE round( diff [ 3 ]- 1, 2 ) END AS "ratio" FROM ( SELECT compare ( "data", 86400 ) AS diff FROM ( SELECT count( 1 ) AS "data" FROM log WHERE action != '') )
- CC攻击图表所关联的查询分析语如下所示:
* |SELECT ip_to_province ( CASE WHEN sip = '-' THEN remote_ip ELSE sip END) AS province, count( 1 ) AS "攻击次数" WHERE attack != 'default' GROUP BY province
- Web攻击图表所关联的查询分析语句如下所示:
* |SELECT ip_to_province ( CASE WHEN sip = '-' THEN remote_ip ELSE sip END) AS province, count( 1 ) AS "攻击次数" WHERE action = 'block' GROUP BY province
- 攻击类型分布图表所关联的查询分析语句如下所示:
* | SELECT time_format(from_unixtime(__time - __time%60000),'yyyy-MM-dd HH:mm:ss','+08:00') AS dt, count( 1 ) AS cnt, CASE WHEN action = 'block' THEN '拦截' WHEN action = 'log' THEN '仅记录' WHEN action = 'captcha' THEN '人机验证' END AS attack FROM log WHERE action != '' GROUP BY dt, attack ORDER BY dt
- CC攻击(世界)图表所关联的查询分析语句如下所示:
* | SELECT ip_to_country (CASE WHEN sip = '-' THEN remote_ip ELSE sip END) AS country, count( 1 ) AS "攻击次数" WHERE attack != 'default' GROUP BY country
- Web攻击(世界)图表所关联的查询分析语句如下所示:
* | SELECT ip_to_country (CASE WHEN sip = '-' THEN remote_ip ELSE sip END) AS country, count( 1 ) AS "攻击次数" WHERE action = 'block' GROUP BY country
- CC攻击拦截图表所关联的查询分析语句如下所示:
查看WAF访问日志中心
- 登录云日志服务控制台,在左侧导航栏中选择“仪表盘 ”。
- 在仪表盘模板下方,选择“WAF仪表盘模板 > WAF访问日志中心”,查看图表详情。
- PV图表所关联的查询分析语句如下所示:
* | SELECT CASE WHEN diff [ 1 ] < 1000 THEN concat( cast( cast(diff [ 1 ] AS DECIMAL(20,2)) AS VARCHAR ), ' 次' ) WHEN diff [ 1 ] < 1000 * 1000 THEN concat( cast(cast( diff [ 1 ]/ 1000 AS DECIMAL(20,2)) AS VARCHAR ), ' 千次' ) WHEN diff [ 1 ] < 1000000000 THEN concat( cast(cast( diff [ 1 ]/ 1000000.0 AS DECIMAL(20,2)) AS VARCHAR ), ' 百万次' ) WHEN diff [ 1 ]/ 1000.0 < 1000000000 THEN concat( cast(cast( diff [ 1 ]/ 1000 / 1000000.0 AS DECIMAL(20,2)) AS VARCHAR ), ' 十亿次' ) ELSE concat( cast(cast( diff [ 1 ]/ 1000.0 / 1000 / 1000 / 1000 AS DECIMAL(20,2)) AS VARCHAR ), ' 万亿次' ) END AS "VALUE" , CASE WHEN diff [ 2 ]= 0 THEN 0 ELSE round(diff [ 3 ]- 1,2) END AS ratio FROM ( SELECT compare ( DATA, 86400 ) AS diff FROM ( SELECT count( 1 ) AS DATA FROM log ) )
- UV图表所关联的查询分析语句如下所示:
* | SELECT CASE WHEN diff [ 1 ] < 1000 THEN concat( cast( cast( diff [ 1 ] AS DECIMAL(20,2)) AS VARCHAR ), ' 次' ) WHEN diff [ 1 ] < 1000 * 1000 THEN concat( cast( cast( diff [ 1 ]/ 1000 AS DECIMAL(20,2)) AS VARCHAR ), ' 千次' ) WHEN diff [ 1 ] < 1000000000 THEN concat( cast( cast( diff [ 1 ]/ 1000000.0 AS DECIMAL(20,2)) AS VARCHAR ), ' 百万次' ) WHEN diff [ 1 ]/ 1000.0 < 1000000000 THEN concat( cast( cast( diff [ 1 ]/ 1000 / 1000000.0 AS DECIMAL(20,2)) AS VARCHAR ), ' 十亿次' ) ELSE concat( cast( cast( diff [ 1 ]/ 1000.0 / 1000 / 1000 / 1000 AS DECIMAL(20,2)) AS VARCHAR ), ' 万亿次' ) END AS "VALUE" , CASE WHEN diff [ 2 ]= 0 THEN 0 ELSE round( diff [ 3 ]- 1, 2 ) END AS ratio FROM ( SELECT compare ( DATA, 86400 ) AS diff FROM ( SELECT count( DISTINCT CASE WHEN sip = '-' THEN remote_ip ELSE sip END ) AS "DATA" FROM log ) )
- 流入流量图表所关联的查询分析语句如下所示:
* | SELECT CASE WHEN diff [ 1 ] < 102 THEN concat( cast( cast( diff [ 1 ] AS DECIMAL(20,2)) AS VARCHAR ), ' B' ) WHEN diff [ 1 ] < 1024 * 1024 THEN concat( cast( cast( diff [ 1 ]/ 1024 AS DECIMAL(20,2)) AS VARCHAR ), ' KB' ) WHEN diff [ 1 ] < 1024 * 1024 * 1024 THEN concat( cast( cast( diff [ 1 ]/ 1024.0 / 1024 AS DECIMAL(20,2)) AS VARCHAR ), ' MB' ) WHEN diff [ 1 ]/ 1024.0 < 1024 * 1024 * 1024 THEN concat( cast( cast( diff [ 1 ]/ 1024.0 / 1024 / 1024 AS DECIMAL(20,2)) AS VARCHAR ), ' GB' ) ELSE concat( cast( cast( diff [ 1 ]/ 1024.0 / 1024 / 1024 / 1024 AS DECIMAL(20,2)) AS VARCHAR ), ' TB' ) END AS "VALUE" , CASE WHEN diff [ 2 ]= 0 THEN 0 ELSE round( diff [ 3 ]- 1, 2 ) END AS ratio FROM ( SELECT compare ( "DATA", 86400 ) AS diff FROM ( SELECT COALESCE ( sum( try_cast(request_length as bigint) ), 0 ) AS "DATA" FROM log ) )
- 网络in带宽峰值图表所关联的查询分析语句如下所示:
* | SELECT CASE WHEN diff [ 1 ] < 102 THEN concat( cast( cast( diff [ 1 ] AS DECIMAL(20,2)) AS VARCHAR ), ' B/s' ) WHEN diff [ 1 ] < 1024 * 1024 THEN concat( cast( cast( diff [ 1 ]/ 1024 AS DECIMAL(20,2)) AS VARCHAR ), ' KB/s' ) WHEN diff [ 1 ] < 1024 * 1024 * 1024 THEN concat( cast( cast( diff [ 1 ]/ 1024.0 / 1024 AS DECIMAL(20,2)) AS VARCHAR ), ' MB/s' ) WHEN diff [ 1 ]/ 1024.0 < 1024 * 1024 * 1024 THEN concat( cast( cast( diff [ 1 ]/ 1024.0 / 1024 / 1024 AS DECIMAL(20,2)) AS VARCHAR ), ' GB/s' ) ELSE concat( cast( cast( diff [ 1 ]/ 1024.0 / 1024 / 1024 / 1024 AS DECIMAL(20,2)) AS VARCHAR ), ' TB/s' ) END AS "VALUE", CASE WHEN diff [ 2 ]= 0 THEN 0 ELSE round( diff [ 3 ]- 1, 2 ) END AS ratio FROM ( SELECT compare ( "DATA", 86400 ) AS diff FROM ( SELECT COALESCE ( max( "DATA" ), 0 ) AS "DATA" FROM ( SELECT time_format(from_unixtime(__time - __time%60000),'yyyy-MM-dd HH:mm:ss','+08:00') AS dt, sum( try_cast( request_length AS BIGINT ) )/ 60.0 AS "DATA" FROM log GROUP BY dt LIMIT 10000 )) )
- 网络out带宽峰值图表所关联的查询分析语句如下所示:
* | SELECT CASE WHEN diff [ 1 ] < 102 THEN concat( cast( cast( diff [ 1 ] AS DECIMAL(20,2)) AS VARCHAR ), ' B/s' ) WHEN diff [ 1 ] < 1024 * 1024 THEN concat(cast( cast( diff [ 1 ]/ 1024 AS DECIMAL(20,2)) AS VARCHAR ), ' KB/s' ) WHEN diff [ 1 ] < 1024 * 1024 * 1024 THEN concat( cast( cast( diff [ 1 ]/ 1024.0 / 1024 AS DECIMAL(20,2)) AS VARCHAR ), ' MB/s' ) WHEN diff [ 1 ]/ 1024.0 < 1024 * 1024 * 1024 THEN concat( cast( cast( diff [ 1 ]/ 1024.0 / 1024 / 1024 AS DECIMAL(20,2)) AS VARCHAR ), ' GB/s' ) ELSE concat( cast( cast( diff [ 1 ]/ 1024.0 / 1024 / 1024 / 1024 AS DECIMAL(20,2)) AS VARCHAR ), ' TB/s' ) END AS "value", case when diff [ 2 ]= 0 then 0 else round( diff [ 3 ]- 1, 2 ) END AS "ratio" FROM ( SELECT compare ( "DATA", 86400 ) AS diff FROM ( SELECT COALESCE ( max( bytes_out ), 0 ) AS "DATA" FROM ( SELECT time_format(from_unixtime(__time - __time%60000),'yyyy-MM-dd HH:mm:ss','+08:00') AS dt, sum( try_cast(body_bytes_sent as double precision) )/ 60.0 AS bytes_out FROM log GROUP BY dt LIMIT 10000 )))
- 流量带宽趋势图表所关联的查询分析语句如下所示:
* | SELECT time_format(from_unixtime(__time - __time%600000),'yyyy-MM-dd HH:mm:ss','+08:00') AS dt, round( sum( try_cast( request_length AS double precision ) )/ 1024.0 / 600, 2 ) AS "流入流量(KB/s)", round( sum( try_cast( body_bytes_sent AS double precision ) )/ 1024.0 / 600, 2) AS "流出流量(KB/s)" GROUP BY dt ORDER BY dt LIMIT 1000
- PV/UV趋势图表所关联的查询分析语句如下所示:
* | SELECT time_format(from_unixtime(__time - __time%3600000),'yyyy-MM-dd HH:mm:ss','+08:00') AS dt, count( 1 ) AS PV, COUNT( DISTINCT ( CASE WHEN sip = '-' THEN remote_ip ELSE sip END )) AS UV FROM log GROUP BY dt ORDER BY dt LIMIT 1000
- 访问状态分布图表所关联的查询分析语句如下所示:
* | SELECT time_format(from_unixtime(__time - __time%3600000),'yyyy-MM-dd HH:mm:ss','+08:00') AS dt, count( 1 ) AS cnt, concat( cast( cast("response_code" as BIGINT) / 100 AS VARCHAR ), 'XX' ) AS "status" GROUP BY dt, cast("response_code" as BIGINT) / 100 ORDER BY dt LIMIT 10000 - 访问来源图表所关联的查询分析语句如下所示:
* | SELECT ip_to_country (CASE WHEN sip = '-' THEN remote_ip ELSE sip END) AS country, count( 1 ) AS "访问次数" GROUP BY country having country != ''
- 流入流量来源(中国)图表所关联的查询分析语句如下所示:
* | SELECT ip_to_province (CASE WHEN sip = '-' THEN remote_ip ELSE sip END) AS region, round( sum( try_cast(request_length as double precision) )/ 1024.0 / 1024, 4 ) AS "流入流量(MB)" GROUP BY region having region != ''
- 流入流量来源(世界)图表所关联的查询分析语句如下所示:
* | SELECT ip_to_country (CASE WHEN sip = '-' THEN remote_ip ELSE sip END) AS region, round( sum( try_cast(request_length as double precision) )/ 1024.0 / 1024, 4 ) AS "流入流量(MB)" GROUP BY region having region != ''
- 来源网络提供商图表所关联的查询分析语句如下所示:
* | SELECT ip_to_provider (CASE WHEN sip = '-' THEN remote_ip ELSE sip END) AS provider, cast(round( sum( try_cast(request_length as bigint) )/ 1024.0 / 1024.0, 3 ) AS double precision) AS mb_in GROUP BY provider HAVING ip_to_provider (CASE WHEN sip = '-' THEN remote_ip ELSE sip END) != '*' ORDER BY mb_in DESC LIMIT 10
- 访问域名图表所关联的查询分析语句如下所示:
* | SELECT http_host, count( 1 ) AS "被访问次数" GROUP BY http_host ORDER BY "被访问次数" DESC LIMIT 30
- 响应最慢的URL图表所关联的查询分析语句如下所示:
* | SELECT http_host AS "网站",url_extract_path (COALESCE ( url, '/' )) AS URL,sum( request_time )/ count( 1 ) AS "响应时间(毫秒)",count( 1 ) AS "访问次数" GROUP BY http_host, url ORDER BY "响应时间(毫秒)" DESC LIMIT 100
- 访问最多的客户端图表所关联的查询分析语句如下所示:
* | SELECT ip AS "客户端", client AS "地理网络", concat( cast( ( CASE WHEN pv IS NULL THEN 0 ELSE pv END ) AS VARCHAR ), ' (', cast( CASE WHEN head_pv is null THEN 0 ELSE ( CASE WHEN head_pv > 0 THEN head_pv ELSE 0 END ) END AS VARCHAR ), '/', cast( CASE WHEN get_pv is null THEN 0 ELSE ( CASE WHEN get_pv > 0 THEN get_pv ELSE 0 END ) END AS VARCHAR ), '/', cast( CASE WHEN put_pv is null THEN 0 ELSE ( CASE WHEN put_pv > 0 THEN put_pv ELSE 0 END ) END AS VARCHAR ), '/', cast( CASE WHEN post_pv is null THEN 0 ELSE ( CASE WHEN post_pv > 0 THEN post_pv ELSE 0 END ) END AS VARCHAR ), '/', cast( CASE WHEN delete_pv is null THEN 0 ELSE ( CASE WHEN delete_pv > 0 THEN delete_pv ELSE 0 END ) END AS VARCHAR ), '/', ')' ) AS "PV (Head, Get, Put, Post, Delete方法)", error_count AS "错误访问次数" FROM ( SELECT ip, client, sum( CASE WHEN "method" = 'PUT' AND "status" < 400 THEN pv ELSE 0 END ) AS put_pv, sum( CASE WHEN "method" = 'GET' AND "status" < 400 THEN pv ELSE 0 END ) AS get_pv, sum( CASE WHEN "method" = 'POST' AND "status" < 400 THEN pv ELSE 0 END ) AS post_pv, sum( CASE WHEN "method" = 'DELETE' AND "status" < 400 THEN pv ELSE 0 END ) AS delete_pv, sum( CASE WHEN "method" = 'HEAD' AND "status" < 400 THEN pv ELSE 0 END ) AS head_pv, sum( throughput ) AS throughput, sum( pv ) AS pv, sum( CASE WHEN "status" < 400 THEN 1 ELSE 0 END ) AS error_count FROM ( SELECT CASE WHEN sip = '-' THEN remote_ip ELSE sip END AS ip, "method", CASE WHEN ip_to_country ( CASE WHEN sip = '-' THEN remote_ip ELSE sip END )= '香港' THEN '中国香港' WHEN ip_to_province ( CASE WHEN sip = '-' THEN remote_ip ELSE sip END )= '*' THEN '未知IP' WHEN ip_to_provider ( CASE WHEN sip = '-' THEN remote_ip ELSE sip END )= '内网IP' THEN '内网IP' ELSE concat( ip_to_country ( CASE WHEN sip = '-' THEN remote_ip ELSE sip END ), '/', ip_to_province ( CASE WHEN sip = '-' THEN remote_ip ELSE sip END ), '/', CASE WHEN ip_to_city
- PV图表所关联的查询分析语句如下所示:
父主题: 日志仪表盘模板
