The access log feature is used to record access logs of domain names protected by WAF. It allows you to query and download access logs generated in the last 30 days and retain them for up to 180 days. After enabling this feature, you can query and download access logs as needed to meet your security compliance and OPS requirements.
To use the access log feature, you need to purchase the security log service package and enable access log as instructed in Instructions. Only after access log is enabled for a domain name can its access requests be logged by WAF.
Log in to the WAF Console and select Web Application Firewall > Protection Setting on the left sidebar to enter the protection settings page. Select a desired domain name and click Enable Access Log.
- Access logs can be queried by key-value (kv) pairs where up to 7 keys are supported. In `value`, you can enter multiple keywords of log data for easier search, which are case-insensitive and separated by separators (default separators include `!@#%^&*()-_="', <>/?|;:\n\t\r[]{}`).
- Access log supports fuzzy query. You can use certain fuzzy keywords to query logs as described below:
Metacharacter | Description |
---|---|
`*` | Fuzzy query of keywords that can match zero, single, or multiple random characters. `*` cannot be used as the first character. For example, if you enter `abc*`, all logs beginning with `abc` will be returned. |
`?` | Fuzzy query of keywords that can match a single character at a specific position. For example, if you enter `ab?c`, logs that begin with `ab`, end with `c`, and contain only one character between `ab` and `c` will be returned. |
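
The separator and metacharacter rules above can be reproduced locally, for example to filter downloaded logs the same way a console query would. This Python code is an added example, not the WAF's own implementation; it assumes that a keyword must match one whole token, that space-separated keywords and key-value conditions are ANDed together, and it uses constructed sample records keyed by the download field names listed on this page.

```python
import re

# Default separators listed on the page; \n, \t, \r are control characters.
SEPARATORS = "!@#%^&*()-_=\"', <>/?|;:\n\t\r[]{}"
_SPLIT = re.compile("[" + re.escape(SEPARATORS) + "]+")
MAX_KEYS = 7  # the page allows up to 7 keys per query


def tokenize(value):
    """Split a field value into lower-cased keywords on the default separators."""
    return [t for t in _SPLIT.split(value.lower()) if t]


def compile_keyword(keyword):
    """Translate a fuzzy keyword: * = zero or more characters, ? = exactly one."""
    if keyword.startswith("*"):
        raise ValueError("* cannot be used as the first character")
    table = {"*": ".*", "?": "."}
    return re.compile("".join(table.get(c, re.escape(c)) for c in keyword.lower()))


def value_matches(field_value, query_value):
    """Assumption: every space-separated keyword must match one whole token."""
    tokens = tokenize(field_value)
    return all(
        any(compile_keyword(k).fullmatch(t) for t in tokens)
        for k in query_value.split()
    )


def query(records, conditions):
    """Assumption: key-value conditions are ANDed together."""
    if len(conditions) > MAX_KEYS:
        raise ValueError("at most 7 keys are supported")
    return [
        r for r in records
        if all(value_matches(r.get(k, ""), v) for k, v in conditions.items())
    ]


# Constructed sample records using download field names from the page.
SAMPLE = [
    {"host": "www.abc.com", "url": "/login", "user-agent": "Mozilla/5.0 (X11; Linux x86_64)", "status": "200"},
    {"host": "shop.abc.com", "url": "/cart/ab1c", "user-agent": "curl/8.4.0", "status": "403"},
    {"host": "www.abc.com", "url": "/abcdef", "user-agent": "CURL/7.88.1", "status": "403"},
]
```

Because `.` is not in the default separator list, `www.abc.com` stays a single keyword, so under these assumptions `abc*` does not match it while `www*` does.
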
Log query field description:
Field Name | Description |
---|---|
Access source IP | Source IP of client request. |
Access URI | URI accessed by client. |
Referer | Source URL information of client's access request to server. |
Cookie | Cookie information carried in client's access request to server. |
User-Agent | Information such as browser type and OS ID in client's request to server. |
X-Forwarded-For | Used to identify the original IP address of client accessing web server through HTTP proxy or load balancer. |
WAF response code | Response status code returned by WAF to client. |
Real server response code | Response status code returned by real server to WAF. |
Body | Body information carried in client's access request to server. |
`*.abc.com`), logs of all associated subdomain names such as those suffixed with `.abc.com` will also be downloaded.
Download Field | Description |
---|---|
time | Access time. |
host | Client request domain name. |
client | Client's source IP. |
ipinfo_nation | Country/region information of client's source IP. |
ipinfo_province | District information of client's source IP. |
schema | Client request protocol. |
method | Client request method. |
url | Content between the first "/" and "?" after domain name in complete path of client request. |
query | Content after "?" in complete path of client request, which is also called query string. |
cookie | Cookie information carried in client's access request to server. |
referer | Source URL information of client's access request to server. |
user-agent | Information such as browser type and OS ID in client's request to server. |
x-forwarded-for | Used to identify the original IP address of client accessing web server through HTTP proxy or load balancer. |
status | Response status code returned by WAF to client. |
upstream_status | Response status code returned by real server to WAF. |
upstream | Intermediate IP and port after a client request passes through WAF. |
upstream_connect_time | The time it takes for a client request to arrive at the real server from WAF. |
upstream_response_time | The time it takes for a client request to arrive at WAF from the real server. |
request_time | The time it takes for a client request to arrive at WAF and return from WAF. |