- WAF Release Notes
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practice
- FAQS
- Security Advisory
- Command Execution Vulnerability in Exchange Server
- SQL Injection Vulnerability in Yonyou GRP-U8
- XXE Vulnerability in Apache Cocoon (CVE-2020-11991)
- Arbitrary Code Execution Vulnerability in WordPress File Manager
- Jenkins Security Advisory for September
- Remote Code Execution Vulnerabilities in Apache Struts 2 (CVE-2019-0230 and CVE-2019-0233)
- SQL Injection Vulnerability in Apache SkyWalking (CVE-2020-13921)
- WAF Policy
- Glossary
- WAF Release Notes
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practice
- FAQS
- Security Advisory
- Command Execution Vulnerability in Exchange Server
- SQL Injection Vulnerability in Yonyou GRP-U8
- XXE Vulnerability in Apache Cocoon (CVE-2020-11991)
- Arbitrary Code Execution Vulnerability in WordPress File Manager
- Jenkins Security Advisory for September
- Remote Code Execution Vulnerabilities in Apache Struts 2 (CVE-2019-0230 and CVE-2019-0233)
- SQL Injection Vulnerability in Apache SkyWalking (CVE-2020-13921)
- WAF Policy
- Glossary
Feature Overview
The access log feature is used to record access logs of domain names protected by WAF. It allows you to query and download access logs generated in the last 30 days and retain them for up to 180 days. After enabling this feature, you can query and download access logs as needed to meet your security compliance and OPS requirements.
To use the access log feature, you need to purchase the security log service package and enable access log as instructed in Instructions. Only after access log is enabled for a domain name can its access requests be logged by WAF.
Instructions
Enabling access log
Log in to the WAF Console and select Web Application Firewall > Protection Setting on the left sidebar to enter the protection settings page. Select a desired domain name and click Enable Access Log.
Querying access logs
- Log in to the WAF Console and select Security Overview on the left sidebar to enter the security overview page. Select Access Log > Log Query and select a desired domain name to view its access logs.
- You can click
- Query the access logs. You can use multiple keywords separated by carriage return. After entering the keywords of the corresponding fields, click Query to search for logs.
- Access logs can be queried by key-value (kv) pairs where up to 7 keys are supported. In
value, you can enter multiple keywords of log data for easier search, which are case-insensitive and separated by separators (default separators include !@#%^&*()-_="', <>/?|;:\n\t\r[]{}). - Access log supports fuzzy query. You can use certain fuzzy keywords to query logs as described below:
- Access logs can be queried by key-value (kv) pairs where up to 7 keys are supported. In
| Metacharacter | Description |
|---|---|
| * | Fuzzy query of keywords that can match zero, single, or multiple random characters. * cannot be used as the first character. For example, if you enter abc*, all logs beginning with abc will be returned. |
| ? | Fuzzy query of keywords that can match a single character at a specific position. For example, if you enter ab?c, logs that begin with ab, end with c, and contain only one character between ab and c will be returned. |
Log query field description:
| Field Name | Description |
|---|---|
| Access source IP | Source IP of client request. |
| Access URI | URI accessed by client. |
| Referer | Source URL information of client's access request to server. |
| Cookie | Cookie information carried in client's access request to server. |
| User-Agent | Information such as browser type and OS ID in client's request to server. |
| X-Forworder-For | Used to identify the original IP address of client accessing web server through HTTP proxy or load balancer. |
| WAF response code | Response status code returned by WAF to client. |
| Real server response code | Response status code returned by real server to WAF. |
| Body | Body information carried in client's access request to server. |
Downloading access logs
- Log in to the WAF Console and select Security Overview on the left sidebar to enter the security overview page. Select Access Log > Log Query and click the download icon in the top-right corner to create a download task.
- Only one download task can be created within a certain time period. Please be patient.
- Up to 10,000 logs can be downloaded at a time. If you want to download more logs, you are recommended to download them in multiple batches or contact us for assistance.
- If you select a wildcard domain name (e.g.,
*.abc.com), logs of all associated subdomain names such as those suffixed with.abc.comwill also be downloaded.
- Click Query Download Task, select the desired download task, and click Download to download the log file to your local file system.
Log file field description:
| Download Field | Description |
|---|---|
| time | Access time. |
| host | Client request domain name. |
| client | Client's source IP. |
| ipinfo_nation | Country/region information of client's source IP. |
| ipinfo_province | District information of client's source IP. |
| schema | Client request protocol. |
| method | Client request method. |
| url | Content between the first "/" and "?" after domain name in complete path of client request. |
| query | Content after "?" in complete path of client request, which is also called query string. |
| cookie | Cookie information carried in client's access request to server. |
| referer | Source URL information of client's access request to server. |
| user-agent | Information such as browser type and OS ID in client's request to server. |
| x-forwarded-for | Used to identify the original IP address of client accessing web server through HTTP proxy or load balancer. |
| status | Response status code returned by WAF to client. |
| upstream_status | Response status code returned by real server to WAF. |
| upstream | Intermediate IP and port after a client request passes through WAF. |
| upstream_connect_time | The time it takes for a client request to arrive at the real server from WAF. |
| upstream_response_time | The time it takes for a client request to arrive at WAF from the real server. |
| request_time | The time it takes for a client request to arrive at WAF and return from WAF. |
Was this page helpful?