- Release Notes and Announcements
- Release Notes
- Announcements
- Security Advisory
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44832)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-45046)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)
- Notice for WebLogic Console HTTP RCE Vulnerability
- Notice for Exchange Server Command Execution Vulnerability
- Notice for Yonyou GRP-U8 SQL Injection Vulnerability
- Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)
- Notice for WordPress File Manager Arbitrary Code Execution Vulnerability
- Jenkins Security Advisory for September
- Notice for Apache Struts 2 RCE Vulnerabilities (CVE-2019-0230 and CVE-2019-0233)
- Notice for Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practice
- Combined Application of WAF and Anti-DDoS Pro
- WAF Security Protection for API Gateway
- Applying for and Using Free HTTPS Certificates
- Obtaining Real Client IPs
- Replacing Certificate
- Setting CC Protection
- WAF CCP Overview
- Connecting Frontend-Backend Separated Site to WAF CAPTCHA
- Best Practices of Bot Behavior Management Connection
- FAQS
- Service Level Agreement
- WAF Policy
- Contact Us
- Glossary
- Release Notes and Announcements
- Release Notes
- Announcements
- Security Advisory
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44832)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-45046)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)
- Notice for WebLogic Console HTTP RCE Vulnerability
- Notice for Exchange Server Command Execution Vulnerability
- Notice for Yonyou GRP-U8 SQL Injection Vulnerability
- Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)
- Notice for WordPress File Manager Arbitrary Code Execution Vulnerability
- Jenkins Security Advisory for September
- Notice for Apache Struts 2 RCE Vulnerabilities (CVE-2019-0230 and CVE-2019-0233)
- Notice for Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practice
- Combined Application of WAF and Anti-DDoS Pro
- WAF Security Protection for API Gateway
- Applying for and Using Free HTTPS Certificates
- Obtaining Real Client IPs
- Replacing Certificate
- Setting CC Protection
- WAF CCP Overview
- Connecting Frontend-Backend Separated Site to WAF CAPTCHA
- Best Practices of Bot Behavior Management Connection
- FAQS
- Service Level Agreement
- WAF Policy
- Contact Us
- Glossary
This guide describes how to search and analyze attack logs.
Overview
WAF supports logging to get attack information including the attack time, attacker IP and attack type. You can query or export the data for the last 30 days, search data with full-text search, fuzzy search, and search by filter, and download data and even million of logs based on your search filters.
Directions
- Log in to the WAF console and select Log Service > Attack Logs on the left sidebar.
- On the log search tab, select a domain name, attack type, action and attack time to view the attack log.
Field description:
- Domain name: It supports multiple domain names. All domain names will be displayed by default.
- Attack type: It supports multiple attack types. All attack types will be displayed by default. Attack types involve observation and blocking logs generated by various security modules.
- Action type: It supports
ObserveorBlock. Default:All. - Risk level: It supports
High risk,Medium riskorLow risk. - Time period: It supports selecting a time period you want. By default, a time period of one hour is selected.
- Auto refresh: It supports automatic refresh, which is disabled by default. If it is enabled, you can select a time period for auto refresh and obtain the latest attack log data.
- Specify the search filters prior to clicking Search to view search results.
- On the left of the raw data page, click a specific statistical field to quickly check each field value as a percentage of the attack log based on your search filters.
Customize field: At the top right of the log list, click
to select fields to be displayed, and then click OK. To know more about the log fields, refer to Log field description.
Downloading attack logs:
- At the top right of the log list, click
to create a download task.
Note:
- You can only create one download task at a time. One download task can contain up to 1 million logs. If you need to download more, it is recommended to create a task to start after another task completes, or contact us for support.
- If you select a wildcard domain name (for example, *.abc.com), log entries of all associated subdomain names such as those suffixed with .abc.com will also be downloaded.
- At the top of the Attack Logs page, click Download to view the downloading status.
- Enter a download task name and click Create. The download will start after the task is created.
- On the right of the raw data page, click the unfold button to display log details. To view the information in JSON format, click JSON.
- On the log details page, select a specific parameter value as a search filter. Multiple field combinations are also supported for searching.
Appendix
Log field description
Basic Information
| Field | Description |
|---|---|
| host | Domain name accessed by the client |
| attack_type | All attack types |
| attack_category | Unavailable currently |
| count | Number of attacks of the same type from the same attacker IP every 10 seconds |
| attack_ip | Attacker IP, the source IP used by the client to launch an attack |
| rule_id | ID of the hit protection rule. ID of the rule taken by the AI engine is 0. |
| method | Request method used by the client to launch an attack |
| risk_level | Risk level of the attack |
| attack_time | Time that the attack is launched |
| attack_place | Attack location in the HTTP request |
| action | Action triggered by the attack |
| uri | Content of the request URI |
| attack_content | Content of the attack triggered by the client |
| http_log | Other information of the request, including the request protocol and protocol version |
| user_agent | Information about the browser type and operating system used by the attacker IP |
| headers | Header information, including custom headers |
| UUID | Unique identifier of the log |
Attacker IP Attribute
| Field | Description |
|---|---|
| ipinfo_province | Province of the attacker IP |
| ipinfo_state | Country abbreviation of the attacker IP |
| pinfo_nation | Country name of the attacker IP |
| ipinfo_city | City of the attacker IP |
| ipinfo_isp | ISP of the attacker IP |
| ipinfo_dimensionality | Latitude of the attacker IP |
| ipinfo_longitude | Longitude of the attacker IP |
Log field description
| Field | Description |
|---|---|
| uuid | Unique identifier of the log |
| attack_time | Time that the attack is launched by the client |
| rule_id | ID of the protection rule triggered by the attack |
| count | Number of attacks of the same type from the same attacker IP every 10 seconds |
| status | Status of the action. 0: observe; 1: block. |
| domain | Domain name attacked by the client |
| attack_ip | IP address used by the client to launch an attack |
| attack_type | Attack type |
| args_name | Attacked object in a client request, such as request parameters, URI, and IP |
| attack_content | Content of the attack triggered by the client |
| uri | URI of the attack triggered by the client |
| method | Method of the attack request sent by the client |
| user_agent | User-Agent information of the client |
Yes
No
Was this page helpful?