WAF logs information on cyberattacks by default, which includes the time, source IP, type, and details of attacks. You can set filters to query logs as needed and download the query results.
Search criteria description:
- Domain name: select the target domain name in the domain name drop-down list.
- Attack time: it is
Last 1 hour by default. You can search attack logs of up to 30 days.
- Risk grade: it is
All risk grades by default. You can select
- Action: it is
All actions by default. You can select
- Rule ID: enter the target rule ID, which can be found in the log entries.
- Attack source IP: enter the attack source IP that you want to search.
2. Click the button at the upper-right corner. In the Custom fields dialog box, select the fields to be displayed in the list, as shown in the following figure.
3. View the attack details. Select the target log entry and click details in the "Operation" column on the right to view the attack details.
4. On the log details page, view the corresponding fields.
Log details field description:
|Domain Name||Domain name accessed by the client.|
|Attack type||Attack types currently supported by
|Attack Count||Number of attacks from the same attack source IP address and of the same type, calculated once every 10 seconds.|
|Attack source IP||Source IP address of a client attack.|
|Rule ID||ID of the rule that triggers a protection policy. If an attack is detected by the AI engine, the rule ID will be 0.|
|Rule Name||Name of the rule that triggers a protection policy, which is empty for the rule engine and AI engine.|
|Request method||Method of the attack requests used in a client attack.|
|Risk grade||Level of risk caused by the client attack.|
|Attack time||Time of the client attack.|
|Source||Source matching information of the client attack, such as the source IP address.|
|Action||Action triggered by the client attack.|
|Request URI||Content of the request URI.|
|Attack Content||Content of the client attack.|
|Region||Abbreviation of the country/region where the source IP address was purchased.|
|IP Owner||Owner of the purchased source IP address.|
|Country||Country/region where attack source IP address is registered.|
|Province||Province where the attack source IP address is registered.|
|City||City where the attack source IP address is registered.|
|Carrier||ISP to which the attack source IP address belongs.|
|Longitude||Longitude of the attack source IP address.|
|Latitude||Latitude of the attack source IP address.|
|Protocol Version||HTTP version information of the attack source IP address.|
|User-Agent||Information such as browser type and OS ID in the requests from the attack source IP address to a server.|
Log in to the WAF Console and select Web Application Firewall -> Attack Log on the left sidebar. On the Attack Log page, click Log Search and click the download icon in the upper-right corner to create a download task.
*.abc.com), logs of all associated subdomain names such as those suffixed with
.abc.comwill also be downloaded.
Click the Download Task tab, select a target download task, and click Download in the Operation column on the right to download the log file to your local file system.
As the log file is in CSV format and encoded in UTF-8, it is incompatible with Excel. If opened in Excel, the attack type will appear as garbled text. Please use compatible editors such as WPS or Sublime to open it.
** Log file field description:**
|attack_time||Time of the client attack.|
|rule_id||ID of the rule triggered by the client attack.|
|count||Number of attacks from the same attack source IP address and of the same type, calculated once every 10 seconds.|
|status||Action taken. 0: observation; 1: block.|
|domain||Information of the domain name targeted by the client attack.|
|attack_ip||IP address of the client attack.|
|attack_type||Type of the client attack.|
|args_name||Location of the attack in the client request, such as request parameter, URI, or IP.|
|attack_content||Content of the client attack.|
|uri||URI information for the client attack.|
|method||Method of the attack requests used in the client attack.|
|user_agent||User_Agent information of the client.|