Attack Logs

Last updated: 2022-06-24 10:53:50

    This guide describes how to search and analyze attack logs.

    Overview

    WAF logs attack information, including the attack time, attacker IP and attack type. You can query or export data for the last 30 days, search it with full-text search, fuzzy search and filters, and download the matching data, even millions of logs, based on your search filters.

    Directions

    1. Log in to the WAF console and select Log Service > Attack Logs on the left sidebar.
    2. On the log search tab, select a domain name, attack type, action and attack time to view the attack log.

    Field description:

    • Domain name: Multiple domain names can be selected. All domain names are displayed by default.
    • Attack type: Multiple attack types can be selected. All attack types are displayed by default. Attack types cover the observe and block logs generated by the various security modules.
    • Action type: Observe or Block. Default: All.
    • Risk level: High risk, Medium risk or Low risk.
    • Time period: Select the time period you want. By default, a time period of one hour is selected.
    • Auto refresh: Automatic refresh is disabled by default. If it is enabled, you can select an auto-refresh interval to obtain the latest attack log data.
    3. Specify the search filters, then click Search to view the search results.
    4. On the left of the raw data page, click a specific statistical field to quickly see each field value as a percentage of the attack logs matching your search filters.
    • Customize field: At the top right of the log list, click to select the fields to be displayed, and then click OK. For details on the log fields, see Log field description.

    • Downloading attack logs:

    1. At the top right of the log list, click to create a download task.
    Note:

    • You can only create one download task at a time. One download task can contain up to 1 million logs. If you need to download more, create the next task after the previous one completes, or contact us for support.
    • If you select a wildcard domain name (for example, *.abc.com), log entries of all associated subdomain names, such as those suffixed with .abc.com, will also be downloaded.
    2. At the top of the Attack Logs page, click Download to view the download status.
    3. Enter a download task name and click Create. The download will start after the task is created.
    5. On the right of the raw data page, click the unfold button to display the log details. To view the information in JSON format, click JSON.
    6. On the log details page, select a specific parameter value as a search filter. Combinations of multiple fields are also supported for searching.

    Appendix

    Log field description

    Basic Information

    Field              Description
    host               Domain name accessed by the client
    attack_type        All attack types
    attack_category    Currently unavailable
    count              Number of attacks of the same type from the same attacker IP every 10 seconds
    attack_ip          Attacker IP, the source IP used by the client to launch an attack
    rule_id            ID of the hit protection rule. Rules hit by the AI engine have rule ID 0.
    method             Request method used by the client to launch an attack
    risk_level         Risk level of the attack
    attack_time        Time at which the attack was launched
    attack_place       Attack location in the HTTP request
    action             Action triggered by the attack
    uri                Content of the request URI
    attack_content     Content of the attack triggered by the client
    http_log           Other information about the request, including the request protocol and protocol version
    user_agent         Information about the browser type and operating system used by the attacker IP
    headers            Header information, including custom headers
    UUID               Unique identifier of the log

    Attacker IP Attribute

    Field                    Description
    ipinfo_province          Province of the attacker IP
    ipinfo_state             Country abbreviation of the attacker IP
    ipinfo_nation            Country name of the attacker IP
    ipinfo_city              City of the attacker IP
    ipinfo_isp               ISP of the attacker IP
    ipinfo_dimensionality    Latitude of the attacker IP
    ipinfo_longitude         Longitude of the attacker IP

    Log field description

    Field             Description
    uuid              Unique identifier of the log
    attack_time       Time at which the attack was launched by the client
    rule_id           ID of the protection rule triggered by the attack
    count             Number of attacks of the same type from the same attacker IP every 10 seconds
    status            Status of the action. 0: observe; 1: block.
    domain            Domain name attacked by the client
    attack_ip         IP address used by the client to launch an attack
    attack_type       Attack type
    args_name         Attacked object in the client request, such as request parameters, URI, and IP
    attack_content    Content of the attack triggered by the client
    uri               URI of the attack triggered by the client
    method            Method of the attack request sent by the client
    user_agent        User-Agent information of the client
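    The following is an added example, not part of the original guide or of Tencent Cloud's own tooling. It assumes an attack-log export in JSON-lines form using the field names of the table above, and reproduces offline two things the console does: the per-field percentage breakdown (by log entry) and filtering by action status, attack type, or a wildcard domain name such as *.abc.com. The log entries are constructed sample data.

```python
import json
from collections import Counter

# Constructed sample export (JSON lines), using the field names from the
# "Log field description" table: status 0 = observe, 1 = block; rule_id 0 = AI engine.
SAMPLE_EXPORT = """
{"uuid": "c1", "attack_time": "2022-06-24 10:00:01", "rule_id": 0, "count": 3, "status": 1, "domain": "www.abc.com", "attack_ip": "198.51.100.10", "attack_type": "SQL injection", "args_name": "id", "attack_content": "constructed-payload-1", "uri": "/item", "method": "GET", "user_agent": "curl/7.0"}
{"uuid": "c2", "attack_time": "2022-06-24 10:00:04", "rule_id": 42, "count": 1, "status": 0, "domain": "api.abc.com", "attack_ip": "198.51.100.10", "attack_type": "XSS", "args_name": "q", "attack_content": "constructed-payload-2", "uri": "/search", "method": "GET", "user_agent": "curl/7.0"}
{"uuid": "c3", "attack_time": "2022-06-24 10:00:09", "rule_id": 43, "count": 2, "status": 1, "domain": "shop.example.net", "attack_ip": "203.0.113.5", "attack_type": "SQL injection", "args_name": "uri", "attack_content": "constructed-payload-3", "uri": "/cart", "method": "POST", "user_agent": "Mozilla/5.0"}
"""


def parse_export(text):
    """Parse a JSON-lines export into a list of log entry dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def domain_matches(pattern, domain):
    """Wildcard selection as described in the guide: '*.abc.com' covers every
    name suffixed with '.abc.com'; any other pattern must match exactly."""
    if pattern.startswith("*."):
        return domain.endswith(pattern[1:])
    return domain == pattern


def filter_logs(logs, domain=None, status=None, attack_type=None):
    """Keep entries matching every filter that is given (None = not filtered)."""
    kept = []
    for entry in logs:
        if domain is not None and not domain_matches(domain, entry["domain"]):
            continue
        if status is not None and entry["status"] != status:
            continue
        if attack_type is not None and entry["attack_type"] != attack_type:
            continue
        kept.append(entry)
    return kept


def field_breakdown(logs, field):
    """Share of entries per value of `field`, in percent rounded to one decimal
    (each log entry counted once, like the console's statistical field panel)."""
    totals = Counter(entry[field] for entry in logs)
    grand = sum(totals.values())
    return {value: round(100 * n / grand, 1) for value, n in totals.items()} if grand else {}


SAMPLE_LOGS = parse_export(SAMPLE_EXPORT)

if __name__ == "__main__":
    print(field_breakdown(SAMPLE_LOGS, "attack_type"))
    print([e["uuid"] for e in filter_logs(SAMPLE_LOGS, domain="*.abc.com", status=1)])
```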