- WAF Release Notes
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practice
- FAQS
- Security Advisory
- Command Execution Vulnerability in Exchange Server
- SQL Injection Vulnerability in Yonyou GRP-U8
- XXE Vulnerability in Apache Cocoon (CVE-2020-11991)
- Arbitrary Code Execution Vulnerability in WordPress File Manager
- Jenkins Security Advisory for September
- Remote Code Execution Vulnerabilities in Apache Struts 2 (CVE-2019-0230 and CVE-2019-0233)
- SQL Injection Vulnerability in Apache SkyWalking (CVE-2020-13921)
- WAF Policy
- Glossary
- WAF Release Notes
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practice
- FAQS
- Security Advisory
- Command Execution Vulnerability in Exchange Server
- SQL Injection Vulnerability in Yonyou GRP-U8
- XXE Vulnerability in Apache Cocoon (CVE-2020-11991)
- Arbitrary Code Execution Vulnerability in WordPress File Manager
- Jenkins Security Advisory for September
- Remote Code Execution Vulnerabilities in Apache Struts 2 (CVE-2019-0230 and CVE-2019-0233)
- SQL Injection Vulnerability in Apache SkyWalking (CVE-2020-13921)
- WAF Policy
- Glossary
Overview
WAF logs information on cyberattacks by default, which includes the time, source IP, type, and details of attacks. You can set filters to query logs as needed and download the query results.
Instructions
Querying attack logs
- Log in to the WAF Console and choose Web Application Firewall -> Attack Log on the left sidebar. On the Attack Log page, click Log Search, select the target domain name in the drop-down list at the top, set search criteria as needed, and click Search to view the corresponding attack logs.
Search criteria description:
- Domain name: select the target domain name in the domain name drop-down list.
- Attack time: it is Last 1 hour by default. You can search attack logs of up to 30 days.
- Risk grade: it is All risk grades by default. You can select Major, Medium, or Minor.
- Action: it is All actions by default. You can select Observation or Block.
- Rule ID: enter the target rule ID, which can be found in the log entries.
- Attack source IP: enter the attack source IP that you want to search.
2. Click the 
3. View the attack details. Select the target log entry and click details in the "Operation" column on the right to view the attack details.
4. On the log details page, view the corresponding fields.
Log details field description:
- Basic Info
| Field | Description |
|---|---|
| Domain Name | Domain name accessed by the client. |
| Attack type | Attack types currently supported by WAF, which is "All" by default. |
| Attack Count | Number of attacks from the same attack source IP address and of the same type, calculated once every 10 seconds. |
| Attack source IP | Source IP address of a client attack. |
| Rule ID | ID of the rule that triggers a protection policy. If an attack is detected by the AI engine, the rule ID will be 0. |
| Rule Name | Name of the rule that triggers a protection policy, which is empty for the rule engine and AI engine. |
| Request method | Method of the attack requests used in a client attack. |
| Risk grade | Level of risk caused by the client attack. |
| Attack time | Time of the client attack. |
| Source | Source matching information of the client attack, such as the source IP address. |
| Action | Action triggered by the client attack. |
| Request URI | Content of the request URI. |
| Attack Content | Content of the client attack. |
- Attack IP Details
| Field | Description |
|---|---|
| Region | Abbreviation of the country/region where the source IP address was purchased. |
| IP Owner | Owner of the purchased source IP address. |
| Country | Country/region where attack source IP address is registered. |
| Province | Province where the attack source IP address is registered. |
| City | City where the attack source IP address is registered. |
| Carrier | ISP to which the attack source IP address belongs. |
| Longitude | Longitude of the attack source IP address. |
| Latitude | Latitude of the attack source IP address. |
- Details
| Field | Description |
|---|---|
| Protocol Version | HTTP version information of the attack source IP address. |
| User-Agent | Information such as browser type and OS ID in the requests from the attack source IP address to a server. |
Downloading attack logs
Log in to the WAF Console and select Web Application Firewall -> Attack Log on the left sidebar. On the Attack Log page, click Log Search and click the download icon in the upper-right corner to create a download task.
Note:
- Only one download task can be created within a certain time period.
- Up to 10,000 logs can be downloaded at a time. If you want to download more logs, we recommend that you download them in multiple batches or contact us for assistance.
- If you select a wildcard domain name (e.g.,
*.abc.com), logs of all associated subdomain names such as those suffixed with.abc.comwill also be downloaded.
Click the Download Task tab, select a target download task, and click Download in the Operation column on the right to download the log file to your local file system.
Note:
As the log file is in CSV format and encoded in UTF-8, it is incompatible with Excel. If opened in Excel, the attack type will appear as garbled text. Please use compatible editors such as WPS or Sublime to open it.
** Log file field description:**
| Download Field | Description |
|---|---|
| attack_time | Time of the client attack. |
| rule_id | ID of the rule triggered by the client attack. |
| count | Number of attacks from the same attack source IP address and of the same type, calculated once every 10 seconds. |
| status | Action taken. 0: observation; 1: block. |
| domain | Information of the domain name targeted by the client attack. |
| attack_ip | IP address of the client attack. |
| attack_type | Type of the client attack. |
| args_name | Location of the attack in the client request, such as request parameter, URI, or IP. |
| attack_content | Content of the client attack. |
| uri | URI information for the client attack. |
| method | Method of the attack requests used in the client attack. |
| user_agent | User_Agent information of the client. |
Was this page helpful?