This guide describes how to search and analyze attack logs.
WAF supports attack logging, which records information about each attack, including the attack time, attacker IP, and attack type. You can query or export data for the last 30 days; search it with full-text search, fuzzy search, and filters; and download the matching data, even millions of logs, based on your search filters.
Field description:
- Action: Observe or Block. Default: All.
- Risk level: High risk, Medium risk, or Low risk.
- Customize field: At the top right of the log list, click to select the fields to be displayed, and then click OK. For details on the log fields, see Log field description.
Downloading attack logs:
Note:
- You can only create one download task at a time. One download task can contain up to 1 million logs. If you need to download more, start the next task after the current one completes, or contact us for support.
- If you select a wildcard domain name (for example, *.abc.com), log entries of all associated subdomain names, such as those suffixed with .abc.com, will also be downloaded.
Basic Information
Field | Description |
---|---|
host | Domain name accessed by the client |
attack_type | Type of the attack |
attack_category | Not available currently |
count | Number of attacks of the same type from the same attacker IP, aggregated every 10 seconds |
attack_ip | Attacker IP, the source IP from which the client launched the attack |
rule_id | ID of the protection rule that was hit. For hits by the AI engine, the rule ID is 0. |
method | Request method used by the client to launch an attack |
risk_level | Risk level of the attack |
attack_time | Time that the attack is launched |
attack_place | Attack location in the HTTP request |
action | Action triggered by the attack |
uri | Content of the request URI |
attack_content | Content of the attack triggered by the client |
http_log | Other information about the request, including the request protocol and protocol version |
user_agent | Browser type and operating system reported in the User-Agent header of the attacker's request. This value is supplied by the client and can be forged. |
headers | Header information, including custom headers |
UUID | Unique identifier of the log |
Attacker IP Attribute
Field | Description |
---|---|
ipinfo_province | Province of the attacker IP |
ipinfo_state | Country abbreviation of the attacker IP |
pinfo_nation | Country name of the attacker IP |
ipinfo_city | City of the attacker IP |
ipinfo_isp | ISP of the attacker IP |
ipinfo_dimensionality | Latitude of the attacker IP |
ipinfo_longitude | Longitude of the attacker IP |
Field | Description |
---|---|
uuid | Unique identifier of the log |
attack_time | Time that the attack is launched by the client |
rule_id | ID of the protection rule triggered by the attack |
count | Number of attacks of the same type from the same attacker IP, aggregated every 10 seconds |
status | Status of the action. 0: observe; 1: block. |
domain | Domain name attacked by the client |
attack_ip | IP address used by the client to launch an attack |
attack_type | Attack type |
args_name | Attacked object in the client request, such as a request parameter, the URI, or the IP |
attack_content | Content of the attack triggered by the client |
uri | URI of the request that triggered the attack |
method | HTTP method of the attack request sent by the client |
user_agent | User-Agent information of the client |
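The following is an added example, not code from this page or from the WAF product, showing how a practitioner would post-process exported attack logs using the fields documented above: it applies the wildcard-domain rule from the download note (*.abc.com covers the subdomains suffixed with .abc.com), maps the numeric status to observe/block, marks rule_id 0 as an AI-engine hit, and sums the 10-second count field per attacker IP and attack type rather than counting records. The JSON-lines layout, the sample records, and the decision that the bare apex domain does not match the wildcard are assumptions made for this example.

```python
import json
from collections import Counter

# Constructed sample records, one JSON object per line, using the field names
# from the exported-log table above. The JSON-lines layout and all values are
# assumptions for this example, not taken from a real WAF export.
SAMPLE_LOGS = """\
{"uuid":"e1","attack_time":"2024-05-01 10:00:01","rule_id":10010,"count":3,"status":1,"domain":"www.abc.com","attack_ip":"198.51.100.7","attack_type":"sqli","args_name":"id","attack_content":"1 OR 1=1","uri":"/item","method":"GET","user_agent":"curl/8.0"}
{"uuid":"e2","attack_time":"2024-05-01 10:00:12","rule_id":0,"count":1,"status":0,"domain":"api.abc.com","attack_ip":"198.51.100.7","attack_type":"xss","args_name":"q","attack_content":"<script>","uri":"/search","method":"GET","user_agent":"curl/8.0"}
{"uuid":"e3","attack_time":"2024-05-01 10:01:00","rule_id":20001,"count":5,"status":1,"domain":"shop.example.org","attack_ip":"203.0.113.9","attack_type":"sqli","args_name":"uri","attack_content":"' OR ''='","uri":"/dl","method":"GET","user_agent":"python-requests/2.31"}
{"uuid":"e4","attack_time":"2024-05-01 10:02:30","rule_id":10010,"count":2,"status":0,"domain":"abc.com","attack_ip":"203.0.113.9","attack_type":"sqli","args_name":"id","attack_content":"1 UNION SELECT","uri":"/item","method":"POST","user_agent":"Mozilla/5.0"}
"""

# From the status field description: 0 = observe, 1 = block.
STATUS_NAMES = {0: "observe", 1: "block"}


def parse_logs(text):
    """Parse JSON-lines export text into dicts, adding derived fields."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["action"] = STATUS_NAMES.get(rec.get("status"), "unknown")
        # rule_id 0 means the hit came from the AI engine, not a numbered rule.
        rec["engine"] = "ai" if rec.get("rule_id") == 0 else "rule"
        records.append(rec)
    return records


def domain_matches(pattern, domain):
    """Wildcard semantics from the download note: '*.abc.com' covers every
    name suffixed with '.abc.com'. The page does not say whether the bare
    apex 'abc.com' is included; this example assumes it is not."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".abc.com"
        return domain.endswith(suffix) and len(domain) > len(suffix)
    return domain == pattern


def filter_logs(records, domain=None, actions=None, engine=None):
    """Apply the same kinds of filters the console offers: domain (with
    wildcard support), action (observe/block) and rule vs. AI-engine hits."""
    out = []
    for r in records:
        if domain and not domain_matches(domain, r["domain"]):
            continue
        if actions and r["action"] not in actions:
            continue
        if engine and r["engine"] != engine:
            continue
        out.append(r)
    return out


def attack_totals(records):
    """Sum 'count' per (attack_ip, attack_type). Each record's count is already
    a 10-second aggregate for that IP and type, so the number of attacks is the
    sum of counts, not the number of records."""
    totals = Counter()
    for r in records:
        totals[(r["attack_ip"], r["attack_type"])] += r["count"]
    return totals


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for r in filter_logs(recs, domain="*.abc.com"):
        print(r["uuid"], r["domain"], r["action"], r["engine"])
    for (ip, kind), n in attack_totals(recs).most_common():
        print(f"{ip} {kind}: {n} attacks")
```

Summing count instead of counting rows matters when the same attacker hits a parameter hundreds of times within one 10-second window: that shows up as one log entry with a large count, and a row count would understate it badly.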