tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Web Application Firewall
    Documentation
    Download PDF

    Attack Logs

    Last updated: 2023-12-29 14:46:24
    Download PDF
      This guide describes how to search and analyze attack logs.

      Background

      WAF collects attack logs that record information about the attack time, attacker IP and attack type, and allows you to query and download logs for up to 30 days in the past by full-text search, fuzzy search and filter search (which support downloading million of logs).

      Searching Attack Logs

      1. Log in to the WAF console. Select Attack Logs on the left sidebar and then the Log service tab.
      2. Select the instance, domain name, attack type, action and attack time to search attack logs.
      
      
      Field Name
      Description
      Instance
      Select instances. By default, all instances are selected.
      Domain name
      Select domain names. By default, all domain names are selected.
      Attack type
      Select attack types observed/blocked by security modules. By default, all attack types are selected.
      Action
      Select Observe or Block. By default, all actions are selected.
      Risk level
      Select High risk, Medium risk or Low risk. By default, all risk levels are selected.
      Time period
      Select a time period for the logs you want to search. If this field is not specified, Last 1 hour is selected by default.
      Auto-refresh
      Automatically refresh the page at the specified frequency. This feature is disabled by default.
      3. Specify the search filters prior to clicking Search.
      
      

      Analyzing Attack Logs

      1. On the top right of the log list, click
      
      to select fields, and then click OK. To know more about the log fields, refer to Log field description.
      
      
      2. On the left of the Raw data section, select the field you want to view its percentage. Then select the value to filter the log results.
      
      
      3. Click
      
      to expand log details, where you can select the field value to find the log results. To view logs in JSON format, click JSON.
      
      

      Downloading Attack Logs

      1. On the top right of the log list, click
      
      to view your download tasks.
      Note
      By default, your log results are downloaded.
      Only one download task can be created at a time.
      One download task can contain up to 1 million logs. If you need to download more, it is recommended to create multiple tasks one by one, or contact us for support.
      If you select a wildcard domain name (for example, *.abc.com), logs of all its associated subdomain names such as those suffixed with .abc.com will also be downloaded.
      2. On the Download task page, click Create task.
      
      
      3. Enter a task name and click Create.
      
      
      4. After the task is created, you can view the total number of logs, download progress, download status, creation time, and expiration time. Click Download to export the logs in CSV format.
      Note
      Logs downloaded are retained for 3 days.

      See Also

      Log field description

      Basic Information
      Field Name
      Description
      host
      The domain name accessed by the client.
      uri
      The request URI, which is a character string for identifying resources.
      attack_ip
      The source IP of the attack.
      attack_type
      The attack type.
      rule_id
      ID of the protection rule applied. Note that ID of the AI engine rule is 0.
      method
      The request method used in the attack request.
      user_agent
      User-Agent that records information about the browser type and operating system used by the attacker IP.
      risk_level
      Risk level of the attack.
      status
      The action taken on the attack request. Valid values are 0 (Observe) and 1 (Block).
      count
      Number of attacks from the same attacker IP every 10 seconds.
      domain
      The domain name attacked by the client.
      pan
      The domain name accessed by the client.
      domain_name
      The domain name accessed by the client.
      attack_time
      The time that the attack is launched.
      attack_place
      The attack location in the HTTP request.
      action
      The action to take on the attack request. Valid values are 0 (Observe) and 1 (Block).
      ipinfo_nation
      Country of the attacker IP.
      ipinfo_province
      Province/State of the attacker IP.
      ipinfo_city
      City of the attacker IP.
      ipinfo_state
      Country of the attacker IP.
      ipinfo_dimensionality
      Latitude of the attacker IP.
      instance
      Name of the WAF instance accessed by the domain name.
      attack_category
      The attack category (unavailable currently).
      edition
      Edition of the WAF instance. Valid values are sparta-waf (SaaS WAF) and clb-waf (CLB WAF).
      uuid
      Unique ID of the log.
      attack_content
      The content that was attacked.
      http_log
      The log files recording HTTP requests and responses.
      headers
      The protocol headers, including custom headers.
      rule_name
      The rule name (unavailable currently).
      count
      Number of attacks of the same type from the same attacker IP every 10 seconds.
      args_name
      Parameters in the HTTP request.
      ipinfo_isp
      ISP of the attacker IP.
      appid
      APPID of the Tencent Cloud account.
      ipinfo_longitude
      Longitude of the attacker IP.
      
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy