Enabling LTS for WAF Logging

After you authorize WAF to access Log Tank Service (LTS), you can use the WAF logs recorded by LTS for quick and efficient real-time analysis, device O&M management, and analysis of service trends.

LTS analyzes and processes a large number of logs. It enables you to process logs in real-time, efficiently, and securely. Logs can be stored in LTS for seven days by default but you can configure LTS for up to 30 days if needed. Logs earlier than 30 days are automatically deleted. However, you can configure LTS to dump those logs to an Object Storage Service (OBS) bucket or enable Data Ingestion Service (DIS) for long-term storage.

Prerequisites

  • You have applied for your WAF.

  • The website to be protected has been added to WAF.

Impact on the System

Enabling LTS for WAF does not affect WAF performance.

Enabling LTS for WAF Protection Event Logging

  1. Log in to the management console.

  2. Click image1 in the upper left corner of the management console and select a region or project.

  3. Click image2 in the upper left corner and choose Web Application Firewall (Dedicated) under Security.

  4. In the navigation pane on the left, choose Events.

  5. Click the Configure Logs tab, enable LTS (image3), and select a log group and log stream. Table 1 describes the parameters.

    **Figure 1** Configuring logs

    Figure 1 Configuring logs

    Table 1 Log configuration

    Parameter

    Description

    Example Value

    Log Group

    Select a log group or click View Log Group to go to the LTS console and create a log group.

    lts-group-waf

    Attack Log

    Select a log stream or click View Log Stream to go to the LTS console and create a log stream.

    An attack log includes information about event type, protective action, and attack source IP address of each attack.

    lts-topic-waf-attack

    Access Log

    Select a log stream or click View Log Stream to go to the LTS console and create a log stream.

    An access log includes key information about access time, client IP address, and resource URL of each HTTP access requests.

    lts-topic-waf-access

  6. Click OK.

    You can view WAF protection event logs on the LTS console.

Viewing WAF Protection Event Logs on LTS

After enabling LTS, perform the following steps to view and analyze WAF logs on the LTS console.

  1. Log in to the management console.

  2. Click image4 in the upper left corner of the management console and select a region or project.

  3. Click image5 in the upper left corner of the page and choose Management & Deployment > Log Tank Service.

  4. In the log group list, click image6 to expand the WAF log group (for example, lts-group-waf).

  5. View protection event logs.

    • View attack logs.

      1. In the log stream list, click the name of the configured attack log stream.

      2. View attack logs.

        **Figure 2** Viewing attack logs

        Figure 2 Viewing attack logs

    • View access logs.

      1. In the log stream list, click the name of the configured access log stream.

      2. View access logs.

        **Figure 3** Viewing access logs

        Figure 3 Viewing access logs

WAF access_log Field

Field

Type

Field Description

Description

requestid

string

Random ID

The value is the same as the last eight characters of the req_id field in the attack log.

time

string

Time an access request is received.

GMT time a log is generated.

eng_ip

string

IP address of the WAF engine

-

hostid

string

Domain name identifier of the access request.

Protected domain name ID (upstream_id).

tenantid

string

Account ID

Your account

projectid

string

ID of the project the protected domain name belongs to

Project ID of a user in a specific region.

remote_ip

string

IP address from which a client request originates.

IP address from which a client request originates.

Important

NOTICE: If a layer-7 proxy is deployed in front of WAF, this field indicates the IP address of the proxy node closest to WAF. The real IP address of the visitor is specified by the x-forwarded-for and x_real_ip fields.

x-forwarded-for

string

A string of IP addresses for a proxy when the proxy is deployed in front of WAF.

The sting includes one or more IP addresses.

The leftmost IP address is the originating IP address of the client. Each time the proxy server receives a request, it adds the source IP address of the request to the right of the originating IP address.

x_real_ip

string

Real IP address of the client when a proxy is deployed in front of WAF.

Real IP address of the client, which is identified by the proxy.

cdn_src_ip

string

Client IP address identified by CDN when CDN is deployed in front of WAF

This field specifies the real IP address of the client if CDN is deployed in front of WAF.

Important

NOTICE: Some CDN vendors may use other fields. WAF records only the most common fields.

scheme

string

Request protocol

Protocols that can be used in the request:

  • HTTP

  • HTTPS

response_code

string

Response code

Response status code returned by the origin server to WAF.

method

string

Request method.

Request type in a request line. Generally, the value is GET or POST.

http_host

string

Domain name of the requested server.

Address, domain name, or IP address entered in the address box of a browser.

url

string

Request URL.

Path in a URL (excluding the domain name).

request_length

string

Request length.

The request length includes the access request address, HTTP request header, and number of bytes in the request body.

bytes_send

string

Total number of bytes sent to the client.

Number of bytes sent by WAF to the client.

body_bytes_sent

string

Total number of bytes of the response body sent to the client

Number of bytes of the response body sent by WAF to the client

upstream_addr

string

Address of the backend server.

IP address of the origin server for which a request is destined. For example, if WAF forwards requests to an ECS, the IP address of the ECS is returned to this parameter.

request_time

string

Request processing time

Processing time starts when the first byte of the client is read.

upstream_response_time

string

Backend server response time.

Time when the backend server responds to the WAF request.

upstream_status

string

Response code of the backend server.

Response status code returned by the backend server to WAF.

upstream_connect_time

string

Time elapsed for origin servers to connect to backend servers

Time for the origin server to establish a connection to its backend servers. If the backend service uses an encryption protocol, this parameter includes the handshake time.

upstream_header_time

string

Time used by the backend server to receive the first byte of the response header.

-

bind_ip

string

WAF engine back-to-source IP address.

Back-to-source IP address used by the WAF engine.

group_id

string

LTS log group ID

ID of the log group for interconnecting WAF with LTS.

access_stream_id

string

Log stream ID.

ID of access_stream of the user in the log group identified by the group_id field.

engine_id

string

WAF engine ID

Unique ID of the WAF engine.

time_iso8601

string

ISO 8601 time format of logs.

-

sni

string

Domain name requested through SNI.

-

tls_version

string

Protocol version for establishing an SSL connection.

TLS version used in the request.

ssl_curves

string

Curve group list supported by the client.

-

ssl_session_reused

string

SSL session reuse

Whether the SSL session can be reused

r: Yes

.: No

process_time

string

Detection duration

-

WAF request_log field description

Field

Type

Field Description

Description

scheme

string

Request protocol

Protocols that can be used in the request:

  • HTTP

  • https

hport

string

Listening port for the engine

-

body_bytes_sent

string

Total number of bytes of the response body sent to the client.

-

hostid

string

Protected domain name ID (upstream_id).

-

time_iso8601

string

ISO 8601 time format of logs.

-

host

string

Domain name of the requested server.

-

tenantid

string

Account ID

-

inet_ip

string

IP address of the engine

-

backend.protocol

string

Current backend protocol

-

backend.alive

string

Current backend status

-

backend.port

string

Current backend port

-

backend.host

string

Current backend host value

-

backend.type

string

Current backend host type

Type of the backend host. It can be a domain name or an IP address.

id

string

Request ID

The last eight characters are the same as the first eight characters of the requestid in the access log.

sip

string

IP address from which a client request originates.

-

sport

string

Port used by the IP address from which a client request originates.

-

projectid

string

ID of the project the protected domain name belongs to

-

cookie

string

Cookie

-

method

string

Request method.

-

uri

string

Request URI

-

request_stream_id

string

Log stream ID

ID of request_stream of the user in the log group identified by the group_id field.

group_id

string

Log group ID

LTS log group ID

engine_id

string

Unique ID of the engine

-

header

string

Header content

-

time

string

Log time

-

category

string

Log category

The value is request.

status

string

Response code

-

WAF attack_log field description

Field

Type

Field Description

Description

category

string

Log category

The value is attack.

time

string

Log time

-

time_iso8601

string

ISO 8601 time format of logs.

-

policy_id

string

Policy ID

-

level

string

Protection level

Protection level of a built-in rule in basic web protection

  • 1: Low

  • 2: Medium

  • 3: High

attack

string

Type of attack

Attack type. This parameter is listed in attack logs only.

  • default: default attacks

  • sqli: SQL injections

  • xss: cross-site scripting (XSS) attacks

  • webshell: web shells

  • robot: malicious crawlers

  • cmdi: command injections

  • rfi: remote file inclusion attacks

  • lfi: local file inclusion attacks

  • illegal: unauthorized requests

  • vuln: exploits

  • cc: attacks that hit the CC protection rules

  • custom_custom: attacks that hit a precise protection rule

  • custom_whiteip: attacks that hit an IP address blacklist or whitelist rule

  • custom_geoip: attacks that hit a geolocation access control rule

  • antitamper: attacks that hit a web tamper protection rule

  • anticrawler: attacks that hit the JS challenge anti-crawler rule

  • leakage: vulnerabilities that hit an information leakage prevention rule

  • followed_action: The source is marked as a known attack source.

action

string

Protective action

WAF defense action.

  • block: WAF blocks attacks.

  • log: WAF only logs detected attacks.

  • captcha: Verification code

sub_type

string

Crawler types

When attack is set to robot, this parameter cannot be left blank.

  • script_tool: Script tools

  • search_engine: Search engines

  • scanner: Scanning tools

  • uncategorized: Other crawlers

rule

string

ID of the triggered rule or the description of the custom policy type.

-

location

string

Location triggering the malicious load

-

hit_data

string

String triggering the malicious load

-

resp_headers

string

Response header

-

resp_body

string

Response body

-

backend

string

Address of the backend server to which the request is forwarded.

-

status

string

Response status code

-

reqid

string

Random ID

-

id

string

Attack ID

ID of the attack

method

string

Request method

-

sip

string

Client request IP address

-

sport

string

Client request port

-

host

string

Requested domain name

-

http_host

string

Domain name of the requested server.

-

hport

string

Port of the requested server.

-

uri

string

Request URL.

The domain is excluded.

header

A JSON string. A JSON table is obtained after the string is decoded.

Request header

-

multipart

A JSON string. A JSON table is obtained after the string is decoded.

Request multipart header

This parameter is used to upload files.

cookie

A JSON string. A JSON table is obtained after the string is decoded.

Cookie of the request

-

params

A JSON string. A JSON table is obtained after the string is decoded.

Params value following the request URI.

-

body_bytes_sent

string

Total number of bytes of the response body sent to the client.

Total number of bytes of the response body sent by WAF to the client.

upstream_response_time

string

Backend server response time.

-

process_time

string

Detection duration

-

engine_id

string

Unique ID of the engine

-

group_id

string

Log group ID

LTS log group ID

attack_stream_id

string

Log stream ID

ID of access_stream of the user in the log group identified by the group_id field.

hostid

string

Protected domain name ID (upstream_id).

-

tenantid

string

Account ID

-

projectid

string

ID of the project the protected domain name belongs to

-

last updated: 2024-09-09 09:53 UTC - commit: 0dd8692423ca7a0fd922b672f45ba4c8930aad67