Downloading Events¶
This topic describes how to download events (logged and blocked events) data for the last five days. One or more CSV files containing the event data of the current day will be generated at the beginning of the next day.
Note
If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and download protection event logs in the project.
Prerequisites¶
An event file has been generated.
Specification Limitations¶
Each file can include a maximum of 5,000 events. If there are more than 5,000 events, another file is generated.
Only event data for the last five days can be downloaded through the WAF console.
Downloading Events Data¶
Log in to the management console.
Click
in the upper left corner and select a region or project.Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security.In the navigation pane on the left, click Events.
On the Downloads tab, click Download in the Operation column of the target protection event file to download the protection data file.
Table 1 describes the parameters in the protection event data list.
Table 1 Parameter description¶ Parameter
Description
File Name
Data name of the protection event. The format is File name.csv.
File Source
Data source of the protection event.
Number of Events
Total number of events, including blocked and logged-only events.
Note
Each file can include a maximum of 5,000 events. If there are more than 5,000 events, another file is generated.
Generated
Time the protection event data was generated.
After the download is complete, you can obtain the downloaded file in the download list of the browser and check the events in the file.
Fields in a Protection Event Data File¶
Field | Description | Example Value |
|---|---|---|
action | Protective action taken in response to the event | Block |
attack | Attack type | SQL Injection |
body | Request content of the attack | N/A |
cookie | Cookie of the attacker | N/A |
headers | Header of the attacker | N/A |
Host | Domain name or IP address of the protected website | www.example.com |
id | ID of the event. | 02-11-16-20201121060347-feb42002 |
payload | The part of the attack that causes damage to the protected website | python-requests/2.20.1 |
payload_location | The location of the attack that causes damage or the number of times that the URL is accessed by the attacker | user-agent |
policyid | Policy ID. | d5580c8f6cd4403ebbf85892d4bbb8e4 |
request_line | Request line of the attack. | GET / |
rule | ID of the rule against which the event is generated. | 81066 |
sip | Public IP address of the web visitor/attacker. | N/A |
time | When the event occurred. | 2020/11/21 0:20:44 |
url | URL of the protected domain name. | N/A |