Using LTS to Log WAF Activities¶
After you authorize WAF to access Log Tank Service (LTS), you can use the WAF logs recorded by LTS for quick and efficient real-time analysis, device O&M management, and analysis of service trends.
LTS analyzes and processes a large number of logs. It enables you to process logs in real-time, efficiently, and securely. Logs can be stored in LTS for seven days by default but you can configure LTS for up to 30 days if needed. Logs earlier than 30 days are automatically deleted. However, you can configure LTS to dump those logs to an Object Storage Service (OBS) bucket or enable Data Ingestion Service (DIS) for long-term storage.
Prerequisites¶
You have applied for your WAF.
Impact on the System¶
Enabling LTS for WAF does not affect WAF performance.
Enabling LTS for WAF Protection Event Logging¶
Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
In the navigation pane on the left, choose Events.
Click the Configure Logs tab, enable LTS (), and select a log group and log stream. Table 1 describes the parameters.
¶ Parameter
Description
Example Value
Log Group
Select a log group or click View Log Group to go to the LTS console and create a log group.
lts-group-waf
Attack Log
Select a log stream or click View Log Stream to go to the LTS console and create a log stream.
An attack log includes information about event type, protective action, and attack source IP address of each attack.
lts-topic-waf-attack
Access Log
Select a log stream or click View Log Stream to go to the LTS console and create a log stream.
An access log includes key information about access time, client IP address, and resource URL of each HTTP access requests.
lts-topic-waf-access
Click OK.
You can view WAF protection event logs on the LTS console.
Checking and Downloading WAF Protection Event Logs on LTS¶
After enabling LTS, you can go to the LTS console and check, analyze, and download WAF logs.
Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
Click in the upper left corner of the page and choose Management & Deployment > Log Tank Service.
In the log group list, click to expand the WAF log group (for example, lts-group-waf).
In the log stream list, click the log stream name to go to the log stream log page. Then, you can check and analyze logs.
WAF access_log Field¶
Field | Type | Field Description | Description |
---|---|---|---|
access_log.requestid | string | Random ID | The value is the same as the last eight characters of the req_id field in the attack log. |
access_log.time | string | Access time | GMT time a log is generated. |
access_log.connection_requests | string | Sequence number of the request over the connection |
|
access_log.eng_ip | string | IP address of the WAF engine |
|
access_log.pid | string | The engine that processes the request | Engine (worker PID). |
access_log.hostid | string | Domain name identifier of the access request. | Protected domain name ID (upstream_id). |
access_log.tenantid | string | Account ID | ID of your account. |
access_log.projectid | string | ID of the project the protected domain name belongs to | Project ID of a user in a specific region. |
access_log.remote_ip | string | Remote IP address of the request at layer 4 | IP address from which a client request originates. Important NOTICE: If a layer-7 proxy is deployed in front of WAF, this field indicates the IP address of the proxy node closest to WAF. The real IP address of the visitor is specified by the x-forwarded-for and x_real_ip fields. |
access_log.remote_port | string | Remote port of the request at layer 4 | Port used by the IP address from which a client request originates |
access_log.sip | string | IP address of the client that sends the request | For example, XFF. |
access_log.scheme | string | Request protocol | Protocols that can be used in the request:
|
access_log.response_code | string | Response code | Response status code returned by the origin server to WAF. |
access_log.method | string | Request method. | Request type in a request line. Generally, the value is GET or POST. |
access_log.http_host | string | Domain name of the requested server. | Address, domain name, or IP address entered in the address bar of a browser. |
access_log.url | string | Request URL. | Path in a URL (excluding the domain name). |
access_log.request_length | string | Request length. | The request length includes the access request address, HTTP request header, and number of bytes in the request body. |
access_log.bytes_send | string | Total number of bytes sent to the client. | Number of bytes sent by WAF to the client. |
access_log.body_bytes_sent | string | Total number of bytes of the response body sent to the client | Number of bytes of the response body sent by WAF to the client |
access_log.upstream_addr | string | Address of the backend server. | IP address of the origin server for which a request is destined. For example, if WAF forwards requests to an ECS, the IP address of the ECS is returned to this parameter. |
access_log.request_time | string | Request processing time | Processing time starts when the first byte of the client is read (unit: s). |
access_log.upstream_response_time | string | Backend server response time | Time the backend server responds to the WAF request (unit: s). |
access_log.upstream_status | string | Backend server response code | Response status code returned by the backend server to WAF. |
access_log.upstream_connect_time | string | Time for the origin server to establish a connection to its backend services. Unit: second. | When SSL is used, the time for the handshake process is also recorded. Time used for establishing a connection for a request. Use commas (,) to separate the time used for each request. |
access_log.upstream_header_time | string | Time used by the backend server to receive the first byte of the response header. Unit: second | Response time for multiple requests. Use commas (,) to separate the time used for each response. |
access_log.bind_ip | string | WAF engine back-to-source IP address. | The IP address of the NIC used by the engine for forwarding requests to the origin server. This value is not the EIP bound to the engine even if the engine forwards requests over the EIP. |
access_log.group_id | string | LTS log group ID | ID of the log group for interconnecting WAF with LTS. |
access_log.access_stream_id | string | Log stream ID. | ID of access_stream of the user in the log group identified by the group_id field. |
access_log.engine_id | string | WAF engine ID | Unique ID of the WAF engine. |
access_log.time_iso8601 | string | ISO 8601 time format of logs. |
|
access_log.sni | string | Domain name requested through SNI. |
|
access_log.tls_version | string | Protocol versioning an SSL connection. | TLS version used in the request. |
access_log.ssl_curves | string | Curve group list supported by the client. |
|
access_log.ssl_session_reused | string | SSL session reuse | Whether the SSL session can be reused r: Yes .: No |
access_log.process_time | string | Engine attack detection duration (unit: ms) |
|
access_log.args | string | The parameter data in the URL |
|
access_log.x_forwarded_for | string | IP address chain for a proxy when the proxy is deployed in front of WAF. | The sting includes one or more IP addresses. The leftmost IP address is the originating IP address of the client. Each time the proxy server receives a request, it adds the source IP address of the request to the right of the originating IP address. |
access_log.cdn_src_ip | string | Client IP address identified by CDN when CDN is deployed in front of WAF | This field specifies the real IP address of the client if CDN is deployed in front of WAF. Important NOTICE: Some CDN vendors may use other fields. WAF records only the most common fields. |
access_log.x_real_ip | string | Real IP address of the client when a proxy is deployed in front of WAF. | Real IP address of the client, which is identified by the proxy. |
access_log.intel_crawler | string | Used for intelligence anti-crawler analysis. |
|
access_log.ssl_ciphers_md5 | string | MD5 value of the SSL cipher (ssl_ciphers). |
|
access_log.ssl_cipher | string | SSL cipher used. |
|
access_log.web_tag | string | Website name. |
|
access_log.user_agent | string | User agent in the request header. |
|
access_log.upstream_response_length | string | Backend server response size. |
|
access_log.region_id | string | Region where the request is received. |
|
access_log.enterprise_project_id | string | ID of the enterprise project that the requested domain name belongs to. |
|
access_log.referer | string | Referer content in the request header. | The value can contain a maximum of 128 characters. Characters over 128 characters will be truncated. |
access_log.rule | string | Protection rule that the request matched. | If multiple rules are matched, only one rule is displayed. |
access_log.category | string | Log category matched by the request. |
|
access_log.waf_time | string | Time an access request is received. |
|
WAF attack_log field description¶
Field | Type | Field Description | Description |
---|---|---|---|
attack_log.category | string | Log category | The value is attack. |
attack_log.time | string | Log time |
|
attack_log.time_iso8601 | string | ISO 8601 time format of logs. |
|
attack_log.policy_id | string | Policy ID |
|
attack_log.level | string | Protection level | Protection level of a built-in rule in basic web protection
|
attack_log.attack | string | Type of attack | Attack type. This parameter is listed in attack logs only.
|
attack_log.action | string | Protective action | WAF defense action.
|
attack_log.sub_type | string | Crawler types | When attack is set to robot, this parameter cannot be left blank.
|
attack_log.rule | string | ID of the triggered rule or the description of the custom policy type. |
|
attack_log.rule_name | string | Description of a custom rule type. | This field is empty when a basic protection rule is matched. |
attack_log.location | string | Location triggering the malicious load |
|
attack_log.req_body | sting | Request body. |
|
attack_log.resp_headers | string | Response header |
|
attack_log.hit_data | string | String triggering the malicious load |
|
attack_log.resp_body | string | Response body |
|
attack_log.backend.protocol | string | Backend protocol. |
|
attack_log.backend.alive | string | Backend server status. |
|
attack_log.backend.port | string | Backend server port. |
|
attack_log.backend.host | string | Backend server host value. |
|
attack_log.backend.type | string | Backend server type. | IP address or domain name. |
attack_log.backend.weight | number | Backend server weight. |
|
attack_log.status | string | Response status code |
|
attack_log.upstream_status | string | Origin server response code. |
|
attack_log.reqid | string | Random ID | The value consists of the engine IP address suffix, request timestamp, and request ID allocated by Nginx. |
attack_log.requestid | string | Unique ID of the request. | Request ID allocated by Nginx. |
attack_log.id | string | Attack ID | ID of the attack |
attack_log.method | string | Request method |
|
attack_log.sip | string | Client request IP address |
|
attack_log.sport | string | Client request port |
|
attack_log.host | string | Requested domain name |
|
attack_log.http_host | string | Domain name of the requested server. |
|
attack_log.hport | string | Port of the requested server. |
|
attack_log.uri | string | Request URL. | The domain is excluded. |
attack_log.header | A JSON string. A JSON table is obtained after the string is decoded. | Request header |
|
attack_log.mutipart | A JSON string. A JSON table is obtained after the string is decoded. | Request multipart header | This parameter is used to upload files. |
attack_log.cookie | A JSON string. A JSON table is obtained after the string is decoded. | Cookie of the request |
|
attack_log.params | A JSON string. A JSON table is obtained after the string is decoded. | Params value following the request URI. |
|
attack_log.body_bytes_sent | string | Total number of bytes of the response body sent to the client. | Total number of bytes of the response body sent by WAF to the client. |
attack_log.upstream_response_time | string | Time elapsed since the backend server received the response content from the upstream service. Unit: second. | Response time for multiple requests. Use commas (,) to separate the time used for each response. |
attack_log.engine_id | string | Unique ID of the engine |
|
attack_log.region_id | string | ID of the region where the engine is located. |
|
attack_log.engine_ip | string | Engine IP address. |
|
attack_log.process_time | string | Detection duration |
|
attack_log.remote_ip | string | Layer-4 IP address of the client that sends the request. |
|
attack_log.x_forwarded_for | string | Content of X-Forwarded-For in the request header. |
|
attack_log.cdn_src_ip | string | Content of Cdn-Src-Ip in the request header. |
|
attack_log.x_real_ip | string | Content of X-Real-IP in the request header. |
|
attack_log.group_id | string | Log group ID | LTS log group ID |
attack_log.attack_stream_id | string | Log stream ID | ID of access_stream of the user in the log group identified by the group_id field. |
attack_log.hostid | string | Protected domain name ID (upstream_id). |
|
attack_log.tenantid | string | Account ID |
|
attack_log.projectid | string | ID of the project the protected domain name belongs to |
|
attack_log.enterprise_project_id | string | ID of the enterprise project that the requested domain name belongs to. |
|
attack_log.web_tag | string | Website name. |
|
attack_log.req_body | string | Request body. (If the request body larger than 1 KB, it will be truncated.) |
|