Using LTS to Log WAF Activities

After you authorize WAF to access Log Tank Service (LTS), you can use the WAF logs recorded by LTS for quick and efficient real-time analysis, device O&M management, and analysis of service trends.

LTS analyzes and processes a large number of logs. It enables you to process logs in real time, efficiently, and securely. Logs are stored in LTS for seven days by default, but you can configure LTS to retain them for up to 30 days if needed. Logs older than 30 days are automatically deleted. However, you can configure LTS to dump those logs to an Object Storage Service (OBS) bucket or enable Data Ingestion Service (DIS) for long-term storage.

Prerequisites

Impact on the System

Enabling LTS for WAF does not affect WAF performance.

Enabling LTS for WAF Protection Event Logging

  1. Log in to the management console.

  2. Click the icon in the upper left corner of the management console and select a region or project.

  3. Click the icon in the upper left corner and choose Web Application Firewall (Dedicated) under Security.

  4. In the navigation pane on the left, choose Events.

  5. Click the Configure Logs tab, enable LTS, and select a log group and log stream. Table 1 describes the parameters.

    **Figure 1** Log settings

    Table 1 Log configuration

    | Parameter | Description | Example Value |
    |---|---|---|
    | Log Group | Select a log group or click View Log Group to go to the LTS console and create a log group. | lts-group-waf |
    | Attack Log | Select a log stream or click View Log Stream to go to the LTS console and create a log stream. An attack log includes information about the event type, protective action, and attack source IP address of each attack. | lts-topic-waf-attack |
    | Access Log | Select a log stream or click View Log Stream to go to the LTS console and create a log stream. An access log includes key information about the access time, client IP address, and resource URL of each HTTP access request. | lts-topic-waf-access |

  6. Click OK.

    You can view WAF protection event logs on the LTS console.

Checking and Downloading WAF Protection Event Logs on LTS

After enabling LTS, you can go to the LTS console and check, analyze, and download WAF logs.

  1. Log in to the management console.

  2. Click the icon in the upper left corner of the management console and select a region or project.

  3. Click the icon in the upper left corner of the page and choose Management & Deployment > Log Tank Service.

  4. In the log group list, click the expand icon to expand the WAF log group (for example, lts-group-waf).

  5. In the log stream list, click the log stream name to go to the log stream log page. Then, you can check and analyze logs.

WAF access_log Fields

| Field | Type | Field Description | Description |
|---|---|---|---|
| access_log.requestid | string | Random ID | The value is the same as the last eight characters of the req_id field in the attack log. |
| access_log.time | string | Access time | GMT time a log is generated. |
| access_log.connection_requests | string | Sequence number of the request over the connection | - |
| access_log.eng_ip | string | IP address of the WAF engine | - |
| access_log.pid | string | The engine that processes the request | Engine (worker PID). |
| access_log.hostid | string | Domain name identifier of the access request | Protected domain name ID (upstream_id). |
| access_log.tenantid | string | Account ID | ID of your account. |
| access_log.projectid | string | ID of the project the protected domain name belongs to | Project ID of a user in a specific region. |
| access_log.remote_ip | string | Remote IP address of the request at layer 4 | IP address from which a client request originates. NOTICE: If a layer-7 proxy is deployed in front of WAF, this field indicates the IP address of the proxy node closest to WAF. The real IP address of the visitor is specified by the x_forwarded_for and x_real_ip fields. |
| access_log.remote_port | string | Remote port of the request at layer 4 | Port used by the IP address from which a client request originates. |
| access_log.sip | string | IP address of the client that sends the request | For example, XFF. |
| access_log.scheme | string | Request protocol | Protocols that can be used in the request: HTTP, HTTPS. |
| access_log.response_code | string | Response code | Response status code returned by the origin server to WAF. |
| access_log.method | string | Request method | Request type in a request line. Generally, the value is GET or POST. |
| access_log.http_host | string | Domain name of the requested server | Address, domain name, or IP address entered in the address bar of a browser. |
| access_log.url | string | Request URL | Path in a URL (excluding the domain name). |
| access_log.request_length | string | Request length | The request length includes the access request address, HTTP request header, and number of bytes in the request body. |
| access_log.bytes_send | string | Total number of bytes sent to the client | Number of bytes sent by WAF to the client. |
| access_log.body_bytes_sent | string | Total number of bytes of the response body sent to the client | Number of bytes of the response body sent by WAF to the client. |
| access_log.upstream_addr | string | Address of the backend server | IP address of the origin server for which a request is destined. For example, if WAF forwards requests to an ECS, the IP address of the ECS is returned in this parameter. |
| access_log.request_time | string | Request processing time | Processing time starts when the first byte of the client request is read (unit: s). |
| access_log.upstream_response_time | string | Backend server response time | Time the backend server takes to respond to the WAF request (unit: s). |
| access_log.upstream_status | string | Backend server response code | Response status code returned by the backend server to WAF. |
| access_log.upstream_connect_time | string | Time for the origin server to establish a connection to its backend services (unit: s) | When SSL is used, the time for the handshake process is also recorded. Time used for establishing a connection for a request. Commas (,) separate the time used for each request. |
| access_log.upstream_header_time | string | Time used by the backend server to receive the first byte of the response header (unit: s) | Response time for multiple requests. Commas (,) separate the time used for each response. |
| access_log.bind_ip | string | WAF engine back-to-source IP address | The IP address of the NIC used by the engine for forwarding requests to the origin server. This value is not the EIP bound to the engine even if the engine forwards requests over the EIP. |
| access_log.group_id | string | LTS log group ID | ID of the log group for interconnecting WAF with LTS. |
| access_log.access_stream_id | string | Log stream ID | ID of access_stream of the user in the log group identified by the group_id field. |
| access_log.engine_id | string | WAF engine ID | Unique ID of the WAF engine. |
| access_log.time_iso8601 | string | ISO 8601 time format of logs | - |
| access_log.sni | string | Domain name requested through SNI | - |
| access_log.tls_version | string | Protocol version of the SSL connection | TLS version used in the request. |
| access_log.ssl_curves | string | Curve group list supported by the client | - |
| access_log.ssl_session_reused | string | SSL session reuse | Whether the SSL session can be reused: r: Yes; .: No |
| access_log.process_time | string | Engine attack detection duration (unit: ms) | - |
| access_log.args | string | The parameter data in the URL | - |
| access_log.x_forwarded_for | string | IP address chain for a proxy when the proxy is deployed in front of WAF | The string includes one or more IP addresses. The leftmost IP address is the originating IP address of the client. Each time the proxy server receives a request, it adds the source IP address of the request to the right of the originating IP address. |
| access_log.cdn_src_ip | string | Client IP address identified by CDN when CDN is deployed in front of WAF | This field specifies the real IP address of the client if CDN is deployed in front of WAF. NOTICE: Some CDN vendors may use other fields. WAF records only the most common fields. |
| access_log.x_real_ip | string | Real IP address of the client when a proxy is deployed in front of WAF | Real IP address of the client, which is identified by the proxy. |
| access_log.intel_crawler | string | Used for intelligence anti-crawler analysis | - |
| access_log.ssl_ciphers_md5 | string | MD5 value of the SSL cipher (ssl_ciphers) | - |
| access_log.ssl_cipher | string | SSL cipher used | - |
| access_log.web_tag | string | Website name | - |
| access_log.user_agent | string | User agent in the request header | - |
| access_log.upstream_response_length | string | Backend server response size | - |
| access_log.region_id | string | Region where the request is received | - |
| access_log.enterprise_project_id | string | ID of the enterprise project that the requested domain name belongs to | - |
| access_log.referer | string | Referer content in the request header | The value can contain a maximum of 128 characters. Characters beyond the 128th are truncated. |
| access_log.rule | string | Protection rule that the request matched | If multiple rules are matched, only one rule is displayed. |
| access_log.category | string | Log category matched by the request | - |
| access_log.waf_time | string | Time an access request is received | - |

WAF attack_log Fields

| Field | Type | Field Description | Description |
|---|---|---|---|
| attack_log.category | string | Log category | The value is attack. |
| attack_log.time | string | Log time | - |
| attack_log.time_iso8601 | string | ISO 8601 time format of logs | - |
| attack_log.policy_id | string | Policy ID | - |
| attack_log.level | string | Protection level | Protection level of a built-in rule in basic web protection:<br>1: Low<br>2: Medium<br>3: High |
| attack_log.attack | string | Type of attack | Attack type. This parameter is listed in attack logs only.<br>default: default attacks<br>sqli: SQL injections<br>xss: cross-site scripting (XSS) attacks<br>webshell: web shells<br>robot: malicious crawlers<br>cmdi: command injections<br>rfi: remote file inclusion attacks<br>lfi: local file inclusion attacks<br>illegal: unauthorized requests<br>vuln: exploits<br>cc: attacks that hit the CC protection rules<br>custom_custom: attacks that hit a precise protection rule<br>custom_whiteblackip: attacks that hit an IP address blacklist or whitelist rule<br>custom_geoip: attacks that hit a geolocation access control rule<br>antitamper: attacks that hit a web tamper protection rule<br>anticrawler: attacks that hit the JS challenge anti-crawler rule<br>leakage: vulnerabilities that hit an information leakage prevention rule<br>antiscan_high_freq_scan: attacks that hit malicious scanning rules<br>followed_action: the source is marked as a known attack source |
| attack_log.action | string | Protective action | WAF defense action.<br>block: WAF blocks attacks.<br>log: WAF only logs detected attacks.<br>captcha: Verification code |
| attack_log.sub_type | string | Crawler types | When attack is set to robot, this parameter cannot be left blank.<br>script_tool: Script tools<br>search_engine: Search engines<br>scanner: Scanning tools<br>uncategorized: Other crawlers |
| attack_log.rule | string | ID of the triggered rule or the description of the custom policy type | - |
| attack_log.rule_name | string | Description of a custom rule type | This field is empty when a basic protection rule is matched. |
| attack_log.location | string | Location triggering the malicious load | - |
| attack_log.req_body | string | Request body | - |
| attack_log.resp_headers | string | Response header | - |
| attack_log.hit_data | string | String triggering the malicious load | - |
| attack_log.resp_body | string | Response body | - |
| attack_log.backend.protocol | string | Backend protocol | - |
| attack_log.backend.alive | string | Backend server status | - |
| attack_log.backend.port | string | Backend server port | - |
| attack_log.backend.host | string | Backend server host value | - |
| attack_log.backend.type | string | Backend server type | IP address or domain name. |
| attack_log.backend.weight | number | Backend server weight | - |
| attack_log.status | string | Response status code | - |
| attack_log.upstream_status | string | Origin server response code | - |
| attack_log.reqid | string | Random ID | The value consists of the engine IP address suffix, request timestamp, and request ID allocated by Nginx. |
| attack_log.requestid | string | Unique ID of the request | Request ID allocated by Nginx. |
| attack_log.id | string | Attack ID | ID of the attack. |
| attack_log.method | string | Request method | - |
| attack_log.sip | string | Client request IP address | - |
| attack_log.sport | string | Client request port | - |
| attack_log.host | string | Requested domain name | - |
| attack_log.http_host | string | Domain name of the requested server | - |
| attack_log.hport | string | Port of the requested server | - |
| attack_log.uri | string | Request URL | The domain is excluded. |
| attack_log.header | JSON string; decoding it yields a JSON table | Request header | - |
| attack_log.mutipart | JSON string; decoding it yields a JSON table | Request multipart header | This parameter is used to upload files. |
| attack_log.cookie | JSON string; decoding it yields a JSON table | Cookie of the request | - |
| attack_log.params | JSON string; decoding it yields a JSON table | Params value following the request URI | - |
| attack_log.body_bytes_sent | string | Total number of bytes of the response body sent to the client | Total number of bytes of the response body sent by WAF to the client. |
| attack_log.upstream_response_time | string | Time elapsed since the backend server received the response content from the upstream service (unit: s) | Response time for multiple requests. Commas (,) separate the time used for each response. |
| attack_log.engine_id | string | Unique ID of the engine | - |
| attack_log.region_id | string | ID of the region where the engine is located | - |
| attack_log.engine_ip | string | Engine IP address | - |
| attack_log.process_time | string | Detection duration | - |
| attack_log.remote_ip | string | Layer-4 IP address of the client that sends the request | - |
| attack_log.x_forwarded_for | string | Content of X-Forwarded-For in the request header | - |
| attack_log.cdn_src_ip | string | Content of Cdn-Src-Ip in the request header | - |
| attack_log.x_real_ip | string | Content of X-Real-IP in the request header | - |
| attack_log.group_id | string | Log group ID | LTS log group ID. |
| attack_log.attack_stream_id | string | Log stream ID | ID of access_stream of the user in the log group identified by the group_id field. |
| attack_log.hostid | string | Protected domain name ID (upstream_id) | - |
| attack_log.tenantid | string | Account ID | - |
| attack_log.projectid | string | ID of the project the protected domain name belongs to | - |
| attack_log.enterprise_project_id | string | ID of the enterprise project that the requested domain name belongs to | - |
| attack_log.web_tag | string | Website name | - |
| attack_log.req_body | string | Request body. (If the request body is larger than 1 KB, it is truncated.) | - |
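The following Python is an added example, not code from the page or from WAF/LTS. It ties the two tables together: it joins an attack_log record to its access_log record through the last eight characters of reqid, decodes the header/cookie/params JSON-string fields, and picks the originating client IP while honouring the proxy caveat on remote_ip (the header-derived fields are only meaningful when a proxy or CDN is actually in front of WAF). The sample records are constructed, and the cdn_src_ip > x_forwarded_for > x_real_ip precedence is an assumption, not something the page states.

```python
import json

LEVELS = {"1": "Low", "2": "Medium", "3": "High"}  # attack_log.level values

# Constructed sample records (not real WAF output); keys follow the field tables above.
ACCESS_LOGS = [
    {"requestid": "a1b2c3d4", "remote_ip": "10.0.0.5", "url": "/login", "response_code": "403",
     "x_forwarded_for": "203.0.113.7, 10.0.0.5", "x_real_ip": "", "cdn_src_ip": ""},
    {"requestid": "e5f60718", "remote_ip": "198.51.100.9", "url": "/", "response_code": "200",
     "x_forwarded_for": "", "x_real_ip": "", "cdn_src_ip": ""},
]
ATTACK_LOGS = [  # reqid = engine IP suffix, timestamp, Nginx request ID; last 8 chars = access requestid
    {"reqid": "0.5-1700000000-a1b2c3d4", "attack": "sqli", "action": "block", "level": "3",
     "header": "{\"User-Agent\": \"curl/8.0\"}", "cookie": "{}", "params": "{\"id\": \"42\"}"},
]

def client_ip(acc, proxied):
    """Originating client IP. With no proxy or CDN in front of WAF only remote_ip (layer 4) is
    trustworthy, because the header-derived fields are client-supplied. The precedence
    cdn_src_ip > leftmost x_forwarded_for > x_real_ip > remote_ip is an assumption."""
    if not proxied:
        return acc["remote_ip"]
    if acc.get("cdn_src_ip"):
        return acc["cdn_src_ip"]
    if acc.get("x_forwarded_for"):
        return acc["x_forwarded_for"].split(",")[0].strip()  # leftmost = originating client
    return acc.get("x_real_ip") or acc["remote_ip"]

def decode_json_fields(att):
    """header, mutipart, cookie and params are JSON strings; decode them into dicts."""
    out = dict(att)
    for key in ("header", "mutipart", "cookie", "params"):
        if isinstance(out.get(key), str):
            out[key] = json.loads(out[key]) if out[key] else {}
    return out

def correlate(access_logs, attack_logs, proxied):
    """Join each attack record to its access record via the last eight characters of reqid."""
    by_id = {a["requestid"]: a for a in access_logs}
    rows = []
    for raw in attack_logs:
        att = decode_json_fields(raw)
        acc = by_id.get(att["reqid"][-8:])
        rows.append({"attack": att["attack"], "action": att["action"],
                     "level": LEVELS.get(att["level"], "unknown"),
                     "user_agent": att["header"].get("User-Agent"),
                     "client_ip": client_ip(acc, proxied) if acc else None,
                     "url": acc["url"] if acc else None})
    return rows
```

Set `proxied` from what you know about your deployment, not from whether the headers happen to be present: an attacker can send X-Forwarded-For directly to a WAF that has no proxy in front of it.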