UWAF Log Format
UWAF’s access logs and attack logs are both in JSON format. After downloading the attack log, you can specify fields to extract corresponding information for log analysis or to access dedicated logging services.
Access Log Field Description
| Field | Description |
|---|---|
| @timestamp | Request time, UTC time |
| bytes_sent | Size of the response content, in bytes |
| content_type | Type of the response content |
| cookies | The Cookie field of the request |
| forward | The X-Forwared-For field of the request |
| host | The Host field of request, i.e., domain name |
| hostname | UWAF hostname |
| organization_id | Project ID |
| referer | The Referer field of request |
| region | UWAF deployment region |
| remote_addr | Source IP |
| remote_port | Source port |
| request_id | Unique ID of the request |
| request_length | Size of the request content, in bytes |
| request_method | Request method |
| request_time | Response time, in seconds |
| request_uri | The URI of the request |
| scheme | The protocol of the request |
| server_addr | IP address of the protected domain |
| server_name | Protected domain |
| server_port | Port of the protected domain |
| server_protocol | Version of the request HTTP protocol |
| status | Response status code |
| time_local | Request time, local time |
| top_organization_id | Customer ID |
| upstream_addr | Source server address |
| upstream_bytes_received | Size of content received from the source, type: array, unit: bytes |
| upstream_bytes_sent | Size of content transmitted to the source, type: array, unit: bytes |
| upstream_response_length | Size of the source’s response content, type: array, unit: bytes |
| upstream_response_time | Source’s response time, type: array, unit: seconds |
| upstream_status | The status code of the source’s response |
| uri | The URI actually processed by the request |
| user_agent | The User-Agent field of the request |
| x_real_ip | The X-Real-IP field of the request |
Attack Log Field Description
| Field | Description |
|---|---|
| AccessId | Unique ID of the attack log |
| Action | Matching action of the rule, not the actual action |
| Alerts | Rule information that is triggered, type: key-value pair array |
| Args | Parameter part of the request’s URI |
| Attack | Attack type |
| Client | Source IP |
| ClientIPinfo | Geographic information of the source IP, type: object |
| ClientPort | Source port |
| Count | Number of attacks |
| DestIp | IP address of the protected domain |
| FalsePositive | Whether it is a false positive |
| Host | The Host field of the attack request, i.e., domain name |
| Id | Unique ID of the attack log |
| Method | Method of the attack request |
| mode | UWAF protection mode |
| Port | Port of the protected domain |
| Protocol | Version of the HTTP of the attack request |
| Referer | The Referer field of the attack request |
| Region | UWAF deployment region |
| RequestBody | Body content of the attack request, first 512 bytes |
| RequestHeaders | All request fields of the attack request, type: key-value pair array |
| RequestID | Unique ID of the request |
| RiskRank | Risk level |
| ServerName | Protected domain |
| TimeStamp | Time of the attack, in second-level timestamps |
| TopId | Customer ID |
| UA | The User-Agent field of the attack request |
| Uri | URI of the attack request |