Attack Logs

Last updated: 2023-12-29 14:46:24
    This guide describes how to search and analyze attack logs.

    Background

    WAF collects attack logs that record the attack time, attacker IP, attack type and related details. You can query and download logs from the past 30 days using full-text search, fuzzy search and filter search, and download tasks support exporting millions of logs.

    Searching Attack Logs

    1. Log in to the WAF console. Select Attack Logs on the left sidebar and then the Log service tab.
    2. Select the instance, domain name, attack type, action and attack time to search attack logs.
    
    Field Name    | Description
    Instance      | Select instances. By default, all instances are selected.
    Domain name   | Select domain names. By default, all domain names are selected.
    Attack type   | Select attack types observed/blocked by security modules. By default, all attack types are selected.
    Action        | Select Observe or Block. By default, all actions are selected.
    Risk level    | Select High risk, Medium risk or Low risk. By default, all risk levels are selected.
    Time period   | Select a time period for the logs you want to search. If this field is not specified, Last 1 hour is selected by default.
    Auto-refresh  | Automatically refresh the page at the specified frequency. This feature is disabled by default.
    3. Specify the search filters prior to clicking Search.
    
    

    Analyzing Attack Logs

    1. On the top right of the log list, click the field selection icon to select the fields to display, and then click OK. To learn more about the log fields, see Log field description.
    
    
    2. On the left of the Raw data section, select a field to view the percentage of each of its values. Then select a value to filter the log results by it.
    
    
    3. Click the expand icon next to a log entry to expand its details, where you can select a field value to filter the log results by it. To view the log in JSON format, click JSON.
    
    

    Downloading Attack Logs

    1. On the top right of the log list, click the download icon to view your download tasks.
    Note
    By default, your log results are downloaded.
    Only one download task can be created at a time.
    One download task can contain up to 1 million logs. If you need to download more, it is recommended to create multiple tasks one by one, or contact us for support.
    If you select a wildcard domain name (for example, *.abc.com), logs of all its associated subdomain names such as those suffixed with .abc.com will also be downloaded.
    2. On the Download task page, click Create task.
    
    
    3. Enter a task name and click Create.
    
    
    4. After the task is created, you can view the total number of logs, download progress, download status, creation time, and expiration time. Click Download to export the logs in CSV format.
    Note
    Logs downloaded are retained for 3 days.

    See Also

    Log field description

    Basic Information
    Field Name            | Description
    host                  | The domain name accessed by the client.
    uri                   | The request URI, a character string that identifies the requested resource.
    attack_ip             | The source IP of the attack.
    attack_type           | The attack type.
    rule_id               | ID of the protection rule applied. The ID of the AI engine rule is 0.
    method                | The request method used in the attack request.
    user_agent            | User-Agent header, which records the browser type and operating system used by the attacker IP.
    risk_level            | Risk level of the attack.
    status                | The action taken on the attack request. Valid values are 0 (Observe) and 1 (Block).
    count                 | Number of attacks from the same attacker IP every 10 seconds.
    domain                | The domain name attacked by the client.
    pan                   | The domain name accessed by the client.
    domain_name           | The domain name accessed by the client.
    attack_time           | The time at which the attack was launched.
    attack_place          | The location of the attack in the HTTP request.
    action                | The action to take on the attack request. Valid values are 0 (Observe) and 1 (Block).
    ipinfo_nation         | Country of the attacker IP.
    ipinfo_province       | Province/State of the attacker IP.
    ipinfo_city           | City of the attacker IP.
    ipinfo_state          | Country of the attacker IP.
    ipinfo_dimensionality | Latitude of the attacker IP.
    instance              | Name of the WAF instance accessed by the domain name.
    attack_category       | The attack category (currently unavailable).
    edition               | Edition of the WAF instance. Valid values are sparta-waf (SaaS WAF) and clb-waf (CLB WAF).
    uuid                  | Unique ID of the log.
    attack_content        | The content that was attacked.
    http_log              | The log files recording HTTP requests and responses.
    headers               | The protocol headers, including custom headers.
    rule_name             | The rule name (currently unavailable).
    count                 | Number of attacks of the same type from the same attacker IP every 10 seconds.
    args_name             | Parameters in the HTTP request.
    ipinfo_isp            | ISP of the attacker IP.
    appid                 | APPID of the Tencent Cloud account.
    ipinfo_longitude      | Longitude of the attacker IP.
    