
Attack Logs
Last updated: 2025-10-28 11:11:38
This guide describes how to search and analyze attack logs.

Background

WAF collects attack logs that record information such as the attack time, attacker IP and attack type. You can query and download logs for up to 30 days in the past by full-text search, fuzzy search and filter search (which supports downloading millions of logs).

Searching Attack Logs

1. Log in to the WAF console. Select Attack Logs on the left sidebar and then the Log service tab.
2. Select the instance, domain name, attack type, action and attack time to search attack logs.


| Field Name | Description |
| --- | --- |
| Instance | Select instances. By default, all instances are selected. |
| Domain name | Select domain names. By default, all domain names are selected. |
| Attack type | Select attack types observed/blocked by security modules. By default, all attack types are selected. |
| Action | Select Observe or Block. By default, all actions are selected. |
| Risk level | Select High risk, Medium risk or Low risk. By default, all risk levels are selected. |
| Time period | Select a time period for the logs you want to search. If this field is not specified, Last 1 hour is selected by default. |
| Auto-refresh | Automatically refresh the page at the specified frequency. This feature is disabled by default. |

3. Specify the search filters prior to clicking Search.



Analyzing Attack Logs

1. On the top right of the log list, click the icon to select fields, and then click OK. To learn more about the log fields, refer to Log field description.


2. On the left of the Raw data section, select the field whose percentage you want to view. Then select a value to filter the log results.


3. Click the icon to expand log details, where you can select a field value to find the matching log results. To view logs in JSON format, click JSON.



Downloading Attack Logs

1. On the top right of the log list, click the icon to view your download tasks.
Note
By default, your log results are downloaded.
Only one download task can be created at a time.
One download task can contain up to 1 million logs. If you need to download more, it is recommended to create multiple tasks one by one, or contact us for support.
If you select a wildcard domain name (for example, *.abc.com), logs of all its associated subdomain names such as those suffixed with .abc.com will also be downloaded.
2. On the Download task page, click Create task.


3. Enter a task name and click Create.


4. After the task is created, you can view the total number of logs, download progress, download status, creation time, and expiration time. Click Download to export the logs in CSV format.
Note
Logs downloaded are retained for 3 days.
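
Once a task has been exported, the CSV can be triaged offline in the same way as the Raw data panel. The following is an added example, not Tencent Cloud code: it computes the percentage breakdown of any field and lists attacker IPs whose requests were only observed (status 0) and never blocked (status 1), which are candidates for rule review. It assumes the CSV header row uses the field names from the Log field description; the sample rows and all their values are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. Assumption: the CSV header row uses the field
# names from the Log field description; every value below is made up.
SAMPLE_CSV = """attack_time,host,uri,attack_ip,attack_type,status,count
2025-10-01 10:00:00,shop.example.com,/login,203.0.113.7,sql_injection,1,4
2025-10-01 10:00:10,shop.example.com,/search,203.0.113.7,xss,0,2
2025-10-01 10:00:20,api.example.com,/v1/items,198.51.100.23,sql_injection,0,6
2025-10-01 10:00:30,api.example.com,/v1/items,198.51.100.23,sql_injection,0,3
2025-10-01 10:00:40,shop.example.com,/cart,192.0.2.50,xss,1,1
"""

def load_rows(text):
    """Parse the export into dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))

def field_percentages(rows, field):
    """Share of log entries per value of one field, most frequent first."""
    counts = Counter(r[field] for r in rows)
    total = sum(counts.values())
    return {v: round(100.0 * n / total, 1) for v, n in counts.most_common()}

def observed_only_sources(rows):
    """Attacker IPs seen only with status 0 (Observe), never 1 (Block).

    Returns {ip: {"attacks": summed count field, "uris": sorted URIs}},
    ordered by descending attack volume.
    """
    by_ip = defaultdict(lambda: {"statuses": set(), "attacks": 0, "uris": set()})
    for r in rows:
        entry = by_ip[r["attack_ip"]]
        entry["statuses"].add(r["status"].strip())
        entry["attacks"] += int(r["count"] or 0)  # empty count treated as 0
        entry["uris"].add(r["uri"])
    result = {ip: {"attacks": e["attacks"], "uris": sorted(e["uris"])}
              for ip, e in by_ip.items() if e["statuses"] == {"0"}}
    return dict(sorted(result.items(), key=lambda kv: -kv[1]["attacks"]))

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print(field_percentages(rows, "attack_type"))
    print(observed_only_sources(rows))
```

To run it against a real export, read the downloaded file's text and pass it to `load_rows`, adjusting column names if the export header differs.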

See Also

Log field description

Basic Information
| Field Name | Description |
| --- | --- |
| host | The domain name accessed by the client. |
| uri | The request URI, which is a character string for identifying resources. |
| attack_ip | The source IP of the attack. |
| attack_type | The attack type. |
| rule_id | ID of the protection rule applied. Note that ID of the AI engine rule is 0. |
| method | The request method used in the attack request. |
| user_agent | User-Agent that records information about the browser type and operating system used by the attacker IP. |
| risk_level | Risk level of the attack. |
| status | The action taken on the attack request. Valid values are 0 (Observe) and 1 (Block). |
| count | Number of attacks from the same attacker IP every 10 seconds. |
| domain | The domain name attacked by the client. |
| pan | The domain name accessed by the client. |
| domain_name | The domain name accessed by the client. |
| attack_time | The time that the attack is launched. |
| attack_place | The attack location in the HTTP request. |
| action | The action to take on the attack request. Valid values are 0 (Observe) and 1 (Block). |
| ipinfo_nation | Country of the attacker IP. |
| ipinfo_province | Province/State of the attacker IP. |
| ipinfo_city | City of the attacker IP. |
| ipinfo_state | Country of the attacker IP. |
| ipinfo_dimensionality | Latitude of the attacker IP. |
| instance | Name of the WAF instance accessed by the domain name. |
| attack_category | The attack category (unavailable currently). |
| edition | Edition of the WAF instance. Valid values are sparta-waf (SaaS WAF) and clb-waf (CLB WAF). |
| uuid | Unique ID of the log. |
| attack_content | The content that was attacked. |
| http_log | The log files recording HTTP requests and responses. |
| headers | The protocol headers, including custom headers. |
| rule_name | The rule name (unavailable currently). |
| count | Number of attacks of the same type from the same attacker IP every 10 seconds. |
| args_name | Parameters in the HTTP request. |
| ipinfo_isp | ISP of the attacker IP. |
| appid | APPID of the Tencent Cloud account. |
| ipinfo_longitude | Longitude of the attacker IP. |
