This topic describes how to download events (logged and blocked events) data for the last five days. One or more CSV files containing the event data of the current day will be generated at the beginning of the next day.
If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and download protection event logs in the project.
Prerequisites
- The website to be protected has been added to WAF.
- An event file has been generated.
Specification Limitations
- Each file can include a maximum of 5,000 events. If there are more than 5,000 events, another file is generated.
- Only event data for the last five days can be downloaded through the WAF console.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Events.
- Click the Download Events tab and download the desired protection data. Table 1 describes the parameters.
- In the Operation column, click Download to download data to the local PC.
Fields in a Protection Event Data File
Field |
Description |
Example Value |
|---|---|---|
action |
Protective action taken in response to the event |
block |
attack |
Attack type |
SQL Injection |
body |
Request content of the attack |
N/A |
cookie |
Cookie of the attacker |
N/A |
headers |
Header of the attacker |
N/A |
host |
Domain name or IP address of the protected website |
www.example.com |
id |
ID of the event. |
02-11-16-20201121060347-feb42002 |
payload |
The part of the attack that causes damage to the protected website |
python-requests/2.20.1 |
payload_location |
The location of the attack that causes damage or the number of times that the URL is accessed by the attacker |
user-agent |
policyid |
Policy ID. |
d5580c8f6cd4403ebbf85892d4bbb8e4 |
request_line |
Request line of the attack |
GET / |
rule |
ID of the rule against which the event is generated. |
81066 |
sip |
Public IP address of the web visitor/attacker |
N/A |
time |
When the event occurred. |
2020/11/21 0:20:44 |
url |
URL of the protected domain name |
N/A |