Log Fields - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Log Fields

The following list describes the possible log fields.

action

The action. ALLOW and BLOCK are terminating rule actions. COUNT is a non-terminating rule action. CAPTCHA is non-terminating if the request includes a valid CAPTCHA token and terminating if it doesn't.

args

The query string.

captchaResponse

The CAPTCHA response to the request, populated when the CAPTCHA action results in the termination of web request inspection. The CAPTCHA action terminates web request inspection when the request either doesn't include a CAPTCHA token or the token is invalid or expired. This field includes a response code and a failure reason. When a CAPTCHA action results in the web request being allowed, the information is captured in the field nonTerminatingMatchingRules.

clientIp

The IP address of the client sending the request.

country

The source country of the request. If AWS WAF is unable to determine the country of origin, it sets this field to -.

excludedRules

Used only for rule group rules. The list of rules in the rule group that you have excluded. The action for these rules is set to COUNT.

  exclusionType

  A type that indicates that the excluded rule has the action COUNT.

  ruleId

  The ID of the rule within the rule group that is excluded.

formatVersion

The format version for the log.

headers

The list of headers.

httpMethod

The HTTP method in the request.

httpRequest

The metadata about the request.

httpSourceId

The source ID. This field shows the ID of the associated resource.

httpSourceName

The source of the request. Possible values: CF for Amazon CloudFront, APIGW for Amazon API Gateway, ALB for Application Load Balancer, and APPSYNC for AWS AppSync.

httpVersion

The HTTP version.

labels

The labels on the web request. These labels were applied by rules that were used to evaluate the request. AWS WAF logs the first 100 labels.

limitKey

Indicates the IP address source that AWS WAF should use to aggregate requests for rate limiting by a rate-based rule. Possible values are IP, for web request origin, and FORWARDED_IP, for an IP forwarded in a header in the request.

limitValue

The IP address used by a rate-based rule to aggregate requests for rate limiting. If a request contains an IP address that isn't valid, the limitValue is INVALID.

maxRateAllowed

The maximum number of requests, which have an identical value in the field that is specified by limitKey, allowed in a five-minute period. If the number of requests exceeds the maxRateAllowed and the other predicates specified in the rule are also met, AWS WAF triggers the action that is specified for this rule.

nonTerminatingMatchingRules

The list of non-terminating rules that match the request.

  action

  This is either COUNT or CAPTCHA. The CAPTCHA action is non-terminating when the web request contains a valid CAPTCHA token.

  ruleId

  The ID of the rule that matched the request and was non-terminating.

  ruleMatchDetails

  Detailed information about the rule that matched the request. This field is only populated for SQL injection and cross-site scripting (XSS) match rule statements. A matching rule might require a match for more than one inspection criterion, so these match details are provided as an array of match criteria.

oversizeFields

The list of fields in the web request that were inspected by the web ACL and that are over the AWS WAF inspection limit. This list can contain zero or more of the following values: REQUEST_BODY, REQUEST_JSON_BODY, REQUEST_HEADERS, and REQUEST_COOKIES. If a field is oversize but the web ACL doesn't inspect it, it won't be listed here. For more information about oversize fields, see Inspection of the request body, headers, and cookies.

rateBasedRuleId

The ID of the rate-based rule that acted on the request. If this has terminated the request, the ID for rateBasedRuleId is the same as the ID for terminatingRuleId.

rateBasedRuleList

The list of rate-based rules that acted on the request.

rateBasedRuleName

The name of the rate-based rule that acted on the request.

requestHeadersInserted

The list of headers inserted for custom request handling.

requestId

The ID of the request, which is generated by the underlying host service. For Application Load Balancer, this is the trace ID. For all others, this is the request ID.

responseCodeSent

The response code sent with a custom response.

ruleGroupId

The ID of the rule group. If the rule blocked the request, the ID for ruleGroupId is the same as the ID for terminatingRuleId.

ruleGroupList

The list of rule groups that acted on this request.

terminatingRule

The rule that terminated the request. If this is a non-null value, it also contains a ruleId and action.

terminatingRuleId

The ID of the rule that terminated the request. If nothing terminates the request, the value is Default_Action.

terminatingRuleMatchDetails

Detailed information about the terminating rule that matched the request. A terminating rule has an action that ends the inspection process against a web request. Possible actions for a terminating rule include ALLOW, BLOCK, and CAPTCHA. During the inspection of a web request, at the first rule that matches the request and that has a terminating action, AWS WAF stops the inspection and applies the action. The web request might contain other threats, in addition to the one that's reported in the log for the matching terminating rule.

This is only populated for SQL injection and cross-site scripting (XSS) match rule statements. The matching rule might require a match for more than one inspection criterion, so these match details are provided as an array of match criteria.

terminatingRuleType

The type of rule that terminated the request. Possible values: RATE_BASED, REGULAR, GROUP, and MANAGED_RULE_GROUP.

timestamp

The timestamp in milliseconds.

uri

The URI of the request. The preceding code example demonstrates what the value would be if this field had been redacted.

webaclId

The GUID of the web ACL.
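
The following is an added example, not part of the AWS documentation: a Python triage pass over log records that turns the field semantics above (Default_Action, COUNT matches, oversizeFields, captchaResponse, an INVALID limitValue, a country of -) into review findings. The sample records are constructed, and the nesting of clientIp, country, and uri under httpRequest, of limitValue under rateBasedRuleList entries, and the captchaResponse subkeys are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample records, one JSON object per line (not real traffic).
# Assumed nesting: clientIp/country/uri under httpRequest; limitValue under
# rateBasedRuleList entries; the captchaResponse subkeys are illustrative.
SAMPLE_LOG = """\
{"timestamp": 1700000000000, "action": "ALLOW", "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR", "httpRequest": {"clientIp": "192.0.2.10", "country": "-", "uri": "/upload"}, "nonTerminatingMatchingRules": [{"ruleId": "example-sqli-count", "action": "COUNT"}], "oversizeFields": ["REQUEST_BODY"]}
{"timestamp": 1700000001000, "action": "CAPTCHA", "terminatingRuleId": "example-captcha", "terminatingRuleType": "REGULAR", "httpRequest": {"clientIp": "198.51.100.7", "country": "US", "uri": "/login"}, "captchaResponse": {"responseCode": 405, "failureReason": "TOKEN_MISSING"}, "nonTerminatingMatchingRules": [], "oversizeFields": []}
{"timestamp": 1700000002000, "action": "BLOCK", "terminatingRuleId": "example-rate", "terminatingRuleType": "RATE_BASED", "httpRequest": {"clientIp": "203.0.113.5", "country": "DE", "uri": "/api"}, "rateBasedRuleList": [{"rateBasedRuleId": "example-rate", "limitKey": "FORWARDED_IP", "limitValue": "INVALID", "maxRateAllowed": 100}], "nonTerminatingMatchingRules": [], "oversizeFields": []}
"""

def triage(rec):
    """Return review findings for one log record, using the field semantics above."""
    findings = []
    action = rec.get("action")
    if rec.get("terminatingRuleId") == "Default_Action":
        findings.append("no rule terminated; web ACL default action applied")
    # COUNT is non-terminating, so a COUNT match on an ALLOW reached the origin.
    counted = [r["ruleId"] for r in rec.get("nonTerminatingMatchingRules", [])
               if r.get("action") == "COUNT"]
    if counted and action == "ALLOW":
        findings.append("allowed despite COUNT match: " + ",".join(counted))
    # These inspected components exceeded the AWS WAF inspection limit.
    if rec.get("oversizeFields") and action == "ALLOW":
        findings.append("allowed with oversize: " + ",".join(rec["oversizeFields"]))
    if rec.get("captchaResponse"):
        findings.append("CAPTCHA terminated inspection (token missing, invalid or expired)")
    if any(r.get("limitValue") == "INVALID" for r in rec.get("rateBasedRuleList", [])):
        findings.append("rate-based rule saw an invalid IP address")
    if rec.get("httpRequest", {}).get("country") == "-":
        findings.append("country of origin undetermined")
    return findings

def parse(log_text):
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromtimestamp(rec["timestamp"] / 1000, tz=timezone.utc)  # ms -> s
        out.append((ts.isoformat(), rec.get("httpRequest", {}).get("clientIp"),
                    rec.get("action"), triage(rec)))
    return out

if __name__ == "__main__":
    for row in parse(SAMPLE_LOG):
        print(row)
```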