:original_name: ListAttackLogs.html

.. _ListAttackLogs:

Querying Attack Logs
====================

Function
--------

This API is used to query attack logs.

URI
---

GET /v1/{project_id}/cfw/logs/attack

.. list-table:: **Table 1** Path Parameters
   :header-rows: 1

   * - Parameter
     - Mandatory
     - Type
     - Description
   * - project_id
     - Yes
     - String
     - Project ID, which can be obtained by calling an API or from the console. For details, see :ref:`Obtaining a Project ID `.

.. list-table:: **Table 2** Query Parameters
   :header-rows: 1

   * - Parameter
     - Mandatory
     - Type
     - Description
   * - start_time
     - Yes
     - Long
     - Start time, in milliseconds. The value is a timestamp, for example, 1718936272648.
   * - end_time
     - Yes
     - Long
     - End time, in milliseconds. The value is a timestamp, for example, 1718936272648.
   * - src_ip
     - No
     - String
     - Source IP address.
   * - src_port
     - No
     - Integer
     - Source port.
   * - dst_ip
     - No
     - String
     - Destination IP address.
   * - dst_port
     - No
     - Integer
     - Destination port.
   * - protocol
     - No
     - String
     - Protocol type. Its value can be **TCP**, **UDP**, **ICMP**, or **ICMPv6**.
   * - app
     - No
     - String
     - Rule application type. Its value can be **HTTP**, **HTTPS**, **TLS1**, **DNS**, **SSH**, **MYSQL**, **SMTP**, **RDP**, **RDPS**, **VNC**, **POP3**, **IMAP4**, **SMTPS**, **POP3S**, **FTPS**, or **ANY**.
   * - log_id
     - No
     - String
     - Document ID. For the first page, its value is null. For other pages, its value can be the **log_id** of the last record in the last query.
   * - next_date
     - No
     - Long
     - Next date. For the first page, its value is null. For other pages, its value can be the **event_time** of the last record in the last query.
   * - offset
     - No
     - Integer
     - Offset, which specifies the start position of the record to be returned. The value must be a number greater than 0. For the first page, its value is null. For other pages, its value is not null.
   * - limit
     - Yes
     - Integer
     - Number of records displayed on each page. The value ranges from 1 to 1024.
   * - fw_instance_id
     - Yes
     - String
     - Firewall ID, which can be obtained by referring to :ref:`Obtaining a Firewall ID `.
   * - action
     - No
     - String
     - Action. Its value can be **permit** or **deny**.
   * - direction
     - No
     - String
     - Direction. Its value can be **in2out** or **out2in**.
   * - attack_type
     - No
     - String
     - Intrusion event type.
   * - attack_rule
     - No
     - String
     - Intrusion event rule.
   * - level
     - No
     - String
     - Threat level. Its value can be **CRITICAL**, **HIGH**, **MEDIUM**, or **LOW**.
   * - enterprise_project_id
     - No
     - String
     - Enterprise project ID, which is the ID of a project planned based on organizations. You can obtain the enterprise project ID by referring to :ref:`Obtaining an Enterprise Project ID `. If the enterprise project function is not enabled, the value is **0**.
   * - dst_host
     - No
     - String
     - Destination host.
   * - log_type
     - No
     - String
     - Log type. Its value can be **internet**, **vpc**, or **nat**.
   * - attack_rule_id
     - No
     - String
     - Intrusion event ID.
   * - src_region_name
     - No
     - String
     - Source region name.
   * - dst_region_name
     - No
     - String
     - Destination region name.
   * - src_province_name
     - No
     - String
     - Source province name.
   * - dst_province_name
     - No
     - String
     - Destination province name.
   * - src_city_name
     - No
     - String
     - Source city name.
   * - dst_city_name
     - No
     - String
     - Destination city name.

Request Parameters
------------------

.. list-table:: **Table 3** Request header parameters
   :header-rows: 1

   * - Parameter
     - Mandatory
     - Type
     - Description
   * - X-Auth-Token
     - Yes
     - String
     - User token. You can obtain the token by referring to :ref:`Obtaining a User Token `.

Response Parameters
-------------------

**Status code: 200**

.. list-table:: **Table 4** Response body parameters
   :header-rows: 1

   * - Parameter
     - Type
     - Description
   * - data
     - :ref:`data <listattacklogs__response_data>` object
     - Return value for querying attack logs.

.. _listattacklogs__response_data:

.. list-table:: **Table 5** data
   :header-rows: 1

   * - Parameter
     - Type
     - Description
   * - total
     - Integer
     - Total number of returned attack data records.
   * - limit
     - Integer
     - Number of records displayed on each page. The value ranges from 1 to 1024.
   * - records
     - Array of :ref:`records <listattacklogs__response_records>` objects
     - Attack log list.

.. _listattacklogs__response_records:

.. list-table:: **Table 6** records
   :header-rows: 1

   * - Parameter
     - Type
     - Description
   * - direction
     - String
     - Direction. Its value can be **in2out** or **out2in**.
   * - action
     - String
     - Action. Its value can be **permit** or **deny**.
   * - event_time
     - Long
     - Event time, in milliseconds. The value is a timestamp, for example, 1718936272648.
   * - attack_type
     - String
     - Attack type.
   * - attack_rule
     - String
     - Attack rule.
   * - level
     - String
     - Threat level. Its value can be **CRITICAL**, **HIGH**, **MEDIUM**, or **LOW**.
   * - source
     - String
     - Source.
   * - packet_length
     - Long
     - Packet length.
   * - attack_rule_id
     - String
     - Attack rule ID.
   * - hit_time
     - Long
     - Hit time, in milliseconds. The value is a timestamp, for example, 1718936272648.
   * - log_id
     - String
     - Log ID.
   * - src_ip
     - String
     - Source IP address.
   * - src_port
     - Integer
     - Source port.
   * - dst_ip
     - String
     - Destination IP address.
   * - dst_port
     - Integer
     - Destination port.
   * - protocol
     - String
     - Protocol type. Its value can be **TCP**, **UDP**, **ICMP**, or **ICMPv6**.
   * - packet
     - String
     - Attack log packet.
   * - app
     - String
     - Rule application type. Its value can be **HTTP**, **HTTPS**, **TLS1**, **DNS**, **SSH**, **MYSQL**, **SMTP**, **RDP**, **RDPS**, **VNC**, **POP3**, **IMAP4**, **SMTPS**, **POP3S**, **FTPS**, or **ANY**.
   * - packetMessages
     - Array of :ref:`PacketMessage <listattacklogs__response_packetmessage>` objects
     - Attack packet information.
   * - src_region_id
     - String
     - Source region ID.
   * - src_region_name
     - String
     - Source region name.
   * - dst_region_id
     - String
     - Destination region ID.
   * - dst_region_name
     - String
     - Destination region name.
   * - src_province_id
     - String
     - Source province ID.
   * - src_province_name
     - String
     - Source province name.
   * - src_city_id
     - String
     - Source city ID.
   * - src_city_name
     - String
     - Source city name.
   * - dst_province_id
     - String
     - Destination province ID.
   * - dst_province_name
     - String
     - Destination province name.
   * - dst_city_id
     - String
     - Destination city ID.
   * - dst_city_name
     - String
     - Destination city name.

.. _listattacklogs__response_packetmessage:

.. table:: **Table 7** PacketMessage

   =========== ================ ============================
   Parameter   Type             Description
   =========== ================ ============================
   hex_index   String           Hexadecimal index.
   hexs        Array of strings Hexadecimal number sequence.
   utf8_String String           UTF-8 string.
   =========== ================ ============================

**Status code: 400**

.. table:: **Table 8** Response body parameters

   ========== ====== ==================
   Parameter  Type   Description
   ========== ====== ==================
   error_code String Error code.
   error_msg  String Error description.
   ========== ====== ==================

Example Requests
----------------

Query 10 records on the first page of the firewall with the ID 2af58b7c-893c-4453-a984-bdd9b1bd6318 in the project 9d80d070b6d44942af73c9c3d38e0429. The query time range is 1663567058000 to 1664171765000.

.. code-block:: text

   https://{Endpoint}/v1/9d80d070b6d44942af73c9c3d38e0429/cfw/logs/attack?fw_instance_id=2af58b7c-893c-4453-a984-bdd9b1bd6318&start_time=1663567058000&end_time=1664171765000&limit=10

Example Responses
-----------------

**Status code: 200**

Return value for querying attack logs.

.. code-block:: json

   {
     "data" : {
       "limit" : 10,
       "records" : [ {
         "action" : "deny",
         "app" : "HTTP",
         "attack_rule" : "Tool Nmap Web Server Probe Detected",
         "attack_rule_id" : "336154",
         "attack_type" : "Web Attack",
         "direction" : "out2in",
         "dst_ip" : "100.95.148.49",
         "dst_port" : 8080,
         "event_time" : 1664146216000,
         "level" : "MEDIUM",
         "log_id" : "15591",
         "packet" : "+hZUZMhV+hY/AaHMCABFKABpXPNAADAGof1kVe6QZF+UMcTQH5B0wdaz888+uoAYAOVyNQAAAQEICjrmikVb9JLCR0VUIC9uaWNlJTIwcG9ydHMlMkMvVHJpJTZFaXR5LnR4dCUyZWJhayBIVFRQLzEuMA0KDQo=",
         "packetMessages" : [ {
           "hex_index" : "00000000",
           "hexs" : [ "fa", "16", "54", "64", "c8", "55", "fa", "16", "3f", "01", "a1", "cc", "08", "00", "45", "28" ],
           "utf8_String" : ".\u0016Td.U.\u0016?.....E("
         }, {
           "hex_index" : "00000010",
           "hexs" : [ "00", "69", "5c", "f3", "40", "00", "30", "06", "a1", "fd", "64", "55", "ee", "90", "64", "5f" ],
           "utf8_String" : ".i\\.@.0...dU.d_"
         }, {
           "hex_index" : "00000020",
           "hexs" : [ "94", "31", "c4", "d0", "1f", "90", "74", "c1", "d6", "b3", "f3", "cf", "3e", "ba", "80", "18" ],
           "utf8_String" : ".1..?.t.ֳ..>..."
         }, {
           "hex_index" : "00000030",
           "hexs" : [ "00", "e5", "72", "35", "00", "00", "01", "01", "08", "0a", "3a", "e6", "8a", "45", "5b", "f4" ],
           "utf8_String" : "..r5......:.E[."
         }, {
           "hex_index" : "00000040",
           "hexs" : [ "92", "c2", "47", "45", "54", "20", "2f", "6e", "69", "63", "65", "25", "32", "30", "70", "6f" ],
           "utf8_String" : "..GET /nice%20po"
         }, {
           "hex_index" : "00000050",
           "hexs" : [ "72", "74", "73", "25", "32", "43", "2f", "54", "72", "69", "25", "36", "45", "69", "74", "79" ],
           "utf8_String" : "rts%2C/Tri%6Eity"
         }, {
           "hex_index" : "00000060",
           "hexs" : [ "2e", "74", "78", "74", "25", "32", "65", "62", "61", "6b", "20", "48", "54", "54", "50", "2f" ],
           "utf8_String" : ".txt%2ebak HTTP/"
         }, {
           "hex_index" : "00000070",
           "hexs" : [ "31", "2e", "30", "0d", "0a", "0d", "0a" ],
           "utf8_String" : "1.0\r.\r."
         } ],
         "packet_length" : 119,
         "protocol" : "TCP",
         "source" : "0",
         "src_ip" : "100.85.238.144",
         "src_port" : 50384,
         "src_province_id" : "source province id",
         "src_province_name" : "source province name",
         "src_city_id" : "source city id",
         "src_city_name" : "source city name",
         "dst_province_id" : "dst province id",
         "dst_province_name" : "dst province name",
         "dst_city_id" : "dst city id",
         "dst_city_name" : "dst city name"
       } ],
       "total" : 1
     }
   }

**Status code: 400**

Bad Request

.. code-block:: json

   {
     "error_code" : "00500002",
     "error_msg" : "Invalid interval."
   }

Status Codes
------------

=========== ======================================
Status Code Description
=========== ======================================
200         Return value for querying attack logs.
400         Bad Request
401         Unauthorized
403         Forbidden
404         Not Found
500         Internal Server Error
=========== ======================================

Error Codes
-----------

See :ref:`Error Codes `.
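The following Python helpers are an added example and not part of the API reference or the CFW SDK: they build the query string from the parameters in Table 2 (rejecting out-of-range ``limit``, inverted time ranges and unknown enum values before they reach the server), derive the ``log_id`` / ``next_date`` / ``offset`` values for the next page from the last record of the previous one, and rebuild the Table 7 ``PacketMessage`` rows from the base64 ``packet`` field of the example response. The choice of ``offset`` as "records fetched so far" and the dot-for-non-printable rendering of ``utf8_String`` are this example's assumptions, not documented behaviour.

```python
"""Helpers for the CFW attack-log query API: GET /v1/{project_id}/cfw/logs/attack."""
import base64
from typing import Any, Dict, List, Optional
from urllib.parse import urlencode

BASE_PATH = "/v1/{project_id}/cfw/logs/attack"

# Allowed values taken from the query-parameter table above.
ENUM_PARAMS = {
    "protocol": {"TCP", "UDP", "ICMP", "ICMPv6"},
    "action": {"permit", "deny"},
    "direction": {"in2out", "out2in"},
    "level": {"CRITICAL", "HIGH", "MEDIUM", "LOW"},
    "log_type": {"internet", "vpc", "nat"},
}

# The ``packet`` value from the example response above (119 bytes once decoded).
SAMPLE_PACKET = (
    "+hZUZMhV+hY/AaHMCABFKABpXPNAADAGof1kVe6QZF+UMcTQH5B0wdaz888+uoAYAOVyNQAAAQEI"
    "CjrmikVb9JLCR0VUIC9uaWNlJTIwcG9ydHMlMkMvVHJpJTZFaXR5LnR4dCUyZWJhayBIVFRQLzEuMA0KDQo="
)


def build_query(project_id: str, fw_instance_id: str, start_time: int, end_time: int,
                limit: int, **filters: Any) -> str:
    """Return path + query string, failing fast on values the reference documents as invalid.

    Rejecting bad input client-side keeps HTTP 400 responses such as
    "Invalid interval" off the wire and out of the audit trail.
    """
    if not 1 <= limit <= 1024:
        raise ValueError("limit must be between 1 and 1024")
    if start_time > end_time:
        raise ValueError("start_time must not be later than end_time")
    for name, allowed in ENUM_PARAMS.items():
        value = filters.get(name)
        if value is not None and value not in allowed:
            raise ValueError(f"{name}={value!r} is not one of {sorted(allowed)}")
    if filters.get("offset") is not None and filters["offset"] <= 0:
        raise ValueError("offset must be greater than 0")
    params: Dict[str, Any] = {"fw_instance_id": fw_instance_id, "start_time": start_time,
                              "end_time": end_time, "limit": limit}
    # Filters left as None are simply omitted, which is how "null" is sent for page one.
    params.update({k: v for k, v in filters.items() if v is not None})
    return BASE_PATH.format(project_id=project_id) + "?" + urlencode(params)


def next_page_params(page: Dict[str, Any], fetched_so_far: int) -> Optional[Dict[str, Any]]:
    """Derive the follow-up page's log_id / next_date / offset, or None when done.

    log_id and next_date come from the last record of the page just received, as the
    reference states. ``offset`` = records fetched so far is this example's assumption.
    """
    data = page["data"]
    records = data.get("records") or []
    if not records or fetched_so_far >= data["total"]:
        return None
    last = records[-1]
    return {"log_id": last["log_id"], "next_date": last["event_time"], "offset": fetched_so_far}


def packet_messages(packet_b64: str, width: int = 16) -> List[Dict[str, Any]]:
    """Rebuild PacketMessage rows (hex_index, hexs, utf8_String) from the base64 packet.

    Rendering assumption: printable ASCII is shown as-is, every other byte as '.',
    so the text column matches the service's output for ASCII payload rows only.
    """
    raw = base64.b64decode(packet_b64, validate=True)
    rows: List[Dict[str, Any]] = []
    for off in range(0, len(raw), width):
        chunk = raw[off:off + width]
        rows.append({
            "hex_index": f"{off:08x}",
            "hexs": [f"{b:02x}" for b in chunk],
            "utf8_String": "".join(chr(b) if 32 <= b < 127 else "." for b in chunk),
        })
    return rows


if __name__ == "__main__":
    print(build_query("9d80d070b6d44942af73c9c3d38e0429", "2af58b7c-893c-4453-a984-bdd9b1bd6318",
                      1663567058000, 1664171765000, 10))
    for row in packet_messages(SAMPLE_PACKET):
        print(row["hex_index"], " ".join(row["hexs"]).ljust(47), row["utf8_String"])
```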