CAPTCHA and Challenge actions in the logs and metrics - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced

The CAPTCHA and Challenge actions can be non-terminating, like Count, or terminating, like Block. The outcome depends on whether the request has a valid token with an unexpired timestamp for the action type.

  • Valid token – When the action finds a valid token and doesn't block the request, Amazon WAF captures metrics and logs as follows:

    • Increments the metrics for either CaptchaRequests and RequestsWithValidCaptchaToken or ChallengeRequests and RequestsWithValidChallengeToken.

    • Logs the match as a nonTerminatingMatchingRules entry with action of CAPTCHA or Challenge. The following listing shows the section of a log for this type of match with the CAPTCHA action.

      "nonTerminatingMatchingRules": [
        {
          "ruleId": "captcha-rule",
          "action": "CAPTCHA",
          "ruleMatchDetails": [],
          "captchaResponse": {
            "responseCode": 0,
            "solveTimestamp": 1632420429
          }
        }
      ]

  • Missing, invalid, or expired token – When the action blocks the request due to a missing or invalid token, Amazon WAF captures metrics and logs as follows:

    • Increments the metric for CaptchaRequests or ChallengeRequests.

    • Logs the match as a CaptchaResponse entry with HTTP 405 status code or as a ChallengeResponse entry with HTTP 202 status code. The log indicates whether the request was missing the token or had an expired timestamp. The log also indicates whether Amazon WAF sent a CAPTCHA interstitial page to the client or a silent challenge to the client browser. The following listing shows the sections of a log for this type of match with the CAPTCHA action.

      "terminatingRuleId": "captcha-rule",
      "terminatingRuleType": "REGULAR",
      "action": "CAPTCHA",
      "terminatingRuleMatchDetails": [],
      ...
      "responseCodeSent": 405,
      ...
      "captchaResponse": {
        "responseCode": 405,
        "solveTimestamp": 0,
        "failureReason": "TOKEN_MISSING"
      }
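
The following added example (not part of the original documentation) separates the two outcomes described above when reading web ACL log records: a valid token recorded under nonTerminatingMatchingRules, and a terminating CAPTCHA or Challenge with its failureReason. The sample records are constructed from the fields in the listings above; the CHALLENGE action value and the challengeResponse key are assumed by analogy with the CAPTCHA fields, and the function names are hypothetical.

```python
import json
from collections import Counter

# Constructed sample records, one JSON object per line, limited to the
# fields shown in the listings above (all other log fields are omitted).
SAMPLE_LOG = """\
{"action": "ALLOW", "nonTerminatingMatchingRules": [{"ruleId": "captcha-rule", "action": "CAPTCHA", "ruleMatchDetails": [], "captchaResponse": {"responseCode": 0, "solveTimestamp": 1632420429}}]}
{"terminatingRuleId": "captcha-rule", "terminatingRuleType": "REGULAR", "action": "CAPTCHA", "terminatingRuleMatchDetails": [], "responseCodeSent": 405, "captchaResponse": {"responseCode": 405, "solveTimestamp": 0, "failureReason": "TOKEN_MISSING"}}
{"action": "ALLOW", "nonTerminatingMatchingRules": []}
"""

# "captchaResponse" appears on the page; the CHALLENGE action value and the
# "challengeResponse" key are assumptions made by analogy.
RESPONSE_KEYS = {"CAPTCHA": "captchaResponse", "CHALLENGE": "challengeResponse"}


def classify(record):
    """Return (rule_id, action, outcome) tuples for CAPTCHA/Challenge matches."""
    results = []
    # Terminating case: the token was missing, invalid, or expired, so the
    # action itself ended rule evaluation and the failure reason is logged.
    action = record.get("action", "").upper()
    if action in RESPONSE_KEYS:
        response = record.get(RESPONSE_KEYS[action], {})
        reason = response.get("failureReason", "UNKNOWN")
        results.append((record.get("terminatingRuleId"), action, "blocked:" + reason))
    # Non-terminating case: a valid token was found and evaluation continued.
    for rule in record.get("nonTerminatingMatchingRules", []):
        rule_action = rule.get("action", "").upper()
        if rule_action in RESPONSE_KEYS:
            results.append((rule.get("ruleId"), rule_action, "valid_token"))
    return results


def summarize(log_text):
    """Count outcomes per (rule_id, action, outcome) over newline-delimited JSON."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts.update(classify(json.loads(line)))
    return counts


if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_LOG).items()):
        print(count, *key)
```

A rising share of blocked outcomes for one rule, grouped by failure reason, is the signal to compare against the CaptchaRequests and RequestsWithValidCaptchaToken metrics for the same period.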

For information about the Amazon WAF logs, see Logging Amazon WAF web ACL traffic.

For information about Amazon WAF metrics, see Amazon WAF metrics and dimensions.

For information about rule action options, see Rule action.