
Alibaba ESA(Edge Security Acceleration) Logs + AI Agents: Natural Language for Automated Ops Analysis and Reporting

Operations depend on logs. Alibaba Cloud ESA provides log delivery. Agent Skills let AI assistants query logs with natural language.

Operations work revolves around logs - troubleshooting, performance tuning, security analysis, weekly and monthly reports all depend on them. Alibaba Cloud Edge Security Acceleration (ESA) provides comprehensive log collection and log delivery capabilities. Combined with Alibaba Cloud's open-source Agent Skills, ESA logs can be directly connected to mainstream AI coding assistants like Qoder, Claude Code, Cursor, and OpenClaw - enabling log queries, statistical analysis, security reports, and routine inspections using nothing but natural language.

The Lifeline of Operations: Logs, Statistics, and Data Analysis

Anyone who has done operations work knows a simple truth: without logs, operations is like navigating blindfolded.

Daily operations work depends on logs across several dimensions:

Troubleshooting

A sudden spike in 5xx errors, an API slowing down, users complaining about timeouts - the first step is always "check the logs." You need to know:

  • Which URLs are affected?
  • What's the client IP distribution?
  • Is the slowness on the origin fetch or the edge?
  • Did an upstream service go down?

Without logs, you're guessing.

Security Analysis and Incident Response

How many attacks did WAF block? Is a CC attack happening right now? Which IPs are malicious? What percentage of traffic is from bots? Answering these questions requires:

  • Real-time queries against security defense logs
  • Aggregation by attack type, IP, and domain
  • Pattern and trend identification
  • Security incident reporting

Performance Optimization and Capacity Planning

What's the cache hit ratio? Which resources should be cached? Is origin bandwidth growing abnormally? These require:

  • Analyzing cache status, response times, and origin fetch times from access logs
  • Statistical breakdowns by URL, domain, and time window
  • Identifying performance bottlenecks and optimization opportunities

Routine Reporting

Daily reports, weekly reports, monthly reports - operations teams need to regularly update management on:

  • Overall traffic trends
  • Security posture
  • Performance metrics
  • Incident summaries

The common prerequisite for all of this: you can easily extract the data you need from massive volumes of logs.


ESA's Logging Capabilities: Comprehensive, Unified, Deliverable

Alibaba Cloud Edge Security Acceleration (ESA) is a platform that integrates CDN acceleration, WAF protection, CC/DDoS defense, and edge computing into a single product. For operations teams, ESA's key value is that it produces complete, structured, and deliverable logs.

ESA provides two categories of core logs:

Access Logs

A detailed record for every request, including:

| Field Category | Example Fields |
|---|---|
| Request Info | Timestamp, Client IP, HTTP Method, URL, Protocol Version, User-Agent |
| Response Info | Status Code, Response Size, Response Time, Content Type |
| Origin Fetch Info | Origin Server IP, Origin Fetch Time, Origin Fetch Status Code |
| Cache Info | Cache Hit/Miss Status, Cache Key |
| Routing Info | Edge Node ID, Routing Region |


Security Defense Logs

A detailed record for every security event, including:

| Security Capability | Recorded Information |
|---|---|
| WAF Protection | Attack Type (SQL Injection, XSS, Command Injection, etc.), Matched Rule, Action Taken |
| CC Protection | Triggered IP, Frequency Threshold, Action (Block/CAPTCHA/Allow) |
| Bot Management | Bot Classification (Search Engine/Automation/Malicious Bot), Action Taken |
| IP Blocklist | Blocked IP, Block Reason, Policy Type |
| DDoS Protection | Attack Type, Attack Volume, Scrubbing Result |



ESA Real-Time Logs: Seconds-Level Global Delivery

Why Real-Time Logs?

Traditional log analysis is slow: download logs → upload to a data warehouse → clean data → define models → query. ESA's real-time log system cuts through this entire workflow. It uses stream processing to deliver raw logs from over 3,200 global points of presence (POPs) to your servers within seconds.


ESA real-time logs offer:

  • Seconds-level global delivery: Logs from 3,200+ POPs worldwide, delivered within seconds
  • Flexible storage: Deliver to SLS, AWS S3, S3-compatible storage, HTTP servers, or Kafka
  • Log customization: Custom log formats, delivery sampling, and field filters to capture exactly the data you need
  • Monitoring and dashboards: Data integrity checks, visualization dashboards, log analysis reports, and operational alerts

Categories of Real-Time Logs

ESA real-time logs cover a wide range of scenarios:

| Log Type | Dimension | Recorded Content | Scenarios |
|---|---|---|---|
| Access and Origin Log | Website | Detailed request info when users access ESA-accelerated sites, and back-to-origin request details | User behavior analysis, business analysis and optimization, audit and compliance |
| Firewall Log | Website | Details of all malicious requests detected and blocked by ESA WAF | Security monitoring, business analysis and optimization, audit and compliance |
| TCP/UDP Proxy Log | Website | Content transmitted through ESA transport-layer acceleration | Performance monitoring, business analysis and optimization |
| DNS Log | Website | DNS domain name resolution request details | Audit and compliance, DNS resolution changes |


Log Delivery Workflow

Creating a real-time log delivery task follows a straightforward flow:

Select a log category → Select log fields → Select a destination → Configure destination details → Verify ownership


Supported Delivery Destinations

ESA supports delivering real-time logs to a wide range of destinations:

| Destination Type | Options |
|---|---|
| Log analysis service | Alibaba Cloud Simple Log Service (SLS) |
| Object storage services | Alibaba Cloud OSS, Amazon S3, S3-compatible storage |
| Custom services | HTTP Server, Kafka |

Each destination supports compression (gzip, zlib, snappy, lz4, zstd), custom field filters, and sampling rates to control data volume and cost.

How to Create a Real-Time Log Delivery Task

Here's a step-by-step guide to setting up ESA real-time log delivery:

Step 1: Select Log Category

For account-level logs (Edge Routine Log, Edge Container Log):

  1. Log on to the ESA Console
  2. In the left navigation pane, choose Analytics and Logs > Real-time Logs
  3. Click Create Delivery Task
  4. Enter a task name and select the log category

For website-level logs (Access and Origin Log, Firewall Log, TCP/UDP Proxy Log, DNS Log):

  1. In the ESA Console, navigate to Websites
  2. Click on the target website
  3. In the left navigation pane, choose Analytics and Logs > Real-time Logs
  4. On the Delivery Tasks tab, click Create Delivery Task
  5. Specify a task name and select the log category

Step 2: Select Log Fields

Configure the following parameters:

  • Log Fields: Select which fields to collect (see Log Fields Reference for available fields)
  • Sampling Rate: Specify a percentage to sample logs, reducing delivery volume and storage costs
  • Filter: Add up to 20 filter conditions to deliver only relevant logs
  • Container Name (for Edge Container Log): Select deployed containers (up to 19)

Step 3: Select a Destination

Choose where to deliver logs:

  • Simple Log Service (SLS): For real-time log analysis and querying
  • Object Storage Service (OSS): For long-term log archival
  • Amazon S3 / S3-compatible: For multi-cloud or hybrid deployments
  • HTTP Server: For custom log processing pipelines
  • Kafka: For streaming log ingestion into big data platforms


Step 4: Configure Destination Details

For SLS delivery:

  • Select the SLS region
  • Authorize ESA to access SLS (the system automatically creates the AliyunServiceRoleForESARealtimeLogPushSLS service-linked role)


For OSS delivery:

  • Select the bucket region and bucket name
  • Authorize ESA to access OSS (system creates AliyunESARealtimeLogPushOSSRole)


For Amazon S3:

  • Enter bucket path and region
  • Configure server-side encryption settings
  • Copy the provided bucket policy code to your S3 bucket permissions
  • Verify ownership via the token file


For S3-compatible storage:

  • Enter bucket path, region, endpoint URL
  • Provide Access Key ID and Secret Access Key
  • Verify ownership via the token file

For HTTP Server:

  • Enter the server URL (http:// or https://)
  • Select compression method (gzip, zlib, snappy, or none)
  • Optionally configure server authentication with private key and signature expiration
  • Add custom HTTP headers and URL parameters


For Kafka:

  • Enter Kafka topic and broker addresses (up to 50)
  • Select compression method (gzip, snappy, lz4, zstd, or none)
  • Configure authentication (PLAIN, SCRAM-SHA-256, SCRAM-SHA-512)
  • Select load balancer type (LeastBytes, Hash, RoundRobin, CRC32Balancer, Murmur2Balancer)


For third-party object storage (S3 / S3-compatible): ownership verification is required. The system sends a .txt token file to your bucket; you retrieve it, copy the content, and submit it back to confirm ownership.


Plan Limits

| Plan | Real-Time Log Delivery Tasks per Log Type |
|---|---|
| Entrance | Not supported |
| Pro | 2 |
| Premium | 3 |
| Enterprise | 5 |

Note: Task limits are counted separately per log type. For example, on the Enterprise plan, you can create 5 tasks for Access and Origin Log AND 5 tasks for Firewall Log.

Custom Log Fields

For Access and Origin Logs, you can add custom fields to capture additional context:

  • Request Header: Custom HTTP request headers
  • Response Header: Custom HTTP response headers
  • Cookies: Session and tracking cookies

Custom fields are configured in the ESA console under Real-time Logs > Custom Fields.



From ESA Real-Time Logs to SLS: The Data Foundation

Once ESA real-time logs are delivered to SLS, you gain access to SLS's powerful query and analysis capabilities:

  • Full-text search: Filter by keyword instantly
  • SQL analytics: Aggregation, GROUP BY, sorting, window functions
  • SPL pipelines: Multi-step data processing
  • Real-time alerting: Trigger alerts based on log content
  • Dashboards: Visualize key metrics
  • Downstream delivery: Forward to OSS, MaxCompute, DataHub for further analysis

ESA provides the complete data foundation - comprehensive, structured, real-time, and queryable. The question is: how can operations teams use this data efficiently?


The Bottleneck of the Traditional Approach

After ESA logs are delivered to SLS, the traditional query workflow looks like this:

  1. Open the SLS console
  2. Select the Project and Logstore
  3. Write query syntax by hand (full-text index / SQL / SPL)
  4. Execute and review results
  5. If wrong, fix and re-execute

This approach has several problems:

  • Steep learning curve: SLS query syntax (full-text indexing, SQL, SPL) requires dedicated learning
  • Low efficiency: Every query starts from scratch, especially complex joins and aggregations
  • Difficult reporting: Results are out, but compiling weekly/monthly reports still means manual aggregation, screenshots, and writing summaries
  • Tool lock-in: You can only work in the SLS console - leave the browser and you're stuck

Operations people don't need to learn query languages - they just need answers.


The Solution: ESA Logs + Alibaba Cloud Skills + AI Agents

Architecture

Alibaba Cloud's open-source Agent Skills framework encapsulates SLS query and analysis capabilities into a standardized Skill (alibabacloud-sls-query). This Skill tells an AI Agent how to:

  1. Automatically read the Logstore's index configuration to discover which fields are queryable
  2. Based on the user's natural-language request, automatically choose the optimal query mode (full-text search / SQL / SPL)
  3. Construct the correct query statement
  4. Execute the query via Alibaba Cloud CLI
  5. Translate the returned results into readable analysis and reports

Once this Skill is loaded, any AI coding assistant that supports the Skill/MCP protocol can query ESA logs using natural language.

┌───────────────────────────────────────────────────┐
│              Operations Engineer                  │
│  "Generate today's ESA security report"           │
│  "Which URLs had the worst response times?"       │
│  "How many SQL injections did WAF block today?"   │
└────────────────────────┬──────────────────────────┘
                         │
                         ▼
┌───────────────────────────────────────────────────┐
│                  AI Agent Client                  │
│  ┌──────────┬──────────┬──────────┬──────────┐    │
│  │  Qoder   │  Claude  │  Cursor  │ OpenClaw │    │
│  │          │   Code   │          │          │    │
│  ├──────────┼──────────┼──────────┼──────────┤    │
│  │ Qwen Code│  Codex   │  Gemini  │ Copilot  │    │
│  │          │          │   CLI    │          │    │
│  └──────────┴──────────┴──────────┴──────────┘    │
└────────────────────────┬──────────────────────────┘
                         │
                         ▼
┌───────────────────────────────────────────────────┐
│  Alibaba Cloud Skill: alibabacloud-sls-query      │
│                                                   │
│  Step 1 → Read ESA Logstore index config          │
│  Step 2 → Pick query mode (full-text/SQL/SPL)     │
│  Step 3 → Construct query statement               │
│  Step 4 → Resolve time range                      │
│  Step 5 → Execute via aliyun CLI                  │
│  Step 6 → Extract data, generate readable report  │
└────────────────────────┬──────────────────────────┘
                         │
                         ▼
┌───────────────────────────────────────────────────┐
│         aliyun CLI (AI Mode)                      │
│         aliyun sls get-logs-v2                    │
└────────────────────────┬──────────────────────────┘
                         │
                         ▼
┌───────────────────────────────────────────────────┐
│       Alibaba Cloud SLS (Log Service)             │
│         (fed by ESA Real-Time Logs)               │
│                                                   │
│ ┌──────────────────────┐ ┌──────────────────────┐ │
│ │  ESA Access Logs     │ │  ESA Security Logs   │ │
│ │  · Request details   │ │  · WAF block records │ │
│ │  · Cache hit/miss    │ │  · CC protection     │ │
│ │  · Origin fetch      │ │  · Bot identification│ │
│ │  · Response time     │ │  · IP block records  │ │
│ └──────────────────────┘ └──────────────────────┘ │
└───────────────────────────────────────────────────┘

Operations people no longer need to open the SLS console or write query syntax by hand. Ask in natural language, and the AI Agent handles querying, statistics, analysis, and report generation automatically.


Setup Guide

Step 1: Install Alibaba Cloud CLI

The CLI is the channel through which the AI Agent queries SLS logs.

# One-line install
/bin/bash -c "$(curl -fsSL https://aliyuncli.alicdn.com/install.sh)"

# Verify version (requires >= 3.3.8)
aliyun version

Step 2: Configure AK and RAM Permissions

Create a user in the RAM Console and grant log read-only access.

Recommended policy:

| Policy Name | Description |
|---|---|
| AliyunLogReadOnlyAccess | SLS read-only access (system policy, works out of the box) |

Least privilege: If you only need to query logs, scope the Resource down to the specific ESA Project and Logstore rather than granting global access.
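What that scoping looks like, as an added example (not from the article or the Skill project): a custom RAM policy that grants only the read actions the Skill's workflow needs (read project and logstore metadata, read the index configuration, query logs) on a single ESA project and logstore. `<ESA_PROJECT>` and `<ESA_LOGSTORE>` are placeholders; the action names are SLS's RAM action names as I know them, so check them against the current SLS authorization reference before attaching the policy.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "log:GetProject",
        "log:ListLogStores",
        "log:GetLogStore",
        "log:GetIndex",
        "log:GetLogStoreLogs"
      ],
      "Resource": [
        "acs:log:*:*:project/<ESA_PROJECT>",
        "acs:log:*:*:project/<ESA_PROJECT>/logstore/<ESA_LOGSTORE>"
      ]
    }
  ]
}
```

Attach this to the RAM user whose AccessKey the CLI uses instead of AliyunLogReadOnlyAccess; the agent can then read nothing outside the ESA logstore, which also limits what a leaked key would expose.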

Configure the CLI:

aliyun configure
# Follow prompts to enter AccessKey ID, AccessKey Secret, default Region

Enable AI Mode:

aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-sls-query"
aliyun plugin update

Security note: Never paste AK/SK values into a conversation. The Skill also strictly prohibits this behavior internally.

Step 3: Load the SLS Skill into Your AI Agent

The Skill source code is open-source on GitHub:

https://github.com/aliyun/alibabacloud-aiops-skills/tree/master/skills/storage/sls/alibabacloud-sls-query

Loading methods vary across AI clients, but the core idea is the same - place SKILL.md and the references/ directory where your client can find it. Once loaded, the AI Agent "knows" how to query and analyze SLS logs.


Practical Scenarios

Scenario 1: Routine Health Check

"Show me the overall ESA status for the past hour: total requests, status code distribution, average response time, cache hit ratio."

The AI Agent will:

  1. Read the ESA access log index configuration
  2. Construct a SQL query grouped by status code
  3. Execute the query
  4. Return a structured summary

Typical output:

ESA Health Check  -  Past 1 Hour
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Total Requests: 48,237
Status Code Distribution:
  200: 93.50% (45,102)
  304:  3.83% (1,847)
  301:  1.16% (562)
  4xx:  1.26% (604)
  5xx:  0.25% (122)  ← needs attention
Avg Response Time: 45ms (P99: 320ms)
Cache Hit Ratio: 67.21%

Spot the 0.25% 5xx rate, follow up with "show me which URLs the 5xx errors are concentrated on," and you've pinpointed the issue immediately.
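To show what the Agent's health-check step actually computes, here is the same aggregation run locally in Python over a constructed batch of ESA-style access records. This is an added example, not code from the article or the Skill; `client_ip`, `host`, `uri` and `status` are field names the article lists, while `cache_status`, `response_time_ms` and `origin_time_ms` are assumed names for this example. It also carries the follow-up question from the text, 5xx errors grouped by URL.

```python
import json
import math
from collections import Counter

# Constructed sample: ten ESA-style access records as JSON lines, the shape
# the aliyun CLI hands back from SLS. Field names beyond
# client_ip/host/uri/status are assumptions, not ESA's documented schema.
SAMPLE_JSONL = """
{"client_ip":"203.0.113.5","host":"www.example.com","uri":"/index.html","status":200,"cache_status":"HIT","response_time_ms":12,"origin_time_ms":0}
{"client_ip":"203.0.113.5","host":"www.example.com","uri":"/static/app.js","status":200,"cache_status":"HIT","response_time_ms":8,"origin_time_ms":0}
{"client_ip":"198.51.100.7","host":"www.example.com","uri":"/api/orders","status":200,"cache_status":"MISS","response_time_ms":140,"origin_time_ms":120}
{"client_ip":"198.51.100.7","host":"www.example.com","uri":"/api/orders","status":502,"cache_status":"MISS","response_time_ms":3050,"origin_time_ms":3000}
{"client_ip":"203.0.113.9","host":"www.example.com","uri":"/index.html","status":304,"cache_status":"HIT","response_time_ms":5,"origin_time_ms":0}
{"client_ip":"203.0.113.9","host":"www.example.com","uri":"/old-page","status":301,"cache_status":"HIT","response_time_ms":4,"origin_time_ms":0}
{"client_ip":"198.51.100.8","host":"www.example.com","uri":"/api/orders","status":504,"cache_status":"MISS","response_time_ms":3100,"origin_time_ms":3000}
{"client_ip":"192.0.2.44","host":"www.example.com","uri":"/admin","status":404,"cache_status":"MISS","response_time_ms":30,"origin_time_ms":20}
{"client_ip":"192.0.2.44","host":"www.example.com","uri":"/api/users","status":200,"cache_status":"MISS","response_time_ms":95,"origin_time_ms":80}
{"client_ip":"203.0.113.5","host":"www.example.com","uri":"/static/logo.png","status":200,"cache_status":"HIT","response_time_ms":6,"origin_time_ms":0}
"""


def load_logs(jsonl):
    """Parse JSON lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def percentile(values, pct):
    """Nearest-rank percentile (pct in 0..100) of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def status_bucket(status):
    """Report 200/301/304 individually; fold everything else into Nxx classes."""
    return str(status) if status in (200, 301, 304) else f"{status // 100}xx"


def health_check(logs):
    """Totals, status distribution, avg/P99 latency and cache hit ratio."""
    total = len(logs)
    buckets = Counter(status_bucket(r["status"]) for r in logs)
    times = [r["response_time_ms"] for r in logs]
    hits = sum(1 for r in logs if r["cache_status"] == "HIT")
    return {
        "total": total,
        "status_count": dict(buckets),
        "status_pct": {k: round(v * 100 / total, 2) for k, v in buckets.items()},
        "avg_ms": round(sum(times) / total, 1),
        "p99_ms": percentile(times, 99),
        "cache_hit_ratio": round(hits * 100 / total, 2),
    }


def errors_by_uri(logs, status_class=5):
    """The follow-up question: which URLs concentrate the 5xx (or other) errors."""
    return Counter(r["uri"] for r in logs if r["status"] // 100 == status_class).most_common()


def render(report):
    """Format the numbers the way the article's sample report shows them."""
    lines = [f"Total Requests: {report['total']:,}", "Status Code Distribution:"]
    for code, pct in sorted(report["status_pct"].items()):
        flag = "  <- needs attention" if code == "5xx" else ""
        lines.append(f"  {code}: {pct:.2f}% ({report['status_count'][code]:,}){flag}")
    lines.append(f"Avg Response Time: {report['avg_ms']}ms (P99: {report['p99_ms']}ms)")
    lines.append(f"Cache Hit Ratio: {report['cache_hit_ratio']:.2f}%")
    return "\n".join(lines)


if __name__ == "__main__":
    logs = load_logs(SAMPLE_JSONL)
    print(render(health_check(logs)))
    print("5xx by URL:", errors_by_uri(logs))
```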


Scenario 2: Security Analysis Report

"Generate today's ESA security report: total WAF blocks, breakdown by attack type, CC protection events, and Top 10 attacking IPs."

The AI Agent automatically composes multiple queries spanning both access logs and security defense logs, producing a complete security report. This is exactly what operations teams need daily - no more manually querying individual metrics, taking screenshots, and compiling summaries. One sentence, one report.

Scenario 3: Real-Time CC Attack Analysis

"In the past 30 minutes, which IPs had abnormal request frequencies? Help me identify potential CC attack sources, listing request counts and accessed URLs for each."

The Skill automatically uses SPL for frequency analysis, identifies anomalous IPs, and lists detailed information. Combined with ESA's built-in CC protection, operations teams can quickly verify whether automatic defenses are working.
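The frequency analysis behind this scenario, as an added example that is not part of the article or the Skill: a per-IP sliding-window count over a constructed 30-minute batch of ESA-style access records, run locally in Python (the Skill expresses the same idea as SPL inside SLS). `client_ip`, `host`, `uri` and `status` are field names from the article; `ts` (epoch seconds) is assumed. The threshold is relative to the median per-IP peak so that a uniformly busy site does not flag every client.

```python
from collections import Counter, defaultdict

# Constructed sample: six ordinary clients on documentation addresses sending
# ten requests each spread over 30 minutes, plus one source (198.51.100.23)
# firing 150 requests at /login inside a single minute, half of them already
# answered 403 by CC protection.
BASE = 1_750_000_000


def make_sample():
    logs = []
    for i in range(60):
        logs.append({"ts": BASE + i * 30, "client_ip": f"203.0.113.{i % 6 + 1}",
                     "host": "www.example.com",
                     "uri": ["/", "/api/orders", "/static/app.js"][i % 3],
                     "status": 200})
    for i in range(150):
        logs.append({"ts": BASE + 600 + (2 * i) // 5, "client_ip": "198.51.100.23",
                     "host": "www.example.com", "uri": "/login",
                     "status": 403 if i % 2 else 200})
    return logs


def find_burst_ips(logs, window_s=60, min_per_window=30, factor=10):
    """Flag IPs whose busiest window is anomalous.

    An IP is flagged when its peak per-window request count is at least
    `min_per_window` AND more than `factor` times the median peak across all
    IPs. Returns one record per flagged IP: total requests, peak per-window
    count and the top URIs it hit, sorted by request count descending.
    """
    per_ip_window = defaultdict(Counter)
    per_ip_total = Counter()
    per_ip_uri = defaultdict(Counter)
    for r in logs:
        bucket = int(r["ts"] // window_s)        # fixed windows of window_s seconds
        per_ip_window[r["client_ip"]][bucket] += 1
        per_ip_total[r["client_ip"]] += 1
        per_ip_uri[r["client_ip"]][r["uri"]] += 1
    if not per_ip_window:
        return []
    peaks = {ip: max(c.values()) for ip, c in per_ip_window.items()}
    ordered = sorted(peaks.values())
    median = ordered[len(ordered) // 2]
    flagged = []
    for ip, peak in peaks.items():
        if peak >= min_per_window and peak > factor * median:
            flagged.append({"ip": ip, "requests": per_ip_total[ip],
                            "peak_per_window": peak,
                            "top_uris": per_ip_uri[ip].most_common(3)})
    return sorted(flagged, key=lambda f: f["requests"], reverse=True)


if __name__ == "__main__":
    for hit in find_burst_ips(make_sample()):
        print(f"{hit['ip']}: {hit['requests']} requests, "
              f"peak {hit['peak_per_window']}/min, top URIs {hit['top_uris']}")
```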

Scenario 4: Performance Bottleneck Identification

"In the past hour, what were the 20 slowest URLs by average response time? Include cache hit/miss status and origin fetch time."

Quickly identify:

  • Which resources have slow origin fetch (need origin fetch optimization or added caching)
  • Which resources have low cache hit ratios (need cache policy tuning)
  • Which URLs show abnormal response time spikes

Scenario 5: Automated Weekly Report

"Generate an ESA weekly operations report including: traffic trends (daily), status code trends, WAF block trends, CC protection trends, cache hit ratio trends, and top incidents."

This is where the AI Agent shines most. The traditional approach requires:

  1. Manually creating multiple dashboards in the SLS console
  2. Querying each metric individually and taking screenshots
  3. Manually writing summaries and compiling into a document

With an AI Agent:

  1. Describe what you need in natural language
  2. The Agent automatically constructs queries across multiple time ranges
  3. Generates a structured weekly report
  4. You can follow up with "export this as Markdown" or "analyze the trend changes this week"

Why This Works in Practice

1. ESA Provides the Complete Data Foundation

ESA's access logs and security defense logs cover every dimension - CDN acceleration, WAF protection, CC defense, Bot management. Logs are unified and delivered to SLS with clear structure and complete fields. Without this data foundation, AI analysis has nothing to work with.

2. The Skill Standardizes the Query Workflow

The alibabacloud-sls-query Skill standardizes the entire SLS query and analysis process:

| Step | Skill Handles Automatically | Operations No Longer Needs To |
|---|---|---|
| Index Check | Reads Logstore index config | Remember which fields are indexed |
| Mode Selection | Picks full-text / SQL / SPL | Learn query syntax |
| Statement Construction | Natural language → query | Hand-write SPL/SQL |
| Time Resolution | "Today" → Unix timestamps | Calculate timestamps manually |
| Result Interpretation | JSON → readable report | Manually format data |

3. Client-Agnostic, Choose Your Tool

This solution doesn't lock you into any single AI tool. Any client that supports Skill loading works:

| Client | Best For |
|---|---|
| Qoder | Alibaba-native, deep cloud ecosystem integration |
| Qwen Code | Tongyi assistant, strong Chinese language understanding |
| Claude Code | Terminal agent, strong reasoning capabilities |
| OpenClaw/Hermes | Open-source terminal assistant, great for ops automation |
| Cursor | Mainstream AI IDE, mature ecosystem |
| GitHub Copilot | IDE-integrated, seamless for daily development |
| Codex | OpenAI code agent |
| Gemini CLI | Google command-line assistant |

Use OpenClaw or Claude Code in the terminal for quick health checks, Cursor or Copilot in the IDE for deeper analysis - same Skill, same ESA log source, different tools as needed.

4. Conversational Analysis Beats Static Dashboards

SLS console dashboards are great - but they're predefined. Real operations questions are often ad hoc:

  • "Did that attacking IP from yesterday show up again today?"
  • "Compare cache hit ratios between this week and last week."
  • "Are the 5xx errors on this domain correlated with origin fetch times?"

These can't be pre-built into dashboards, but an AI Agent answers them on the fly. And since the conversation retains context, you can keep drilling down.


Best Practices

Ensure Log Indexes Are Configured

The Skill's first step is reading the Logstore's index configuration. If ESA logs have no indexes, queries will fail. In the SLS console, verify:

  • Full-text indexing is enabled
  • Key fields (client_ip, host, uri, status, waf_action, attack_type, etc.) have field indexes
  • Statistical fields have doc_value enabled

Start Small, Then Expand

ESA log volumes are typically large. Start with narrow time windows (past 1 hour, past 30 minutes), confirm your direction, then widen. Avoid jumping straight to "past 1 month" and hitting timeouts.

Iterative Conversational Analysis

The AI Agent's strength lies in conversational context. Follow up on results rather than starting from scratch each time:

Q: "How many WAF blocks today?"
A: "12,345 blocks total..."
Q: "What's the dominant attack type?"
A: "SQL injection at 68%..."
Q: "Which IPs are driving those SQL injections?"
A: "Top 3 IPs are..."


Combine with the ESA Console for Configuration Changes

The AI Agent helps you analyze and identify issues. Concrete configuration changes (IP blocklists, WAF rules, cache policies) are still done in the ESA console. Close the loop: analyze → identify → adjust → verify.


Summary

Operations work depends on logs, statistics, and data analysis. Alibaba Cloud ESA provides comprehensive, structured, real-time delivered access logs and security defense logs - the data foundation for any operations analysis.

Alibaba Cloud's open-source alibabacloud-sls-query Skill standardizes the SLS query and analysis workflow, enabling AI Agents to automatically handle index checks, query construction, execution, and result interpretation. When integrated into mainstream AI clients like Qoder, Claude Code, Cursor, and OpenClaw, operations teams can perform routine health checks, security analysis, performance optimization, and report generation using nothing but natural language.

ESA delivers the comprehensive log data. AI Agents make that data instantly accessible. Operations teams no longer need to learn query languages, open consoles, or write SPL - just ask, and the report is ready.

