Anti-DDoS Pro provides the full log feature that supports a wide array of fields.

You can query and analyze collected logs in real time on the Full Log page. The following table describes the fields supported by full log.
Field Description Example
__topic__ The topic of the log entry. The value of this field is fixed to ddos_access_log. -
body_bytes_sent The size of the body in the access request. The body is measured in bytes. 2
content_type The type of the content. application/x-www-form-urlencoded
host The source website. api.abc.com
http_cookie The request cookie. k1=v1;k2=v2
http_referer The request referer. If no referer exists, a hyphen (-) is displayed. http://xyz.com
http_user_agent The User-Agent of the request. Dalvik/2.1.0 (Linux; U; Android 7.0; EDI-AL10 Build/HUAWEIEDISON-AL10)
http_x_forwarded_for The IP address of the upstream user redirected by a proxy. -
https Indicates whether the request is an HTTPS request.
  • true: The request is an HTTPS request.
  • false: The request is an HTTP request.
true
matched_host The matching origin site, which may be a wildcard domain name. If no match is found, a hyphen (-) is displayed. *.zhihu.com
real_client_ip The real IP address of the visitor. If the real IP address cannot be obtained, a hyphen (-) is returned. 1.2.3.4
isp_line The information about the ISP line, such as BGP, China Telecom, and China Unicom. China Telecom
remote_addr The IP address of the client that initiates the connection request. 1.2.3.4
remote_port The port number of the client that initiates the connection request. 23713
request_length The size of the request, which is measured in bytes. 123
request_method The HTTP method of the request. GET
request_time_msec The processing time of the request. The time is measured in milliseconds. 44
request_uri The request URI. /answers/377971214/banner
server_name The name of the matching host. If no match is found, the value is default. api.abc.com
status The HTTP status code. 200
time The time when the log entry is generated. 2018-05-02T16:03:59+08:00
cc_action The anti-HTTP flood protection action. Valid values include none, challenge, pass, close, captcha, wait, and login. close
cc_blocks Indicates whether the request is blocked by anti-HTTP flood protection.
  • 1: The request is blocked.
  • Other values: The request is allowed.
Note In some cases, log entries may not contain this field. The last_result field is used instead to record whether a request is blocked by anti-HTTP flood protection.
1
last_result Indicates whether a request is blocked by anti-HTTP flood protection.
  • ok: The request is allowed.
  • failed: The request is blocked, or the verification fails.
Note In some cases, log entries may not contain this field. The cc_blocks field is used instead to record whether a request is blocked by anti-HTTP flood protection.
failed
cc_phase The anti-HTTP flood protection policy. Valid values include seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, and qps_overmax. server_ip_blacklist
ua_browser The browser.
Note In some cases, log entries may not contain this field.
ie9
ua_browser_family The browser series.
Note In some cases, log entries may not contain this field.
internet explorer
ua_browser_type The browser type.
Note In some cases, log entries may not contain this field.
web_browser
ua_browser_version The browser version.
Note In some cases, log entries may not contain this field.
9.0
ua_device_type The type of the client device.
Note In some cases, log entries may not contain this field.
computer
ua_os The operating system of the client.
Note In some cases, log entries may not contain this field.
windows_7
ua_os_family The operating system series of the client.
Note In some cases, log entries may not contain this field.
windows
upstream_addr The list of origin addresses that are separated with commas (,). Each address follows the IP:Port format. 1.2.3.4:443
upstream_ip The real origin IP address. 1.2.3.4
upstream_response_time The response time of the back-to-origin process. The time is measured in seconds. 0.044
upstream_status The HTTP status code of the back-to-origin request. 200
user_id The ID of the Alibaba Cloud account. 12345678
querystring The request string. token=bbcd&abc=123