This topic describes the fields of access logs in Anti-DDoS Pro, Anti-DDoS Premium, and Anti-DDoS Origin.

Anti-DDoS Pro

Log fieldDescription
__topic__The topic of a log entry. Valid value: ddoscoo_access_log.
owner_idThe ID of an Alibaba Cloud account.
body_bytes_sentThe size of a request body. Unit: bytes.
cc_actionThe action that is performed based on an HTTP flood protection policy. The action can be none, challenge, pass, close, captcha, wait, or login.
cc_phaseThe HTTP flood protection policy that is matched. The policy can be seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, or qps_overmax.
cc_blocksIndicates whether a request is blocked by an HTTP flood protection policy. Valid values:
  • If the value is 1, the request is blocked.
  • If the value is not 1, the request is passed.
content_typeThe content type of a request.
hostThe origin server.
http_cookieThe Cookie HTTP header.
http_refererThe Referer HTTP header. If an HTTP header does not contain a referer, a hyphen (-) is displayed.
http_user_agentThe User-Agent HTTP header.
http_x_forwarded_forThe IP address of an upstream user. The IP address is forwarded by a proxy server.
httpsIndicates whether a request is an HTTPS request. Valid values:
  • true: The request is an HTTPS request.
  • false: The request is an HTTP request.
isp_lineThe information of an Internet service provider (ISP) line, for example, BGP, China Telecom, or China Unicom.
matched_hostThe matched origin server, which can be a wildcard domain name. If no origin server is matched, a hyphen (-) is displayed.
real_client_ipThe real IP address of a client. If no real IP address can be obtained, a hyphen (-) is displayed.
remote_addrThe IP address of a client that sends an access request.
remote_portThe port number of a client that sends an access request.
request_lengthThe size of a request. Unit: bytes.
request_methodThe HTTP method of a request.
request_time_msecThe duration in which a request is processed. Unit: milliseconds.
request_uriThe uniform resource identifier (URI) of a request.
server_nameThe name of a matched server. If no server name is matched, default is displayed.
statusThe HTTP status code.
timeThe time when a request is sent.
ua_browserThe browser.
ua_browser_familyThe family to which a browser belongs.
ua_browser_typeThe type of a browser.
ua_device_typeThe type of a client.
ua_osThe operating system of a client.
ua_os_familyThe family of the operating system that runs on a client.
upstream_addrThe list of back-to-origin IP addresses. Each IP address is in the IP:Port format.

Multiple IP addresses are separated by commas (,).

upstream_ipThe real IP address of an origin server.
upstream_response_timeThe response time of a back-to-origin process. Unit: seconds.
upstream_statusThe HTTP status code of a back-to-origin request.

Anti-DDoS Premium

Log fieldDescription
__topic__The topic of a log entry. Valid value: ddosdip_access_log.
owner_idThe ID of an Alibaba Cloud account.
body_bytes_sentThe size of a request body. Unit: bytes.
cc_actionThe action that is performed based on an HTTP flood protection policy. The action can be none, challenge, pass, close, captcha, wait, or login.
cc_phaseThe HTTP flood protection policy that is matched. The policy can be seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, or qps_overmax.
cc_blocksIndicates whether a request is blocked by an HTTP flood protection policy. Valid values:
  • If the value is 1, the request is blocked.
  • If the value is not 1, the request is passed.
content_typeThe content type of a request.
hostThe origin server.
http_cookieThe Cookie HTTP header.
http_refererThe Referer HTTP header. If an HTTP header does not contain a referer, a hyphen (-) is displayed.
http_user_agentThe User-Agent HTTP header.
http_x_forwarded_forThe IP address of an upstream user. The IP address is forwarded by a proxy server.
httpsIndicates whether a request is an HTTPS request. Valid values:
  • true: The request is an HTTPS request.
  • false: The request is an HTTP request.
isp_lineThe information of an ISP line, for example, BGP, China Telecom, or China Unicom.
matched_hostThe matched origin server, which can be a wildcard domain name. If no origin server is matched, a hyphen (-) is displayed.
real_client_ipThe real IP address of a client. If no real IP address can be obtained, a hyphen (-) is displayed.
remote_addrThe IP address of a client that sends an access request.
remote_portThe port number of a client that sends an access request.
request_lengthThe size of a request. Unit: bytes.
request_methodThe HTTP method of a request.
request_time_msecThe duration in which a request is processed. Unit: milliseconds.
request_uriThe URI of a request.
server_nameThe name of a matched server. If no server name is matched, default is displayed.
statusThe HTTP status code.
timeThe time when a request is sent.
ua_browserThe browser.
ua_browser_familyThe family to which a browser belongs.
ua_browser_typeThe type of a browser.
ua_device_typeThe type of a client.
ua_osThe operating system of a client.
ua_os_familyThe family of the operating system that runs on a client.
upstream_addrThe list of back-to-origin IP addresses. Each IP address is in the IP:Port format.

Multiple IP addresses are separated by commas (,).

upstream_ipThe real IP address of an origin server.
upstream_response_timeThe response time of a back-to-origin process. Unit: seconds.
upstream_statusThe HTTP status code of a back-to-origin request.

Anti-DDoS Origin

Log fieldDescription
__topic__The topic of a log entry. Valid value: ddosbqp_access_log.
data_typeThe type of a log entry.
event_typeThe type of an event.
ipThe IP address from which the request is sent.
subnetThe CIDR block of the instance that is rerouted.
event_timeThe date when an event occurs, for example, 2020-01-01.
qpsThe number of queries per second when an event occurs.
pps_inThe rate of inbound traffic when an event occurs. Unit: packets per second (pps).
new_conThe new connection that is established when an event occurs.
kbps_inThe rate of inbound traffic when an event occurs. Unit: bit/s.
instance_idThe ID of an instance.
timeThe time when a log is generated, for example, 2020-07-17 10:00:30.
destination_ipThe IP address of a destination server.
portThe destination port.
total_traffic_in_bpsThe rate of total inbound traffic. Unit: bit/s.
total_traffic_drop_bpsThe rate of total inbound traffic that is dropped. Unit: bit/s.
total_traffic_in_ppsThe rate of total inbound traffic. Unit: pps.
total_traffic_drop_ppsThe rate of total inbound traffic that is dropped. Unit: pps.
pps_types_in_tcp_ppsThe rate of inbound TCP traffic that is measured by protocol. Unit: pps.
pps_types_in_udp_ppsThe rate of inbound UDP traffic that is measured by protocol. Unit: pps.
pps_types_in_icmp_ppsThe rate of inbound ICMP traffic that is measured by protocol. Unit: pps.
pps_types_in_syn_ppsThe rate of inbound SYN traffic that is measured by protocol. Unit: pps.
pps_types_in_ack_ppsThe rate of inbound ACK traffic that is measured by protocol. Unit: pps
user_idThe ID of an Alibaba Cloud account.