Alibaba Cloud Dynamic Content Delivery Network (DCDN) collects log data on an hourly basis. You can download the daily log data of a domain name collected within the last 30 days. This topic describes how to download log data, the usage notes, and the log fields.

Usage notes

The traffic usage of accelerated domain names that is queried by using the monitoring or resource usage feature available in the Alibaba Cloud DCDN console or by calling API operations differs from that collected in logs. Typically, the traffic usage of accelerated domain names that is queried by using the monitoring or resource usage feature is 1.1 times that collected in logs. For more information, see Why is the actual billed network traffic different from the network traffic reported by the logging feature?

Usage notes

  • Log update delay: In most cases, log data is generated within 24 hours after an event occurs. In some cases, log data is generated after 24 hours.
  • Naming rule for logs: Accelerated domain name_year_month_day_start time_end time[extension field].gz. The extension field starts with an underscore (_). Example: aliyundoc.com_2018_10_30_000000_010000_xx.gz.
    Note Log names may not contain an extension field. Example: example.com_2018_10_30_000000_010000.gz.

Fields in access logs

  • Sample log entry
    [9/Jun/2015:01:58:09 +0800] 10.10.10.10 - 1542 "-" "GET http://www.aliyun.com/index.html" 200 191 2830 MISS "Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://example.com/robot/)" "text/html" "quic/https/http"
  • Fields
    FieldDescription
    [9/Jun/2015:01:58:09 +0800]The start time of the log entry.
    10.10.10.10The IP address of the client that initiated the request.
    -The IP address of the proxy.
    1542The response time. Unit: milliseconds.
    "-"The Referer header in HTTP requests.
    GETThe request method.
    http://www.aliyun.com/index.htmlThe request URL.
    200The HTTP status code.
    191The size of the request. Unit: bytes.
    2830The size of the response. Unit: bytes.
    MISSThe cache hit status. Valid values:
    • HIT: The request results in a cache hit on DCDN nodes and the request does not need to be redirected to the origin server.
    • MISS: The request results in a cache miss on DCDN nodes and the request is redirected to L2 DCDN nodes or the origin server.
    Note DCDN collects log data from DCDN nodes, excluding back-to-origin information of L2 DCDN nodes. If the field value is MISS, back-to-origin information is not provided. Therefore, the log data does not show if a request that is a cache miss is redirected to the origin server.
    Mozilla/5.0(compatible; AhrefsBot/5.0; +http://example.com/robot/)The User-Agent header.
    text/htmlThe file type.
    quic/https/httpThe protocol over which the request was transmitted.
    Note Other fields:
    • DYNAMIC: Dynamic request.
    • CHARGE: The request is billed.
    • NOTLAST: A reserved field, which has no meaning.

Fields in WAF logs

  • Sample log entry
    [16/May/2023:10:36:09 +0800] HEAD "http" api.aliyun.com "/block" "_dyc=89e7639543f17ddbe77361c56b9952b9" "-" api.aliyun.com 3d30530216842045692847280e 403 "-" "curl/7.29.0" "-" 1.XX.XX.1 1.XX.XX.1 false "-" deny "custom_acl" 20000014
  • Fields
    FieldExampleDescription
    unixtime[16/May/2023:10:36:09 +0800]The time when the request was initiated.
    methodHEADThe request method.
    schemehttpThe protocol over which the request was sent.
    domainapi.aliyun.comThe domain name to which the request was sent.
    uri/blockThe requested resource.
    uri_param_dyc=89e7639543f17ddbe77361c56b9952b9The request parameters.
    content_type-The type of the requested content.
    matched_hostapi.aliyun.comThe domain name that is matched by Web Application Firewall (WAF). The domain name is added to WAF for protection.
    request_id3d30530216842045692847280eThe ID of the request.
    return_code403The HTTP status code returned.
    referer-The Referer header in the HTTP request.
    user_agentcurl/7.29.0The information about the proxy of the client.
    x_forwarded_for-The X-Forwarded-For (XFF) header. This field is used to identify the real IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing service.
    client_ip1.XX.XX.1The real IP address of the client that sent the request.
    remote_addr1.XX.XX.1The IP address of the client.
    final_testFALSESpecifies that the monitoring mode is enabled.
    cookie-The HTTP Cookie header. This field contains information about the client.
    final_actiondenyThe executed protection action.
    • block: The request is blocked by the basic web protection module.
    • deny: The request is blocked by modules other than the basic web protection module.
    • captcha: common slider CAPTCHA verification is performed.
    • js: JavaScript verification is performed.
    • Empty string: The request is not blocked. No protection rule is triggered, a whitelist rule or monitor rule is triggered, or the request is allowed after the client passes the slider CAPTCHA verification or JavaScript verification.
    Note If a request triggers multiple protection policies at the same time, the value returned for this field indicates only the action that is performed. The following actions are listed in descending order of priority: block, slider CAPTCHA verification, dynamic token-based authentication, and JavaScript verification.
    final_plugincustom_aclThe matched protection module.
    • If final_action is not empty, this field has only one value and the value of this field is the name of the protection module that corresponds to the protection action (final_action) that is performed on the request.
    • If final_action is empty, this field can have multiple values and the values of this field are the names of the protection modules to which all protection rules are matched. If a matched module is not a basic web protection module or a whitelist module, and the module name contains a suffix "-T", the request matches the monitor rule of the module.
    Separate multiple values with commas (,). Protection modules:
    • whitelist: Rules of the whitelist module are matched.
    • waf: Rules of the basic web protection module are matched.
    • custom_acl: Rules of the custom rule module are matched.
    • ip_blacklist: Rules of the IP blacklist module are matched.
    • region_block: Rules of the region blacklist module are matched.
    • bot: Rules of the bot management module are matched.
    • anti_scan: Rules of the scan protection module are matched.
    final_rule_id20000014The matched protection rule.
    • If final_action is not empty, the value of this field is the ID of the protection rule that is applied to the request, which is the ID of the protection rule that corresponds to final_action.
    • If final_action is empty, this field contains the information about all protection rules that are matched. The information is in the following format: [module name]-[protection rule ID](-T). If a matched rule is a whitelist rule or a basic web protection rule, the information about the rule does not contain the suffix "-T". If a matched rule is a monitor rule of other protection modules, the information about the rule contains the suffix "-T".

    Separate multiple values with commas (,).

Procedure

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, choose Data Center > Logs > Offline Log.
  3. On the Log Download tab, select a domain name and a date and click Query.
  4. Find the log file that you want to download and click Download in the Actions column.

Related API operations

DescribeDcdnDomainLog: queries the address where you can download offline logs of a specific domain name.