Alibaba Cloud Server Load Balancer (SLB) distributes traffic among multiple ECS instances to improve the service capabilities of your applications. You can use SLB to prevent single point of failures (SPOFs) and improve the availability of your applications.

The access log feature of SLB can be applied to HTTP- and HTTPS-based Layer 7 load balancing. Access logs can contain about 30 fields such as the time when a request is received, the IP address of the client, processing latency, request URI, backend server (ECS instance) address, and returned status code. As an Internet access point, SLB needs to distribute a large number of access requests. You can use access logs to analyze the behaviors and geographical distribution of client users, and troubleshoot issues.

Note The access log feature can only be applied to Layer 7 load balancing. This feature is available in all regions.


  • Simple: The access log feature enables developers and operations and maintenance (O&M) personnel to break free from tedious and time-consuming log processing so that they can concentrate on business development and technical research.
  • Massive: Access logs are directly proportional to request PVs of SLB instances. Typically, a large amount of data needs to be processed. Therefore, you must consider performance and cost issues when you process access logs. SLB can analyze 100 million logs in one second and has obvious cost advantages compared with open source solutions.
  • Real-time: Scenarios such as DevOps, monitoring, and alerting require real-time log data. Traditional methods cannot meet this requirement. For example, performing ETL in Hive requires a long time. During this process, a lot of work is required for data integration. The access log feature of SLB combines the powerful big data computing capability of Alibaba Cloud Log Service to analyze and process real-time data in seconds.
  • Elastic: You can enable or disable the access log feature based on SLB instances. You can set the storage period as needed and dynamically scale the Logstore capacity to meet business growth requirements.

Configure Log Service to collect SLB Layer 7 access logs


  1. SLB and Log Service are activated. An SLB instance, a Log Service project, and and a Logstore are created. The Log Service project and the Logstore must belong to the same region. For more information about how to create an SLB instance, see Create an SLB instance.
    Note Only Layer 7 load balancing supports the access log feature. This feature is now available in all regions.
  2. If you log on to the console as a RAM user, you must first use your Alibaba Cloud account to authorize the RAM user. For more information, see Authorize a RAM user to use access logs.


  1. Log on to the Log Service console, and then click the target project name.
  2. Click the Import Data button. On the Import Data page that appears, select SLB Layer-7 Access Logs.
  3. Select a Logstore.

    Select an existing Logstore, or create a new project or Logstore.

  4. Create a dispatch rule as prompted. Click Configure SLB to go to the SLB console.
    1. In the left-side navigation pane, choose Logs > Access Logs.
    2. Find the target SLB instance and click Configure Logging next to the instance.
      Note Make sure that the project and the SLB instance are in the same region.
      Figure 1. Log settings
      Log settings
    3. Specify the project and Logstore and then click OK.
    4. After the configuration is complete, close the dialog box. Return to the data import wizard and click Next.
  5. Configure query and analysis.

    Log Service provides several preset indexes for querying SLB access logs. For more information about the related fields, see Field description. Confirm the settings and click Next.

    Note By default, the system creates two dashboards whose names start with Logstore names: {LOGSTORE}-slb_layer7_access_center and {LOGSTORE}-slb_layer7_operation_center. After the configuration is complete, you can view the dashboards on the Dashboard page.

What to do next

  • Real-time log query

    You can use any keywords to query logs. Both exact query and fuzzy matching are supported. Log query can be used for troubleshooting or statistical query.

  • Preset analysis reports

    Log Service predefines two dashboards for your SLB logs: access_center and operation_center. access_center displays access details and operation_center displays the overview information. The displayed information includes top clients that send the most access requests, distribution of request status codes, top URIs that send the most access requests, trends of request packet traffic, and statistics on backend server response time.

  • Custom analysis charts

    You can perform ad-hoc queries based on any log data and save the results as charts to meet your statistical and business requirements.

  • Log monitoring alert

    You can perform custom analysis on SLB request logs and save the result as a query. You can also set an alert based on the query. When real-time log computing results exceed the defined threshold, the system sends an alert.

Field description

Field Description
body_bytes_sent The number of bytes of the HTTP message body sent to the client.
client_ip The IP address of the request client.
host The hostname. Obtain the value from the request parameters first. If no value is obtained, obtain it from the host header. If the value still cannot be obtained, use the IP address of the backend server that processes the request as the hostname.
http_host The host header in the request message.
http_referer The HTTP referer header in the request message received by the proxy.
http_user_agent The HTTP user-agent header in the request message received by the proxy.
http_x_forwarded_for The x-forwarded-for content in the request message received by the proxy.
http_x_real_ip The actual IP address of the client.
read_request_time The time when the proxy reads the request message. Unit: ms.
request_length The length of the request message, including the start-line, HTTP headers, and HTTP body.
request_method The request method.
request_time The interval between the time when the proxy receives the first request message and the time when the proxy returns a response message. Unit: seconds.
request_uri The URI of the request message received by the proxy.
scheme The request schema. Valid values: "http" and "https".
server_protocol The HTTP version received by the proxy, such as "HTTP/1.0" or "HTTP/1.1".
slb_vport The listening port of the SLB instance.
slbid The ID of the SLB instance.
ssl_cipher The cipher suite used, such as ECDHE-RSA-AES128-GCM-SHA256.
ssl_protocol The protocol used to establish an SSL connection, such as TLSv1.2.
status The status of the proxy response message.
tcpinfo_rtt The TCP RTT of the client. Unit: microseconds.
time The time when the log entry was created.
upstream_addr The IP address and port number of the backend server.
upstream_response_time The total time taken by the SLB instance to establish a connection to the backend server, receive data, and then close the connection. Unit: seconds.
upstream_status The response status code of the backend server received by the proxy.
vip_addr The virtual IP address.
write_response_time The time when the proxy writes the response message. Unit: ms.