In the Anti-DDoS Pro console, you can enable DDos log collection function for the website.
- Enable Anti-DDoS Pro function, purchase Anti-DDoS Pro instances, and Online configuration.
- Enable Anti-DDoS Pro function, purchase Anti-DDoS Pro instances.
- Activate Log Service.
Log Service supports real-time collection of Alibaba Cloud Anti-DDoS Pro website access logs, CC attack logs, and supports real-time query and analysis of collected log data. The results of the query are displayed in the form of dashboards, and logs are used to analyze the access and attack behavior in real time, and assist the security department to formulate a protection strategy.
- Log on to the Anti-DDoS Pro console and select Full Log page. in the left-side navigation pane. Enter the
- If you are configuring DDoS log collection for the first time, follow the instructions on the page.
DDoS has permission to distribute DDoS logs to your Logstore after authorization.
- Select the website for which you want to enable DDoS log collection function and make sure the Status is on.
At this point, you have successfully enabled DDoS log collection for the current website. Log Service automatically creates a Logstore under your account. DDoS imports all the logs of the website that have this feature enabled into this Logstore. For Logstore default configurations, see Default configuration.
Table 1. Default configuration Default configuration item Configuration content Project By default,
ddos-pro-logstoreproject is created.
Logstore By default, Logstore is created. Logstore name is determined by the domain of the DDoS you purchased.
- DDoS instances in mainland China:
ddos-pro-project-Alibaba Cloud Account ID-cn-hangzhou.
- Other DDoS instances:
ddos-pro-project-Alibaba Cloud Account ID-ap-southeast-1
All logs generated by the DDoS log collection function are saved in this Logstore.
- If the DDoS region is in mainland China, the default project is saved in China East 1.
- If the DDoS region is outside mainland China, the default project is saved in Asia Pacific SE 1.
Shard By default, two shards are created and the Auto split shard feature is turned on. Log storage time The default storage time is three days, within the free quota. After three days logs are automatically deleted.
For longer storage time, you can customize the configurations. For more information, see the How to modify the storage time of the website log section in Billing method.
Dashboard By default, two dashboards are created:
ddos-pro-logstore_ddos_operation_center: Operation center
ddos-pro-logstore_ddos_access_center: Access center
You can query and analyze the collected logs in real time on the currentFull Log page. See the following figure for a log field description. In addition, Log Service creates two DDoS Operation center and Access center dashboards. You can also customize the dashboard configurations.
Field Description Example __topic__ The topic of the log is fixed to ddos_access_log. - body_bytes_sent Request to send the size of the Body. The unit is byte. 2 content_type Content type. application/x-www-form-urlencoded host Source website. api.zhihu.com http_cookie Request cookie. k1=v1;k2=v2 http_referer Request referer. If none, the
http://xyz.com http_user_agent User agent request. Dalvik/2.1.0 (Linux; U; Android 7.0; EDI-AL10 Build/HUAWEIEDISON-AL10) http_x_forwarded_for The upstream user IP that is redirected by the proxy. - https Whether the request is an HTTPS request, wherein:
- true: the request is an HTTPS request.
- false: the request is an HTTP request.
true matched_host The source website of the matching configuration may be a pan-domain name. If not matching, the
*.zhihu.com real_client_ip Access the customer real IP. If not available, the
126.96.36.199 isp_line Line information, such as BGP, telecommunication, Unicom. Telecommunication remote_addr Request client IP connection. 188.8.131.52 remote_port Request client port connection. 23713 request_length The length of the request. The unit is byte. 123 request_method The HTTP request method. GET request_time_msec Request time. The unit is microsecond. 44 request_uri Request path. /answers/377971214/banner server_name The matching host name. If not matching, the
api.abc.com status HTTP status code. 200 time Time. 2018-05-02T16:03:59+08:00 cc_action CC protection policy, such as none, challenge, pass, close, captcha, wait, logon, n. close cc_blocks Indicates whether CC protection is blocked, wherein:
- 1: Blocked.
- Other codes: Passed.
1 cc_phase CC protection policy, including seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, qps_overmax. server_ip_blacklist ua_browser Browser. ie9 ua_browser_family Browser series. Internet explorer ua_browser_type Browser type. web_browser ua_browser_version Browser version. 9.0 ua_device_type Client device type. computer ua_os Client operating system. windows_7 ua_os_family Client operating system series. windows upstream_addr Return source address list, the format is
IP:Port. Multiple addresses are separated by commas.
184.108.40.206:443 upstream_ip The actual return source address IP. 220.127.116.11 upstream_response_time The response time of the source. The unit is second. 0.044 upstream_status Return source request HTTP status. 200 user_id Alibaba Cloud user ID. 12345678
- DDoS instances in mainland China: