In the Anti-DDoS Pro console, you can enable the DDoS log collection function for a website.

Prerequisites

  1. Enable Anti-DDoS Pro, purchase Anti-DDoS Pro instances, and complete the online configuration.
  2. Activate Log Service.

Background information

Log Service supports real-time collection of Alibaba Cloud Anti-DDoS Pro website access logs and CC attack logs, and real-time query and analysis of the collected log data. Query results are displayed as dashboards. The logs let you analyze access and attack behavior in real time and help the security team formulate a protection strategy.

Procedure

  1. Log on to the Anti-DDoS Pro console and select Log > Full Log in the left-side navigation pane to open the Full Log page.
  2. If you are configuring DDoS log collection for the first time, follow the instructions on the page to complete the authorization. 
    After authorization, Anti-DDoS Pro has permission to write DDoS logs to your Logstore.
  3. Select the website for which you want to enable the DDoS log collection function and make sure that Status is turned on.
    Figure 1. Enable the function

    At this point, DDoS log collection is enabled for the current website. Log Service automatically creates a Logstore under your account, and Anti-DDoS Pro writes all logs of every website that has this feature enabled into this Logstore. For the default Logstore configuration, see Table 1. Default configuration.

    Table 1. Default configuration

    Configuration item | Content
    Project | By default, the ddos-pro-logstore project is created.
    Logstore | By default, a Logstore is created. The Logstore name is determined by the region of the DDoS instance you purchased:
      • DDoS instances in mainland China: ddos-pro-project-<Alibaba Cloud Account ID>-cn-hangzhou
      • Other DDoS instances: ddos-pro-project-<Alibaba Cloud Account ID>-ap-southeast-1
      All logs generated by the DDoS log collection function are saved in this Logstore.
    Region | Where the default project is stored:
      • If the DDoS region is in mainland China, the default project is saved in China East 1.
      • If the DDoS region is outside mainland China, the default project is saved in Asia Pacific SE 1.
    Shard | By default, two shards are created and the Auto split shard feature is turned on.
    Log storage time | The default storage time is three days, within the free quota. After three days, logs are automatically deleted.
      For a longer storage time, you can customize the configuration. For more information, see the How to modify the storage time of the website log section in Billing method.
    Dashboard | By default, two dashboards are created:
      • ddos-pro-logstore_ddos_operation_center: Operation center
      • ddos-pro-logstore_ddos_access_center: Access center
      For more information about dashboards, see Log Report.

    You can query and analyze the collected logs in real time on the current Full Log page. The following table describes the log fields. In addition, Log Service creates two dashboards, DDoS Operation center and Access center; you can also customize the dashboard configurations.

    Field | Description | Example
    __topic__ | Log topic, fixed to ddos_access_log. | -
    body_bytes_sent | Size of the body sent, in bytes. | 2
    content_type | Content type of the request. | application/x-www-form-urlencoded
    host | Source website. | api.zhihu.com
    http_cookie | Request cookie. | k1=v1;k2=v2
    http_referer | Request referer. If none, - is displayed. | http://xyz.com
    http_user_agent | Request user agent. | Dalvik/2.1.0 (Linux; U; Android 7.0; EDI-AL10 Build/HUAWEIEDISON-AL10)
    http_x_forwarded_for | Upstream user IP address forwarded by the proxy. | -
    https | Whether the request is an HTTPS request: true means an HTTPS request, false means an HTTP request. | true
    matched_host | Source website that matched the configuration; may be a wildcard domain name. If there is no match, - is displayed. | *.zhihu.com
    real_client_ip | Real IP address of the client. If not available, - is displayed. | 1.2.3.4
    isp_line | Line information, such as BGP, Telecommunication, or Unicom. | Telecommunication
    remote_addr | IP address of the client connection. | 1.2.3.4
    remote_port | Port of the client connection. | 23713
    request_length | Length of the request, in bytes. | 123
    request_method | HTTP request method. | GET
    request_time_msec | Request time. The unit is microsecond. | 44
    request_uri | Request path. | /answers/377971214/banner
    server_name | Matched host name. If there is no match, default is displayed. | api.abc.com
    status | HTTP status code. | 200
    time | Time of the request. | 2018-05-02T16:03:59+08:00
    cc_action | CC protection action, such as none, challenge, pass, close, captcha, wait, logon, n. | close
    cc_blocks | Whether the request was blocked by CC protection: 1 means blocked; any other value means passed. | 1
    cc_phase | CC protection policy that applied, one of seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, qps_overmax. | server_ip_blacklist
    ua_browser | Browser. | ie9
    ua_browser_family | Browser family. | Internet explorer
    ua_browser_type | Browser type. | web_browser
    ua_browser_version | Browser version. | 9.0
    ua_device_type | Client device type. | computer
    ua_os | Client operating system. | windows_7
    ua_os_family | Client operating system family. | windows
    upstream_addr | List of origin server addresses, in IP:Port format. Multiple addresses are separated by commas. | 1.2.3.4:443
    upstream_ip | IP address of the origin server that was actually used. | 1.2.3.4
    upstream_response_time | Response time of the origin server, in seconds. | 0.044
    upstream_status | HTTP status code returned by the origin server. | 200
    user_id | Alibaba Cloud user ID. | 12345678
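
    As an added example (not part of this documentation and not Anti-DDoS Pro or Log Service code), the following Python script parses log records that use the field names above and derives two things a security team typically wants from them: which client IPs were blocked by CC protection and in which cc_phase, and, per website, how many requests reached the origin, how many received a 5xx from it, and how many were slow. The sample lines are constructed for illustration. The assumption that a request blocked at the edge carries - in upstream_status and upstream_response_time, the 1-second slow threshold, and all function names are choices made here, not values defined by the product.

```python
"""Analyze Anti-DDoS Pro ddos_access_log records (added example, not product code)."""
import json
from collections import Counter, defaultdict

# Constructed sample log lines in the ddos_access_log schema (not real traffic).
# Only the fields used by the analysis are included; a real record carries every
# field from the table above. ASSUMPTION: a request blocked at the edge carries
# "-" in upstream_status and upstream_response_time (the doc's "not available" marker).
SAMPLE_LINES = [
    '{"__topic__":"ddos_access_log","time":"2018-05-02T16:03:59+08:00","host":"api.example.com",'
    '"real_client_ip":"1.2.3.4","remote_addr":"1.2.3.4","request_uri":"/login","status":"200",'
    '"cc_action":"none","cc_blocks":"0","cc_phase":"-","upstream_status":"200","upstream_response_time":"0.044"}',
    '{"__topic__":"ddos_access_log","time":"2018-05-02T16:04:00+08:00","host":"api.example.com",'
    '"real_client_ip":"1.2.3.4","remote_addr":"1.2.3.4","request_uri":"/login","status":"403",'
    '"cc_action":"close","cc_blocks":"1","cc_phase":"server_ip_blacklist","upstream_status":"-","upstream_response_time":"-"}',
    '{"__topic__":"ddos_access_log","time":"2018-05-02T16:04:01+08:00","host":"api.example.com",'
    '"real_client_ip":"1.2.3.4","remote_addr":"1.2.3.4","request_uri":"/login","status":"403",'
    '"cc_action":"close","cc_blocks":"1","cc_phase":"qps_overmax","upstream_status":"-","upstream_response_time":"-"}',
    '{"__topic__":"ddos_access_log","time":"2018-05-02T16:04:02+08:00","host":"www.example.com",'
    '"real_client_ip":"-","remote_addr":"5.6.7.8","request_uri":"/","status":"502",'
    '"cc_action":"pass","cc_blocks":"0","cc_phase":"-","upstream_status":"502","upstream_response_time":"3.001"}',
    '{"__topic__":"ddos_access_log","time":"2018-05-02T16:04:03+08:00","host":"www.example.com",'
    '"real_client_ip":"9.9.9.9","remote_addr":"9.9.9.9","request_uri":"/","status":"200",'
    '"cc_action":"captcha","cc_blocks":"0","cc_phase":"seccookie","upstream_status":"200","upstream_response_time":"0.120"}',
]


def _num(value, cast):
    """Convert a string field to a number; "-" means "not available" and becomes None."""
    return None if value in (None, "-") else cast(value)


def parse_line(line):
    """Parse one JSON log line and normalise the fields used below."""
    rec = json.loads(line)
    if rec.get("__topic__") != "ddos_access_log":
        raise ValueError("not a ddos_access_log record")
    rec["status"] = _num(rec.get("status"), int)
    rec["upstream_status"] = _num(rec.get("upstream_status"), int)
    rec["upstream_response_time"] = _num(rec.get("upstream_response_time"), float)
    # Per the field table: cc_blocks 1 means blocked, any other value means passed.
    rec["cc_blocks"] = rec.get("cc_blocks") == "1"
    # Prefer real_client_ip; when it is "-" fall back to the connecting address.
    real_ip = rec.get("real_client_ip")
    rec["client_ip"] = real_ip if real_ip not in (None, "-") else rec.get("remote_addr")
    return rec


def blocked_clients(records):
    """Blocked requests per client IP, broken down by the cc_phase that fired."""
    out = defaultdict(Counter)
    for r in records:
        if r["cc_blocks"]:
            out[r["client_ip"]][r["cc_phase"]] += 1
    return {ip: dict(phases) for ip, phases in out.items()}


def origin_health(records, slow_threshold_s=1.0):
    """Per host: requests forwarded to the origin, origin 5xx responses, slow responses."""
    stats = defaultdict(lambda: {"forwarded": 0, "upstream_5xx": 0, "slow": 0})
    for r in records:
        if r["upstream_status"] is None:
            continue  # blocked at the edge, never reached the origin
        host_stats = stats[r["host"]]
        host_stats["forwarded"] += 1
        if r["upstream_status"] >= 500:
            host_stats["upstream_5xx"] += 1
        rt = r["upstream_response_time"]
        if rt is not None and rt > slow_threshold_s:
            host_stats["slow"] += 1
    return dict(stats)


def analyze(lines, slow_threshold_s=1.0):
    """Run both analyses over raw log lines and return a single summary dict."""
    records = [parse_line(line) for line in lines]
    return {
        "blocked": blocked_clients(records),
        "origin": origin_health(records, slow_threshold_s),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LINES), indent=2))
```

    Records that were blocked at the edge are excluded from the origin statistics, so an attack that CC protection absorbs does not show up as origin errors; a rising upstream_5xx or slow count on a host therefore points at traffic that got through or at an origin problem, which is a different response path than a rising blocked count.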

What to do next

  • Click Log Analysis to query and analyze the collected log data.
  • Click Log Report to view the built-in dashboards.
  • Click Advanced Management to go to the Log Service console, where you can query the collected log data, collect statistics, consume it as a stream, and set alarms on it.