Anti-DDoS Pro and Anti-DDoS Premium are integrated with Alibaba Cloud Log Service to collect and analyze website access logs, including logs of HTTP flood attacks. Log Analysis is a value-added feature. You must make a purchase to activate this feature. After you activate Log Analysis, Log Service collects access logs of the website that is protected by Anti-DDoS Pro or Anti-DDoS Premium in real time. You can query and analyze the logs, and view log reports.
Background information
The Log Analysis feature of Anti-DDoS Pro or Anti-DDoS Premium is provided based on Alibaba Cloud Log Service. You can query and analyze logs on dashboards. This helps you flexibly analyze and monitor your website services. After you activate Log Analysis, you can consume and ship logs by using Log Service. This allows you to manage website access logs collected by Anti-DDoS Pro or Anti-DDoS Premium.
For more information, see What is Log Service?
Activate Log Analysis
Enable Log Analysis for a website
Use Log Analysis
After you enable Log Analysis for a domain name, you can query and analyze website access logs on the Log Analysis page and view log reports provided by Anti-DDoS Pro or Anti-DDoS Premium.
Category | Function | Description | Reference |
---|---|---|---|
Log Analysis | Query and analyze logs | You can enter a query and analysis statement to query and analyze collected log data in real time. A query and analysis statement consists of a search clause and an analytics clause, separated by a vertical bar (`\|`). For example, a statement can query the number of visits to a website. For more example statements, see the "Common query statements" section in this topic. | Query and analyze logs |
 | Charts | After you execute a query and analysis statement, the analysis results are presented in a table by default. You can select a line chart, column chart, or pie chart to present the results instead. | Overview |
 | Monitoring and alerts | You can configure alerts based on the charts on a dashboard to monitor the service status in real time. | Alert overview |
Log Reports | Log reports are presented on dashboards in real time. | You can query and analyze logs by using statements and save the charts of the analysis results to a dashboard. Log Analysis provides two default dashboards: DDoS Access Center and DDoS Operation Center. You can also subscribe to a dashboard or send it to specific recipients by email or DingTalk message. | |
Scenarios
- Troubleshoot website access issues.
  After Log Analysis is enabled for your domain name, you can query and analyze logs collected from your website in real time. You can use SQL statements to analyze website access logs. This allows you to troubleshoot and analyze access issues, and view information such as read/write latency and the distribution of ISPs.
  The following example statement queries the access logs of your website:
  ```
  __topic__: DDoS_access_log
  ```
- Track HTTP flood attacks.
  Access logs record the sources and distribution of HTTP flood attacks. You can query and analyze access logs in real time to identify the attack sources and implement protection strategies.
  The following example statement analyzes the geographical distribution of HTTP flood attacks:
  ```
  __topic__: DDoS_access_log and cc_blocks > 0 | SELECT ip_to_country(if(real_client_ip='-', remote_addr, real_client_ip)) as country, count(1) as "Number of attacks" group by country
  ```
  The following example statement queries the PVs (page views) of your website:
  ```
  __topic__: DDoS_access_log | select count(1) as PV
  ```
- Analyze website operations.
  Access logs record information about website traffic in real time. You can use SQL statements to analyze the logs and obtain information about website operations in real time. For example, you can identify the most visited webpages, the source IP addresses of clients, the browsers that initiated the requests, and the distribution of clients.
  The following example statement queries the traffic distribution across ISPs:
  ```
  __topic__: DDoS_access_log | select ip_to_provider(if(real_client_ip='-', remote_addr, real_client_ip)) as provider, round(sum(request_length)/1024.0/1024.0, 3) as mb_in group by provider having ip_to_provider(if(real_client_ip='-', remote_addr, real_client_ip)) <> '' order by mb_in desc limit 10
  ```
Common query statements
- Query the types of blocked requests.
  ```
  * | select cc_action,cc_phase,count(*) as t group by cc_action,cc_phase order by t desc limit 10
  ```
- Query the QPS (averaged over 15-minute windows, so the count per window is divided by 900 seconds).
  ```
  * | select time_series(__time__,'15m','%H:%i','0') as time,count(*)/900 as QPS group by time order by time
  ```
- Query attacked domain names (the original statement repeated the blocked-request-type query; this one groups blocked requests by the host field).
  ```
  * and cc_blocks:1 | select host,count(*) as t group by host order by t desc limit 10
  ```
- Query attacked URLs.
  ```
  * and cc_blocks:1 | select count(*) as times,host,request_path group by host,request_path order by times
  ```
- Query request details.
  ```
  * | select date_format(date_trunc('second',__time__),'%H:%i:%s') as time,host,request_uri,request_method,status,upstream_status,querystring limit 10
  ```
- Query 5XX HTTP status codes.
  ```
  * and status>499 | select host,status,upstream_status,count(*) as t group by host,status,upstream_status order by t desc
  ```
- Query the distribution of request latency. The lower bound of each bucket uses `>=` so that a latency that falls exactly on a boundary (for example 20 or 1000) is counted in exactly one bucket.
  ```
  * | SELECT count_if(upstream_response_time<20) as "<20", count_if(upstream_response_time<50 and upstream_response_time>=20) as "<50", count_if(upstream_response_time<100 and upstream_response_time>=50) as "<100", count_if(upstream_response_time<500 and upstream_response_time>=100) as "<500", count_if(upstream_response_time<1000 and upstream_response_time>=500) as "<1000", count_if(upstream_response_time>=1000) as ">=1000"
  ```
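To make clear what the statements in the "Scenarios" and "Common query statements" sections actually compute, the following Python script reproduces several of them over a handful of constructed access-log records. It is an added example, not Alibaba Cloud's or Log Service's own code; the field names (`real_client_ip`, `remote_addr`, `cc_blocks`, `host`, `status`, `upstream_response_time`, `__time__`) follow the statements above, the record values and the `T0` timestamp are made up, and the raw client IP stands in for the `ip_to_country` lookup, which needs a GeoIP database that is not available offline.

```python
# Added example (not Alibaba Cloud's or Log Service's own code): reproduces in plain Python
# what several of the Log Analysis statements on this page compute, over constructed records.
# Field names follow the page's statements; the record values themselves are made up.
from collections import Counter

T0 = 1699999200  # constructed base timestamp, aligned to a 15-minute (900 s) boundary

# Constructed sample records. __time__ is a Unix timestamp; upstream_response_time is in ms;
# real_client_ip is '-' when no upstream proxy supplied a client address.
SAMPLE_LOGS = [
    {"__time__": T0,        "real_client_ip": "-",            "remote_addr": "203.0.113.5",
     "host": "www.example.com", "status": 200, "cc_blocks": 0, "upstream_response_time": 12},
    {"__time__": T0 + 30,   "real_client_ip": "198.51.100.7", "remote_addr": "203.0.113.9",
     "host": "www.example.com", "status": 502, "cc_blocks": 0, "upstream_response_time": 20},
    {"__time__": T0 + 1000, "real_client_ip": "-",            "remote_addr": "198.51.100.20",
     "host": "api.example.com", "status": 200, "cc_blocks": 1, "upstream_response_time": 75},
    {"__time__": T0 + 1700, "real_client_ip": "-",            "remote_addr": "198.51.100.20",
     "host": "api.example.com", "status": 503, "cc_blocks": 1, "upstream_response_time": 1000},
    {"__time__": T0 + 2599, "real_client_ip": "-",            "remote_addr": "203.0.113.5",
     "host": "www.example.com", "status": 200, "cc_blocks": 0, "upstream_response_time": 2500},
]


def client_ip(rec):
    """if(real_client_ip='-', remote_addr, real_client_ip): use the proxy-reported client
    address when present, otherwise the address the connection actually came from."""
    return rec["remote_addr"] if rec["real_client_ip"] == "-" else rec["real_client_ip"]


def blocked_requests_by_source(records):
    """'... and cc_blocks > 0 | select <client ip>, count(1) group by <client ip>'.
    The page groups by ip_to_country(...); here the raw client IP stands in for the
    country lookup, which needs a GeoIP database."""
    return Counter(client_ip(r) for r in records if r["cc_blocks"] > 0)


def errors_5xx_by_host(records):
    """'* and status>499 | select host,status,count(*) as t group by host,status order by t desc'."""
    counts = Counter((r["host"], r["status"]) for r in records if r["status"] > 499)
    return sorted(counts.items(), key=lambda kv: -kv[1])


# Half-open buckets [lo, hi): every latency value lands in exactly one bucket, including
# values that sit exactly on a boundary such as 20 or 1000.
LATENCY_BUCKETS = [("<20", 0, 20), ("<50", 20, 50), ("<100", 50, 100),
                   ("<500", 100, 500), ("<1000", 500, 1000), (">=1000", 1000, float("inf"))]


def latency_distribution(records):
    """The count_if(...) latency histogram, with explicit half-open bucket edges."""
    dist = {label: 0 for label, _, _ in LATENCY_BUCKETS}
    for r in records:
        t = r["upstream_response_time"]
        for label, lo, hi in LATENCY_BUCKETS:
            if lo <= t < hi:
                dist[label] += 1
                break
    return dist


def qps_by_window(records, window_s=900):
    """time_series(__time__,'15m',...), count(*)/900: average QPS per 15-minute window,
    keyed by the window's start timestamp."""
    counts = Counter((r["__time__"] // window_s) * window_s for r in records)
    return {start: n / window_s for start, n in sorted(counts.items())}


if __name__ == "__main__":
    print("blocked by source:", blocked_requests_by_source(SAMPLE_LOGS))
    print("5xx by host:", errors_5xx_by_host(SAMPLE_LOGS))
    print("latency buckets:", latency_distribution(SAMPLE_LOGS))
    print("QPS per window:", qps_by_window(SAMPLE_LOGS))
```

Two details are worth checking against your own logs: the `real_client_ip='-'` fallback decides which address your HTTP flood statistics are keyed on, and the latency buckets only sum to the total request count when their edges are half-open, as in `LATENCY_BUCKETS` above.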