This topic describes the fields of Anti-DDoS Pro log entries.

Log field Description
__topic__ The topic of a log entry. Valid value: ddos_access_log.
body_bytes_sent The size of a request body. Unit: bytes.
content_type The content type of a request.
host The origin server.
http_cookie The cookie of a request.
http_referer The referer of a request. If an HTTP header does not contain a referer, a hyphen (-) is displayed.
http_user_agent The user agent of a request.
http_x_forwarded_for The IP address of an upstream user. The IP address is forwarded by a proxy server.
https Indicates whether a request is an HTTPS request. Valid values:
  • true: The request is an HTTPS request.
  • false: The request is an HTTP request.
matched_host The matched origin server, which can be a wildcard domain name. If no origin server is matched, a hyphen (-) is displayed.
real_client_ip The real IP address of a client. If no real IP address can be obtained, a hyphen (-) is displayed.
isp_line The information of an Internet service provider (ISP) line, for example, BGP, China Telecom, or China Unicom.
remote_addr The IP address of a client that sends an access request.
remote_port The port number of a client that sends an access request.
request_length The size of a request. Unit: bytes.
request_method The HTTP method of a request.
request_time_msec The duration in which a request is processed. Unit: milliseconds.
request_uri The uniform resource identifier (URI) of a request.
server_name The name of a matched server. If no server name is matched, default is displayed.
status The HTTP status code.
time The time when a request is sent.
cc_action The action performed to protect against HTTP flood attacks. The action can be captcha, challenge, close, login, none, pass, or wait.
cc_blocks Indicates whether a request is blocked by an HTTP flood protection policy.
  • If the value is 1, the request is blocked.
  • If the value is not 1, the request is allowed.

If this field does not exist, the last_result field is displayed to indicate whether the request is blocked by an HTTP flood protection policy.

last_result Indicates whether a request is blocked by an HTTP flood protection policy. Valid values:
  • ok: The request is allowed.
  • failed: The request is blocked, or the verification fails.

If this field does not exist, the last_result field is displayed to indicate whether the request is blocked by an HTTP flood protection policy.

cc_phase The HTTP flood protection policy, for example, qps_overmax, seccookie, server_args_blacklist, server_cookie_blacklist, server_header_blacklist, server_ip_blacklist, or static_whitelist.
ua_browser The browser.

This field may not exist.

ua_browser_family The family of a browser.

This field may not exist.

ua_browser_type The type of a browser.

This field may not exist.

ua_browser_version The version of a browser.

This field may not exist.

ua_device_type The type of a client.

This field may not exist.

ua_os The operating system of a client.

This field may not exist.

ua_os_family The family of the operating system that runs on a client.

This field may not exist.

upstream_addr The list of back-to-origin IP addresses that are separated by commas (,). Each IP address is in the IP:Port format.
upstream_ip The real IP address of an origin server.
upstream_response_time The response time of a back-to-origin process. Unit: seconds.
upstream_status The HTTP status code of a back-to-origin request.
user_id The ID of an Alibaba Cloud account.
querystring The string of a request.