This topic describes the supported fields of Anti-DDoS Pro log entries.
You can go to the Log Service page to query and analyze collected logs in real time. For more information about
log fields, see the following figure.
| Field | Description | Example |
|---|---|---|
| __topic__ | The topic of the log entry. The value of this field is fixed to ddos_access_log. | N/A |
| body_bytes_sent | The size of the body in the access request, in bytes. | 2 |
| content_type | The content type. | application/x-www-form-urlencoded |
| host | The source website. | api.zhihu.com |
| http_cookie | The request cookie. | k1=v1;k2=v2 |
| http_referer | The request referer. If no referer exists, a hyphen (-) is displayed.
|
http://xyz.com |
| http_user_agent | The User-Agent of the request. | Dalvik/2.1.0 (Linux; U; Android 7.0; EDI-AL10 Build/HUAWEIEDISON-AL10) |
| http_x_forwarded_for | The IP address of the upstream user redirected by proxy. | N/A |
| https | Indicates whether the request is an HTTPS request.
|
true |
| matched_host | The matching source site, which may be a wildcard domain name. If no match is found,
a hyphen (-) is displayed.
|
*.zhihu.com |
| real_client_ip | The real IP of the visitor. If no real IP is returned, a hyphen (-) is returned.
|
1.2.3.4 |
| isp_line | Line information, such as BGP, China Telecom, and China Unicom. | China Telecom |
| remote_addr | The IP address of the client that initiates the connection request. | 1.2.3.4 |
| remote_port | The port number of the client that initiates the connection request. | 23713 |
| request_length | The size of the request in bytes. | 123 |
| request_method | The HTTP method of the request. | GET |
| request_time_msec | The request time in ms. | 44 |
| request_uri | The request URI. | /answers/377971214/banner |
| server_name | The name of the matching host. If no match is found, the value is default.
|
api.abc.com |
| status | The HTTP status code. | 200 |
| time | The time when the log entry was generated. | 2018-05-02T16:03:59+08:00 |
| cc_action | The HTTP flood protection action. Valid values include none, challenge, pass, close, captcha, wait, and login. | close |
| cc_blocks | Indicates whether HTTP flood attacks are blocked. Valid values:
|
1 |
| cc_phase | The HTTP flood protection policy. Valid values include seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, and qps_overmax. | server_ip_blacklist |
| ua_browser | The browser. | ie9 |
| ua_browser_family | The browser series. | internet explorer |
| ua_browser_type | The browser type. | web_browser |
| ua_browser_version | The browser version. | 9.0 |
| ua_device_type | The type of the client device. | computer |
| ua_os | The operating system of the client. | windows_7 |
| ua_os_family | The operating system series of the client. | windows |
| upstream_addr | The list of origin addresses that are separated with commas (,). Each address is in
the format of IP:Port.
|
1.2.3.4:443 |
| upstream_ip | The real origin IP address. | 1.2.3.4 |
| upstream_response_time | The response time in seconds for the back-to-origin process. | 0.044 |
| upstream_status | The HTTP status of the back-to-origin request. | 200 |
| user_id | The user ID of the Alibaba Cloud account. | 12345678 |
| querystring | The request string. | token=bbcd&abc=123 |