Log fields - Data Collection| Alibaba Cloud Documentation Center

This topic describes the fields of Anti-DDoS Pro log entries.


Log field	Description
__topic__	The topic of a log entry. Valid value: ddos_access_log.
body_bytes_sent	The size of a request body. Unit: bytes.
content_type	The content type of a request.
host	The origin server.
http_cookie	The cookie of a request.
http_referer	The referer of a request. If an HTTP header does not contain a referer, a hyphen (-) is displayed.
http_user_agent	The user agent of a request.
http_x_forwarded_for	The IP address of an upstream user. The IP address is forwarded by a proxy server.
https	Indicates whether a request is an HTTPS request. Valid values: true: The request is an HTTPS request. false: The request is an HTTP request.
matched_host	The matched origin server, which can be a wildcard domain name. If no origin server is matched, a hyphen (-) is displayed.
real_client_ip	The real IP address of a client. If no real IP address can be obtained, a hyphen (-) is displayed.
isp_line	The information of an Internet service provider (ISP) line, for example, BGP, China Telecom, or China Unicom.
remote_addr	The IP address of a client that sends an access request.
remote_port	The port number of a client that sends an access request.
request_length	The size of a request. Unit: bytes.
request_method	The HTTP method of a request.
request_time_msec	The duration in which a request is processed. Unit: milliseconds.
request_uri	The uniform resource identifier (URI) of a request.
server_name	The name of a matched server. If no server name is matched, default is displayed.
status	The HTTP status code.
time	The time when a request is sent.
cc_action	The action performed to protect against HTTP flood attacks. The action can be captcha, challenge, close, login, none, pass, or wait.
cc_blocks	Indicates whether a request is blocked by an HTTP flood protection policy. If the value is 1, the request is blocked. If the value is not 1, the request is allowed. If this field does not exist, the last_result field is displayed to indicate whether the request is blocked by an HTTP flood protection policy.
last_result	Indicates whether a request is blocked by an HTTP flood protection policy. Valid values: ok: The request is allowed. failed: The request is blocked, or the verification fails. If this field does not exist, the last_result field is displayed to indicate whether the request is blocked by an HTTP flood protection policy.
cc_phase	The HTTP flood protection policy, for example, qps_overmax, seccookie, server_args_blacklist, server_cookie_blacklist, server_header_blacklist, server_ip_blacklist, or static_whitelist.
ua_browser	The browser. This field may not exist.
ua_browser_family	The family of a browser. This field may not exist.
ua_browser_type	The type of a browser. This field may not exist.
ua_browser_version	The version of a browser. This field may not exist.
ua_device_type	The type of a client. This field may not exist.
ua_os	The operating system of a client. This field may not exist.
ua_os_family	The family of the operating system that runs on a client. This field may not exist.
upstream_addr	The list of back-to-origin IP addresses that are separated by commas (,). Each IP address is in the IP:Port format.
upstream_ip	The real IP address of an origin server.
upstream_response_time	The response time of a back-to-origin process. Unit: seconds.
upstream_status	The HTTP status code of a back-to-origin request.
user_id	The ID of an Alibaba Cloud account.
querystring	The string of a request.