This topic describes the supported fields of Anti-DDoS Pro log entries.

You can go to the Log Service page to query and analyze collected logs in real time. For more information about log fields, see the following figure.
Field Description Example
__topic__ The topic of the log entry. The value of this field is fixed to ddos_access_log. N/A
body_bytes_sent The size of the body in the access request, in bytes. 2
content_type The content type. application/x-www-form-urlencoded
host The source website. api.zhihu.com
http_cookie The request cookie. k1=v1;k2=v2
http_referer The request referer. If no referer exists, a hyphen (-) is displayed. http://xyz.com
http_user_agent The User-Agent of the request. Dalvik/2.1.0 (Linux; U; Android 7.0; EDI-AL10 Build/HUAWEIEDISON-AL10)
http_x_forwarded_for The IP address of the upstream user redirected by proxy. N/A
https Indicates whether the request is an HTTPS request.
  • true: The request is an HTTPS request.
  • false: The request is an HTTP request.
true
matched_host The matching source site, which may be a wildcard domain name. If no match is found, a hyphen (-) is displayed. *.zhihu.com
real_client_ip The real IP of the visitor. If no real IP is returned, a hyphen (-) is returned. 1.2.3.4
isp_line Line information, such as BGP, China Telecom, and China Unicom. China Telecom
remote_addr The IP address of the client that initiates the connection request. 1.2.3.4
remote_port The port number of the client that initiates the connection request. 23713
request_length The size of the request in bytes. 123
request_method The HTTP method of the request. GET
request_time_msec The request time in ms. 44
request_uri The request URI. /answers/377971214/banner
server_name The name of the matching host. If no match is found, the value is default. api.abc.com
status The HTTP status code. 200
time The time when the log entry was generated. 2018-05-02T16:03:59+08:00
cc_action The HTTP flood protection action. Valid values include none, challenge, pass, close, captcha, wait, and login. close
cc_blocks Indicates whether HTTP flood attacks are blocked. Valid values:
  • 1: block
  • Other values: pass
1
cc_phase The HTTP flood protection policy. Valid values include seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, and qps_overmax. server_ip_blacklist
ua_browser The browser. ie9
ua_browser_family The browser series. internet explorer
ua_browser_type The browser type. web_browser
ua_browser_version The browser version. 9.0
ua_device_type The type of the client device. computer
ua_os The operating system of the client. windows_7
ua_os_family The operating system series of the client. windows
upstream_addr The list of origin addresses that are separated with commas (,). Each address is in the format of IP:Port. 1.2.3.4:443
upstream_ip The real origin IP address. 1.2.3.4
upstream_response_time The response time in seconds for the back-to-origin process. 0.044
upstream_status The HTTP status of the back-to-origin request. 200
user_id The user ID of the Alibaba Cloud account. 12345678
querystring The request string. token=bbcd&abc=123