Anti-DDoS Proxy records each HTTP request as a structured log entry. This page describes every field in the full log, including its description and an example value.
Basic information
| Field | Description | Example |
|---|---|---|
| __topic__ | Log category. Always ddos_access_log. | ddos_access_log |
| user_id | Alibaba Cloud account ID. | 166688437215**** |
HTTP requests
| Field | Description | Example |
|---|---|---|
| body_bytes_sent | Size of the response body, in bytes. | 2 |
| content_type | Content type of the response body. | application/x-www-form-urlencoded |
| host | Requested domain name. | api.aliyundoc.com |
| http_cookie | Cookie sent with the request. | k1=v1;k2=v2 |
| http_referer | Referer header of the request. Returns - if the header is absent. | http://aliyundoc.com |
| http_user_agent | User agent string of the request. | Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002) |
| http_x_forwarded_for | IP address of the upstream proxy. | 192.0.XX.XX |
| https | Whether the request uses HTTPS. Valid values: true, false. | true |
| matched_host | Domain name matched by Anti-DDoS Proxy, which can be a wildcard domain. Returns - if no domain is matched. | *.aliyundoc.com |
| real_client_ip | Originating IP address of the client. Returns - if the address cannot be retrieved. | 192.0.XX.XX |
| isp_line | Internet service provider (ISP) line, such as Border Gateway Protocol (BGP), China Telecom, or China Unicom. | China Telecom |
| remote_addr | IP address from which the request is initiated. | 192.0.XX.XX |
| remote_port | Port of the immediate request sender. | 23713 |
| src_ip | IP address from which the request is initiated. | 192.0.XX.XX |
| src_port | Port from which the request is initiated. | 23713 |
| request_length | Size of the request, in bytes. | 123 |
| request_method | HTTP method of the request. | GET |
| start_time | Time when Anti-DDoS Proxy returns the response to the client, as a Unix timestamp. | 1735553169000 |
| request_time_msec | Total time for Anti-DDoS Proxy to receive the request, process it, and return the response, in milliseconds. | 44 |
| request_uri | URI of the request. | /answers/377971214/banner |
| server_name | Name of the matched origin server. Returns default if no origin server is matched. | api.aliyundoc.com |
| status | HTTP status code of the response. | 200 |
| time | Time when the request is initiated, in ISO 8601 format. | 2024-12-30T18:06:09+08:00 |
| querystring | Query string of the request. | token=bbcd&abc=123 |
| upstream_addr | Comma-separated list of origin server addresses, each in IP:Port format. | 192.0.XX.XX:443 |
| upstream_ip | IP address of the origin server. | 192.0.XX.XX |
| upstream_response_time | Response time of the back-to-origin request, in seconds. Note: If the Famax engine (previous version) is used, the unit is milliseconds. | 0.044 |
| upstream_status | HTTP status code of the back-to-origin request. | 200 |
| vip_addr | IP address of the Anti-DDoS Proxy instance. | 203.107.XX.XX |
| http2_client_fingerprint | Raw HTTP/2 client fingerprint. | 2:0;4:2097152;3:100\|10485760\|0\|m,s,p,a |
| http2_client_fingerprint_md5 | MD5 hash (128-bit, 32 characters) derived from the raw HTTP/2 fingerprint. Used to identify and distinguish clients for analysis. | ad8424af1cc590e09f7b0c499bf7fcdb |
| ssl_client_ja3_fingerprinting | Raw JA3 fingerprint of the TLS client, derived from TLS handshake parameters including TLS version, cipher suites, compression algorithms, and TLS extensions. | 771,4865-49195-49196-49197,29,0 |
| ssl_client_ja3_fingerprinting_md5 | MD5 hash derived from the raw JA3 fingerprint. | c1bd7c674bbec9f0f2474e3eee3564f4 |
| ssl_client_ja4_fingerprinting | Raw JA4 fingerprint of the TLS client, derived from TLS handshake parameters including TLS version, cipher suites, compression algorithms, TLS extensions, browser version, and operating system. | t13d1516h2_acb858a92679_e5627efa2ab1 |
| ssl_client_ja4_fingerprinting_md5 | MD5 hash derived from the raw JA4 fingerprint. | 8c3d99fb6ed08a39c799aad27b4854f4 |
| ssl_client_tls_fingerprinting_md5 | MD5 hash derived from the client TLS fingerprint. | 21d696a76962c9912d765a9372d8c773 |
| cache_status | Whether the request hits the Anti-DDoS Proxy cache. Valid values: hit (found in cache), miss (not found in cache). | hit |
| traceid | Globally unique identifier (GUID) assigned to each request in a distributed system. Persists through the entire request lifecycle and links log entries across services, enabling traceability and performance analysis. | ac11000117388144519311412e387f |
Client information
| Field | Description | Example |
|---|---|---|
| ua_browser | Browser identifier. Note: In some cases, a log does not contain this field. | ie9 |
| ua_browser_family | Browser series. Note: In some cases, a log does not contain this field. | internet explorer |
| ua_browser_type | Browser type. Note: In some cases, a log does not contain this field. | web_browser |
| ua_browser_version | Browser version. Note: In some cases, a log does not contain this field. | 9.0 |
| ua_device_type | Client device type. Note: In some cases, a log does not contain this field. | computer |
| ua_os | Operating system identifier. Note: In some cases, a log does not contain this field. | windows_7 |
| ua_os_family | Operating system series. Note: In some cases, a log does not contain this field. | windows |
| server_protocol | Protocol and version returned by the origin server in response to back-to-origin requests. | HTTP/1.1 |
| ssl_protocol | SSL or TLS protocol version used in the request. | TLSv1.2 |
| ssl_cipher | Cipher suite used in the request. | ECDHE-RSA-AES128-GCM-SHA256 |
| ssl_handshake_time | Duration of the TLS handshake initiated by the client, in milliseconds. | 99 |
Mitigation settings
| Field | Description | Example |
|---|---|---|
| cc_action | Action taken by an HTTP flood mitigation rule. See cc_action values. | accept |
| cc_blocks | Whether the request is blocked by an HTTP flood mitigation rule. 1 means blocked; any other value means allowed. If this field is absent, last_result records the outcome instead. | 1 |
| cc_phase | Mitigation feature that processed the request. Values differ by engine version. See cc_phase values. | gfbwip |
| last_module | Mitigation feature that made the final decision for the request. See last_module values. | gfareaban |
| last_owner | Name of the rule that made the final decision. Anti-DDoS Proxy rule naming conventions: names starting with smartcc_ belong to intelligent protection rules, names starting with global belong to DDoS mitigation policy rules, and names starting with gf_internal belong to HTTP flood mitigation rules. | global_th_4_C_**** |
| last_result | Final action taken on the request. ok means allowed; failed means not allowed (blocked or CAPTCHA verification failed). If this field is absent, cc_blocks records the outcome instead. | failed |
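
The cc_blocks / last_result fallback and the last_owner naming conventions above, applied to exported log entries to count denied requests per rule family and per client. This is an added example, not Alibaba Cloud code; it assumes entries are exported as one JSON object per line keyed by the field names on this page, and that cc_blocks takes precedence when both outcome fields are present. The sample entries and rule names are constructed.

```python
import json
from collections import Counter

# Prefix -> rule family, from the last_owner naming conventions in the table above.
OWNER_FAMILIES = (
    ("smartcc_", "intelligent protection"),
    ("gf_internal", "HTTP flood mitigation"),
    ("global", "DDoS mitigation policy"),
)

def outcome(entry):
    """Final disposition: cc_blocks when present (assumed precedence), else last_result."""
    if "cc_blocks" in entry:
        return "denied" if str(entry["cc_blocks"]) == "1" else "allowed"
    result = entry.get("last_result")
    if result == "ok":
        return "allowed"
    if result == "failed":  # blocked, or CAPTCHA verification failed
        return "denied"
    return "unknown"  # neither field carries a documented value

def rule_family(last_owner):
    for prefix, family in OWNER_FAMILIES:
        if last_owner.startswith(prefix):
            return family
    return "other"

def summarize(lines):
    """Count denied requests per (last_module, rule family) and per client IP."""
    by_rule, by_client = Counter(), Counter()
    for line in lines:
        entry = json.loads(line)
        if outcome(entry) != "denied":
            continue
        family = rule_family(entry.get("last_owner", ""))
        by_rule[(entry.get("last_module", "-"), family)] += 1
        by_client[entry.get("real_client_ip", "-")] += 1
    return by_rule, by_client

# Constructed sample entries (not real traffic); only the fields used here are present.
SAMPLE = [
    '{"real_client_ip": "192.0.2.10", "cc_blocks": "1", "last_module": "gfcc", "last_owner": "gf_internal_demo"}',
    '{"real_client_ip": "192.0.2.10", "last_result": "failed", "last_module": "gfglobal", "last_owner": "global_demo"}',
    '{"real_client_ip": "198.51.100.7", "cc_blocks": "0", "last_result": "ok"}',
    '{"real_client_ip": "203.0.113.9", "last_result": "failed", "last_module": "gfacl", "last_owner": "smartcc_demo"}',
]

if __name__ == "__main__":
    rules, clients = summarize(SAMPLE)
    print(rules.most_common(), clients.most_common())
```
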
cc_action values
| Value | Description |
|---|---|
| accept | The request is allowed. |
| block | The request is blocked. |
| challenge | CAPTCHA verification is triggered to verify the source IP address. |
| alarm | The request is recorded in logs and allowed. |
cc_phase values
The value depends on which engine version your Anti-DDoS Proxy instance uses.
Tengine engine
| Value | Feature |
|---|---|
| gfbwip | Blacklist and whitelist |
| gfcc | HTTP flood mitigation |
| gfacl | Custom mitigation policy |
| gfglobal | DDoS mitigation policy |
| gfareaban | Location blacklist |
Famax engine
| Value | Feature |
|---|---|
| ipFilter | Blacklist and whitelist |
| statProtect | HTTP flood mitigation |
| preciseProtect | Custom mitigation policy |
| regionBLock | Location blacklist |
last_module values
| Value | Feature |
|---|---|
| gfareaban | Location blacklist |
| gfbwip | Blacklist and whitelist |
| gfacl | Accurate access control |
| gfcc | HTTP flood mitigation |
| gfglobal | DDoS mitigation policy |