All Products
Search
Document Center

Anti-DDoS:Fields included in full logs

Last Updated:Feb 22, 2024

This topic describes the fields that are included in the full logs of Anti-DDoS Pro or Anti-DDoS Premium.

Parameter

Description

Example

__topic__

The topic of the log. The value is fixed as ddos_access_log, which indicates the logs of Anti-DDoS Pro or Anti-DDoS Premium.

ddos_access_log

body_bytes_sent

The size of the body in the request. Unit: bytes.

2

content_type

The content type of the response body.

application/x-www-form-urlencoded

host

The requested domain name.

api.aliyundoc.com

http_cookie

The request cookie.

k1=v1;k2=v2

http_referer

The referer of the request. If the referer does not exist, a hyphen (-) is returned.

http://aliyundoc.com

http_user_agent

The user agent of the request.

Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002)

http_x_forwarded_for

The IP address of the upstream proxy.

192.0.XX.XX

https

Indicates whether the request is an HTTPS request. Valid values: true and false.

true

matched_host

The domain name that is matched, which can be a wildcard domain name. If no domain names are matched, a hyphen (-) is returned.

*.aliyundoc.com

real_client_ip

The originating IP address of the client. If no originating IP addresses are retrieved, a hyphen (-) is returned.

192.0.XX.XX

isp_line

The information about the Internet service provider (ISP) line, such as Border Gateway Protocol (BGP), China Telecom, or China Unicom.

China Telecom

remote_addr

The IP address from which the request is initiated.

192.0.XX.XX

remote_port

The ID of the port from which the request is initiated.

23713

request_length

The size of the request. Unit: bytes.

123

request_method

The HTTP method of the request.

GET

request_time_msec

The processing time of the request. Unit: milliseconds.

44

request_uri

The URI of the request.

/answers/377971214/banner

server_name

The name of the origin server that is matched. If no origin servers are matched, default is returned.

api.aliyundoc.com

status

The HTTP status code.

200

time

The time of the request.

2018-05-02T16:03:59+08:00

cc_action

The action that is triggered in an HTTP flood mitigation policy. Valid values include none, challenge, pass, close, captcha, wait, and login.

close

cc_blocks

Indicates whether the request is blocked by an HTTP flood mitigation policy. Valid values:

  • 1: indicates that the request is blocked.

  • Other values: indicate that the request is allowed.

Note

In some cases, a log does not contain this field. If a log does not contain the cc_blocks field, the last_result field is used to record whether the request is blocked by an HTTP flood mitigation policy.

1

last_result

The final action on the request. Valid values:

  • ok: The request is allowed.

  • failed: The request is not allowed. For example, the request is blocked, or the verification fails.

Note

In some cases, a log does not contain this field. If a log does not contain the last_result field, the cc_blocks field is used to record whether the request is blocked by an HTTP flood mitigation policy.

failed

cc_phase

The type of the mitigation policy. Valid values:

  • Valid values for the Tengine engine:

    • gfbwip: the blacklist and whitelist mitigation policy

    • gfcc: the HTTP flood mitigation policy

    • gfacl: the custom mitigation policy

    • gfglobal: the global mitigation policy

    • gfareaban: the location blacklist mitigation policy

  • Valid values for the famax engine:

    • ipFilter: the blacklist and whitelist mitigation policy

    • statProtect: the HTTP flood mitigation policy

    • preciseProtect: the custom mitigation policy

    • regionBLock: the location blacklist mitigation policy

gfbwip

ua_browser

The identifier of the browser.

Note

In some cases, a log does not contain this field.

ie9

ua_browser_family

The series of the browser.

Note

In some cases, a log does not contain this field.

internet explorer

ua_browser_type

The type of the browser.

Note

In some cases, a log does not contain this field.

web_browser

ua_browser_version

The version of the browser.

Note

In some cases, a log does not contain this field.

9.0

ua_device_type

The type of the client.

Note

In some cases, a log does not contain this field.

computer

ua_os

The identifier of the operating system that runs on the client.

Note

In some cases, a log does not contain this field.

windows_7

ua_os_family

The series of the operating system that runs on the client.

Note

In some cases, a log does not contain this field.

windows

upstream_addr

The list of origin addresses that are separated by commas (,). Each address is in the IP:Port format.

192.0.XX.XX:443

upstream_ip

The origin IP address.

192.0.XX.XX

upstream_response_time

The response time of the back-to-origin request. Unit: seconds.

Note

If the famax engine of the previous version is used, the unit of this field is milliseconds.

0.044

upstream_status

The HTTP status code of the back-to-origin request.

200

user_id

The ID of the Alibaba Cloud account that created the namespace.

166688437215****

querystring

The query string in the request.

token=bbcd&abc=123

last_module

The type of mitigation policy for websites. Valid values:

  • gfareaban: the location blacklist mitigation policy

  • gfbwip: the blacklist and whitelist mitigation policy

  • gfacl: the accurate access control mitigation policy

  • gfcc: the HTTP flood mitigation policy

  • gfglobal: the global mitigation policy

gfareaban