When an attack occurs or you need to investigate blocked requests, the Log Analysis page lets you run custom queries against Anti-DDoS Pro and Anti-DDoS Premium traffic logs — from raw traffic distribution to aggregated analytics — across any time window within the last 180 days. Unlike the attack overview dashboard, which shows prebuilt summaries, Log Analysis gives you direct access to the underlying log data so you can drill into specific incidents, diagnose false positives, or monitor protection behavior over time.
How log collection works
When your service QPS stays within the instance's specifications, the system collects logs for all traffic. A smaller volume of traffic results in a higher collection accuracy. If traffic spikes, the system automatically adjusts the collection ratio — a larger volume of traffic results in a higher collection ratio.
Prerequisites
Before you begin, make sure you have:
A website domain added to Anti-DDoS Pro or Anti-DDoS Premium. See Add one or more websites.
The log analysis feature enabled for the domain. See Overview.
Query logs
Log on to the Anti-DDoS Pro console.
In the top navigation bar, select the region that matches your instance:
Anti-DDoS Proxy (Chinese Mainland): select Chinese Mainland for Anti-DDoS Pro instances.
Anti-DDoS Proxy (Outside Chinese Mainland): select Outside Chinese Mainland for Anti-DDoS Premium instances.
In the left-side navigation pane, choose Investigation > Log Analysis.
Select the domain name whose logs you want to query.
Make sure Status is turned on for the domain name.
Specify a time range. Choose a relative time, a predefined time frame, or a custom time range.
Logs are retained for 180 days. Queries cover the previous 180 days by default. Results may include logs generated up to 1 minute outside the specified range.
Enter a query statement in the search box. A query statement has two optional parts separated by a vertical bar (|):
Search statement (optional): Filters logs by keyword, numeric value, range, or wildcard (*). A space or * returns all logs. See Search syntax and Fields included in full logs.
Analytics statement (optional): Aggregates or computes data from the search results or all logs. If left blank, raw search results are returned without analysis. The from log clause (equivalent to FROM <table> in SQL) can be omitted. By default, the first 100 logs are returned. Use the LIMIT clause to change this. See Log analysis overview and LIMIT clause.
Format: Search statement | Analytics statement
Click Search & Analyze. Results appear in a log distribution histogram on the Raw Logs tab or as visualizations on the Graph tab. From here, you can also configure alerts and save searches for later use. See View query and analysis results.
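As an added example (not from the original documentation), the statement below uses both parts to rank the client IPs with the most blocked requests for one domain, which helps when checking whether a block was a false positive. The field names matched_host, cc_blocks, real_client_ip and request_uri, the reading of cc_blocks: 1 as "blocked", and the domain www.example.com are assumptions; confirm them in Fields included in full logs. The lines starting with -- are annotations, not part of the statement.

```sql
-- Assumed field names and values; verify against "Fields included in full logs".
-- Search statement (before the bar): narrow to one domain and to blocked requests.
-- Analytics statement (after the bar): aggregate per client IP; "from log" is omitted.
-- LIMIT 200 overrides the default of 100 returned rows.
matched_host: "www.example.com" and cc_blocks: 1
| SELECT real_client_ip,
         count(*) AS blocked_requests,
         count(DISTINCT request_uri) AS distinct_uris
  GROUP BY real_client_ip
  ORDER BY blocked_requests DESC
  LIMIT 200
```

A single IP with many blocked requests across few URIs is worth comparing against known clients (monitoring probes, partner integrations) before concluding that the block was correct.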
What's next
Fields included in full logs — understand what each log field means and how to use it in queries.
Search syntax — construct precise search statements.
Log analysis overview — write analytics statements to aggregate and visualize traffic data.