Anti-DDoS: Fields included in full logs

Last Updated: Apr 23, 2024

This topic describes the fields that are included in the full logs of Anti-DDoS Pro or Anti-DDoS Premium.

Each entry below lists the field name, followed by its description and an example value.

__topic__

The topic of the log. The value is fixed as ddos_access_log, which indicates the logs of Anti-DDoS Pro or Anti-DDoS Premium.

ddos_access_log

body_bytes_sent

The size of the body in the request. Unit: bytes.

2

content_type

The content type of the response body.

application/x-www-form-urlencoded

host

The requested domain name.

api.aliyundoc.com

http_cookie

The request cookie.

k1=v1;k2=v2

http_referer

The referer of the request. If the referer does not exist, a hyphen (-) is returned.

http://aliyundoc.com

http_user_agent

The user agent of the request.

Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002)

http_x_forwarded_for

The IP address of the upstream proxy.

192.0.XX.XX

https

Indicates whether the request is an HTTPS request. Valid values: true and false.

true

matched_host

The domain name that is matched, which can be a wildcard domain name. If no domain names are matched, a hyphen (-) is returned.

*.aliyundoc.com

real_client_ip

The originating IP address of the client. If no originating IP addresses are retrieved, a hyphen (-) is returned.

192.0.XX.XX

isp_line

The information about the Internet service provider (ISP) line, such as Border Gateway Protocol (BGP), China Telecom, or China Unicom.

China Telecom

remote_addr

The IP address from which the request is initiated.

192.0.XX.XX

remote_port

The port number from which the request is initiated.

23713

request_length

The size of the request. Unit: bytes.

123

request_method

The HTTP method of the request.

GET

request_time_msec

The processing time of the request. Unit: milliseconds.

44

request_uri

The URI of the request.

/answers/377971214/banner

server_name

The name of the origin server that is matched. If no origin servers are matched, default is returned.

api.aliyundoc.com

status

The HTTP status code.

200

time

The time of the request.

2018-05-02T16:03:59+08:00

cc_action

The action that is triggered in an HTTP flood mitigation policy. Valid values:

  • accept: The request is allowed.

  • block: The request is blocked.

  • challenge: CAPTCHA verification is used to verify the source IP address of the request.

accept

cc_blocks

Indicates whether the request is blocked by an HTTP flood mitigation policy. Valid values:

  • 1: The request is blocked.

  • Other values: The request is allowed.

Note

In some cases, a log does not contain this field. If a log does not contain the cc_blocks field, the last_result field is used to record whether the request is blocked by an HTTP flood mitigation policy.

1

last_result

The final action on the request. Valid values:

  • ok: The request is allowed.

  • failed: The request is not allowed. For example, the request is blocked, or the verification fails.

Note

In some cases, a log does not contain this field. If a log does not contain the last_result field, the cc_blocks field is used to record whether the request is blocked by an HTTP flood mitigation policy.

failed

cc_phase

The type of the mitigation policy. Valid values:

  • Valid values for the Tengine engine:

    • gfbwip: the blacklist and whitelist mitigation policy

    • gfcc: the HTTP flood mitigation policy

    • gfacl: the custom mitigation policy

    • gfglobal: the global mitigation policy

    • gfareaban: the location blacklist mitigation policy

  • Valid values for the famax engine:

    • ipFilter: the blacklist and whitelist mitigation policy

    • statProtect: the HTTP flood mitigation policy

    • preciseProtect: the custom mitigation policy

    • regionBLock: the location blacklist mitigation policy

gfbwip

ua_browser

The identifier of the browser.

Note

In some cases, a log does not contain this field.

ie9

ua_browser_family

The series of the browser.

Note

In some cases, a log does not contain this field.

internet explorer

ua_browser_type

The type of the browser.

Note

In some cases, a log does not contain this field.

web_browser

ua_browser_version

The version of the browser.

Note

In some cases, a log does not contain this field.

9.0

ua_device_type

The type of the client.

Note

In some cases, a log does not contain this field.

computer

ua_os

The identifier of the operating system that runs on the client.

Note

In some cases, a log does not contain this field.

windows_7

ua_os_family

The series of the operating system that runs on the client.

Note

In some cases, a log does not contain this field.

windows

upstream_addr

The list of origin addresses that are separated by commas (,). Each address is in the IP:Port format.

192.0.XX.XX:443

upstream_ip

The origin IP address.

192.0.XX.XX

upstream_response_time

The response time of the back-to-origin request. Unit: seconds.

Note

If the famax engine of the previous version is used, the unit of this field is milliseconds.

0.044

upstream_status

The HTTP status code of the back-to-origin request.

200

user_id

The ID of the Alibaba Cloud account.

166688437215****

querystring

The query string in the request.

token=bbcd&abc=123

last_module

The type of mitigation policy for websites. Valid values:

  • gfareaban: the location blacklist mitigation policy

  • gfbwip: the blacklist and whitelist mitigation policy

  • gfacl: the accurate access control mitigation policy

  • gfcc: the HTTP flood mitigation policy

  • gfglobal: the global mitigation policy

gfareaban

server_protocol

The protocol and version number that the origin server returns in its response to back-to-origin requests from Anti-DDoS Pro or Anti-DDoS Premium.

HTTP/1.1

ssl_protocol

The SSL or TLS protocol and version that are used in the request.

TLSv1.2

ssl_cipher

The cipher suite that is used in the request.

ECDHE-RSA-AES128-GCM-SHA256

ssl_handshake_time

The duration of the TLS handshake that the client initiates. Unit: milliseconds.

99

ssl_client_tls_fingerprinting_md5

The client fingerprint, calculated by algorithms developed by Alibaba Cloud. The fingerprint is not the traditional JA3 fingerprint.

29e249d2fc3dc9b240c655918f83b886
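
The notes on cc_blocks and last_result say that either field can be missing from a log, and cc_phase uses different values for the Tengine and famax engines. The following added example (not part of the original documentation) shows one way to normalise both when counting blocked requests per client. The function names, the rule that a record counts as blocked when either field that is present says so, the fallback from cc_phase to last_module, and the sample records are assumptions.

```python
from collections import Counter

# cc_phase / last_module values from the field list, both engines, mapped to one label.
POLICY = {
    "gfbwip": "blacklist_whitelist", "ipFilter": "blacklist_whitelist",
    "gfcc": "http_flood", "statProtect": "http_flood",
    "gfacl": "custom", "preciseProtect": "custom",
    "gfareaban": "location_blacklist", "regionBLock": "location_blacklist",
    "gfglobal": "global",
}

def is_blocked(rec):
    """True/False from whichever verdict fields exist; None if both are absent."""
    signals = []
    if "cc_blocks" in rec:  # 1 = blocked, any other value = allowed
        signals.append(str(rec["cc_blocks"]).strip() == "1")
    if "last_result" in rec:  # ok = allowed, failed = not allowed
        signals.append(rec["last_result"] == "failed")
    return any(signals) if signals else None

def client_ip(rec):
    """real_client_ip is '-' when no originating IP was retrieved; use remote_addr then."""
    ip = rec.get("real_client_ip", "-")
    return ip if ip != "-" else rec.get("remote_addr", "-")

def policy(rec):
    """Normalised policy label from cc_phase, else last_module (assumed fallback)."""
    raw = rec.get("cc_phase") or rec.get("last_module") or "-"
    return POLICY.get(raw, "unknown:" + raw)

def blocked_by_client(records):
    """Count blocked requests per (client IP, policy label)."""
    return Counter((client_ip(r), policy(r)) for r in records if is_blocked(r))

# Constructed sample records with documentation-range IPs, not real log data.
SAMPLE = [
    {"real_client_ip": "192.0.2.10", "remote_addr": "198.51.100.7", "cc_blocks": "1", "cc_phase": "gfcc"},
    {"real_client_ip": "192.0.2.10", "remote_addr": "198.51.100.7", "last_result": "failed", "cc_phase": "statProtect"},
    {"real_client_ip": "-", "remote_addr": "198.51.100.7", "cc_blocks": "0", "last_result": "failed", "last_module": "gfareaban"},
    {"real_client_ip": "203.0.113.5", "remote_addr": "198.51.100.7", "cc_blocks": "0", "last_result": "ok"},
    {"real_client_ip": "203.0.113.5", "remote_addr": "198.51.100.7"},
]

if __name__ == "__main__":
    for key, count in blocked_by_client(SAMPLE).most_common():
        print(key, count)
```

Records that carry neither cc_blocks nor last_result return None from is_blocked, so they can be reported separately instead of being counted as allowed.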