This topic describes the fields that are included in the full logs of Anti-DDoS Pro or Anti-DDoS Premium.

| Parameter | Description | Example |
| --- | --- | --- |
| `__topic__` | The topic of the log. The value is fixed as ddos_access_log, which indicates the logs of Anti-DDoS Pro or Anti-DDoS Premium. | `ddos_access_log` |
| `body_bytes_sent` | The size of the body in the request. Unit: bytes. | `2` |
| `content_type` | The type of the content. | `application/x-www-form-urlencoded` |
| `host` | The requested domain name. | `api.aliyundoc.com` |
| `http_cookie` | The request cookie. | `k1=v1;k2=v2` |
| `http_referer` | The referer of the request. If the referer does not exist, a hyphen (-) is returned. | `http://aliyundoc.com` |
| `http_user_agent` | The user agent of the request. | `Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002)` |
| `http_x_forwarded_for` | The IP address of the upstream proxy. | `192.0.XX.XX` |
| `https` | Indicates whether the request is an HTTPS request. Valid values: true and false. | `true` |
| `matched_host` | The domain name that is matched, which can be a wildcard domain name. If no domain names are matched, a hyphen (-) is returned. | `*.aliyundoc.com` |
| `real_client_ip` | The originating IP address of the client. If no originating IP addresses are retrieved, a hyphen (-) is returned. | `192.0.XX.XX` |
| `isp_line` | The information about the Internet service provider (ISP) line, such as Border Gateway Protocol (BGP), China Telecom, or China Unicom. | `China Telecom` |
| `remote_addr` | The IP address from which the request is initiated. | `192.0.XX.XX` |
| `remote_port` | The ID of the port from which the request is initiated. | `23713` |
| `request_length` | The size of the request. Unit: bytes. | `123` |
| `request_method` | The HTTP method of the request. | `GET` |
| `request_time_msec` | The processing time of the request. Unit: milliseconds. | `44` |
| `request_uri` | The URI of the request. | `/answers/377971214/banner` |
| `server_name` | The name of the origin server that is matched. If no origin servers are matched, default is returned. | `api.aliyundoc.com` |
| `status` | The HTTP status code. | `200` |
| `time` | The time of the request. | `2018-05-02T16:03:59+08:00` |
| `cc_action` | The action that is triggered in an HTTP flood mitigation policy. Valid values include none, challenge, pass, close, captcha, wait, and login. | `close` |
| `cc_blocks` | Indicates whether the request is blocked by an HTTP flood mitigation policy. Valid values: 1 (indicates that the request is blocked); other values (indicate that the request is allowed). Note: In some cases, a log does not contain this field. If a log does not contain the cc_blocks field, the last_result field is used to record whether the request is blocked by an HTTP flood mitigation policy. | `1` |
| `last_result` | The final action on the request. Valid values: ok (the request is allowed); failed (the request is not allowed. For example, the request is blocked, or the verification fails). Note: In some cases, a log does not contain this field. If a log does not contain the last_result field, the cc_blocks field is used to record whether the request is blocked by an HTTP flood mitigation policy. | `failed` |
| `cc_phase` | The HTTP flood mitigation policy. Valid values: seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, and qps_overmax. | `server_ip_blacklist` |
| `ua_browser` | The identifier of the browser. Note: In some cases, a log does not contain this field. | `ie9` |
| `ua_browser_family` | The series of the browser. Note: In some cases, a log does not contain this field. | `internet explorer` |
| `ua_browser_type` | The type of the browser. Note: In some cases, a log does not contain this field. | `web_browser` |
| `ua_browser_version` | The version of the browser. Note: In some cases, a log does not contain this field. | `9.0` |
| `ua_device_type` | The type of the client. Note: In some cases, a log does not contain this field. | `computer` |
| `ua_os` | The identifier of the operating system that runs on the client. Note: In some cases, a log does not contain this field. | `windows_7` |
| `ua_os_family` | The series of the operating system that runs on the client. Note: In some cases, a log does not contain this field. | `windows` |
| `upstream_addr` | The list of origin addresses that are separated by commas (,). Each address is in the IP:Port format. | `192.0.XX.XX:443` |
| `upstream_ip` | The origin IP address. | `192.0.XX.XX` |
| `upstream_response_time` | The response time of the back-to-origin request. Unit: seconds. Note: If the famax engine of the previous version is used, the unit of this field is milliseconds. | `0.044` |
| `upstream_status` | The HTTP status code of the back-to-origin request. | `200` |
| `user_id` | The ID of the Alibaba Cloud account. | `166688437215****` |
| `querystring` | The query string in the request. | `token=bbcd&abc=123` |
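
The following is an added example, not code from the Anti-DDoS documentation: it shows how a log consumer can apply the cc_blocks / last_result fallback described above and count blocked requests per client and cc_phase. It assumes each log entry has already been parsed into a Python dict keyed by the field names in this topic; the function names, the fallback from real_client_ip to remote_addr, and the sample records are constructed for illustration.

```python
from collections import Counter

def cc_blocked(rec):
    """True/False for blocked/allowed, None if the log carries neither field."""
    if "cc_blocks" in rec:
        # 1 means blocked; any other value means allowed.
        return str(rec["cc_blocks"]).strip() == "1"
    if "last_result" in rec:
        # ok = allowed; failed = not allowed (blocked or verification failed).
        return rec["last_result"] == "failed"
    return None

def client_ip(rec):
    """real_client_ip is a hyphen when no originating IP was retrieved.
    Falling back to remote_addr is an assumption of this example."""
    ip = rec.get("real_client_ip", "-")
    return ip if ip != "-" else rec.get("remote_addr", "-")

def summarize(records):
    """Count blocked requests per (client IP, cc_phase); also count
    records whose verdict cannot be determined from either field."""
    blocked, undetermined = Counter(), 0
    for rec in records:
        verdict = cc_blocked(rec)
        if verdict is None:
            undetermined += 1
        elif verdict:
            blocked[(client_ip(rec), rec.get("cc_phase", "-"))] += 1
    return blocked, undetermined

# Constructed sample records (documentation-range IP addresses).
SAMPLE = [
    {"real_client_ip": "198.51.100.7", "remote_addr": "192.0.2.10",
     "cc_blocks": "1", "cc_action": "close", "cc_phase": "server_ip_blacklist"},
    {"real_client_ip": "198.51.100.7", "remote_addr": "192.0.2.10",
     "last_result": "failed", "cc_phase": "qps_overmax"},   # no cc_blocks
    {"real_client_ip": "-", "remote_addr": "192.0.2.44",
     "cc_blocks": 1, "cc_phase": "qps_overmax"},            # no real client IP
    {"real_client_ip": "203.0.113.5", "remote_addr": "192.0.2.10",
     "cc_blocks": "0", "last_result": "failed"},            # cc_blocks is read first
    {"real_client_ip": "203.0.113.5", "remote_addr": "192.0.2.10",
     "last_result": "ok"},
    {"real_client_ip": "203.0.113.9", "remote_addr": "192.0.2.10"},  # neither field
]

if __name__ == "__main__":
    counts, unknown = summarize(SAMPLE)
    for (ip, phase), n in counts.most_common():
        print(ip, phase, n)
    print("undetermined:", unknown)
```
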