This topic describes how to enable and use the Log Analysis feature provided by Anti-DDoS Pro or Anti-DDoS Premium.
Prerequisites
- An Anti-DDoS Pro or Anti-DDoS Premium instance is purchased and your website is added to Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Add a website.
Before you can use Log Analysis to collect and store the logs of your website, and then query and analyze the collected logs, you must add the website to Anti-DDoS Pro or Anti-DDoS Premium.
- Log Service is activated.
If this is the first time you log on to the Log Service console, you must activate Log Service as prompted.
Step 1: Enable Log Analysis
Perform the following steps to enable Log Analysis:
After you enable the Log Analysis feature and complete authorization, you can start to use this feature on the Log Analysis page. Before you use this feature, you must enable log collection for the domain name of your website. For more information, see Step 2: Enable the log collection feature.
Step 2: Enable the log collection feature
By default, Anti-DDoS Pro and Anti-DDoS Premium do not collect logs of the added websites. Anti-DDoS Pro and Anti-DDoS Premium collect the logs of the websites and store the collected logs to the dedicated Logstores in Log Service only after you enable log collection for the domain names of the websites. Then, you can query and analyze the logs.
Perform the following steps to enable log collection for the domain name of a website:
Step 3: Use Log Analysis

The following table describes the features that are provided on the Log Analysis page. For more information, see Common operations on logs of Alibaba Cloud services.
Tab | Feature | Description | References |
---|---|---|---|
Log Analysis | Log query and analysis | You can query and analyze the collected log data in real time. A query and analysis statement consists of a search clause and an analytics clause that are separated by a vertical bar (\|). For example, you can use the following statement to query the number of visits to a domain: For more information about query and analysis statements, see Common query statements. | Query and analyze logs |
Log Analysis | Analysis results in charts | A query and analysis statement contains the syntax for analytics. After the statement is executed, analysis results are automatically displayed in tables. The analysis results can also be displayed in a variety of charts, such as a line chart, column chart, or pie chart. You can choose a display method based on your business requirements. | Chart overview |
Log Analysis | Monitoring and alerting | You can configure alert rules based on the charts in a dashboard to monitor service status in real time. | Alerting overview |
Log Reports | Dashboard | Log Service provides dashboards for you to analyze data in real time. After you query and analyze logs by using query and analysis statements, you can save the charts of analysis results to a dashboard. Log Analysis provides two preset dashboards: DDoS Access Center and DDoS Operation Center. You can also subscribe to dashboards and send dashboard data to specific recipients by using emails or DingTalk messages. | |
Step 4: Manage the configurations

- Query the validity period of the Log Analysis feature. If Log Analysis is about to expire, you can click Renew to extend the validity period of the feature.
Warning: If Log Analysis expires, new logs cannot be stored. Seven days after Log Analysis expires, all existing logs are cleared.
- Query the usage of log storage. If log storage is about to be exhausted, you can click Upgrade to expand log storage. Alternatively, you can click Clear to delete the logs that are no longer required.
The usage of log storage displayed in the Anti-DDoS Pro console is not updated in real time. The displayed usage does not include the usage from the last two hours.
Note: We recommend that you check the usage of log storage at regular intervals when you use Log Analysis. When the usage of log storage exceeds 70%, expand the log storage to make sure that new logs can be stored. If a specific amount of log storage remains idle for a long period of time, you can reduce the log storage.
- Change the duration to store logs. Logs are stored for 180 days by default. You can click Details and set Storage Period to a value that ranges from 30 to 180 in the Details dialog box. Unit: days.
Common query statements
- Queries the type of attacks that are blocked.
* | select cc_action,cc_phase,count(*) as t group by cc_action,cc_phase order by t desc limit 10
- Queries the QPS.
* | select time_series(__time__,'15m','%H:%i','0') as time,count(*)/900 as QPS group by time order by time
- Queries the domain names that are attacked.
* and cc_blocks:1 | select host,count(*) as t group by host order by t desc limit 10
- Queries the URLs that are attacked.
* and cc_blocks:1 | select count(*) as times,host,request_path group by host,request_path order by times
- Queries the details about a request.
* | select date_format(date_trunc('second',__time__),'%H:%i:%s') as time,host,request_uri,request_method,status,upstream_status,querystring limit 10
- Queries the details about the 5XX status codes.
* and status>499 | select host,status,upstream_status,count(*) as t group by host,status,upstream_status order by t desc
- Queries the distribution of request latencies.
* | SELECT count_if(upstream_response_time<20) as "<20", count_if(upstream_response_time>=20 and upstream_response_time<50) as "<50", count_if(upstream_response_time>=50 and upstream_response_time<100) as "<100", count_if(upstream_response_time>=100 and upstream_response_time<500) as "<500", count_if(upstream_response_time>=500 and upstream_response_time<1000) as "<1000", count_if(upstream_response_time>=1000) as ">=1000"
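The statements above answer one question at a time. The following added example (not part of the original documentation) combines the 15-minute window of the QPS statement with the `cc_blocks:1` filter to flag host and window pairs worth an alert, then lists the blocked paths for a flagged pair. It assumes logs exported as dictionaries with the field names used above; the sample records and both thresholds are constructed for illustration.

```python
from collections import Counter

WINDOW = 900  # seconds: the same 15-minute bucket as time_series(__time__,'15m',...)

# Constructed sample records (not real traffic). Field names follow the
# statements above; cc_blocks == 1 marks a request that was blocked.
ROWS = [  # (__time__, host, request_path, cc_blocks)
    (1700000100, "www.example.com", "/login", 1),
    (1700000160, "www.example.com", "/login", 1),
    (1700000220, "www.example.com", "/login", 1),
    (1700000300, "www.example.com", "/api/search", 1),
    (1700000400, "www.example.com", "/index.html", 0),
    (1700000500, "shop.example.com", "/cart", 0),
    (1700000600, "shop.example.com", "/cart", 1),
    (1700001000, "www.example.com", "/", 0),
    (1700001100, "www.example.com", "/login", 0),
    (1700001200, "www.example.com", "/login", 1),
]
SAMPLE = [dict(zip(("__time__", "host", "request_path", "cc_blocks"), r)) for r in ROWS]


def is_blocked(record):
    # Exported values may arrive as strings, so normalise before comparing.
    return int(record.get("cc_blocks", 0)) == 1


def window_stats(records, window=WINDOW):
    """Per (window start, host): total, blocked, average QPS, blocked share."""
    total, blocked = Counter(), Counter()
    for r in records:
        key = (r["__time__"] // window * window, r["host"])
        total[key] += 1
        blocked[key] += is_blocked(r)
    return {k: {"total": n, "blocked": blocked[k], "qps": n / window,
                "block_ratio": blocked[k] / n} for k, n in total.items()}


def flag_windows(stats, min_blocked=3, min_ratio=0.5):
    """Windows that combine a high blocked count with a high blocked share.
    Both thresholds are illustrative assumptions; tune them to your baseline."""
    return sorted(k for k, s in stats.items()
                  if s["blocked"] >= min_blocked and s["block_ratio"] >= min_ratio)


def top_blocked_paths(records, start, host, window=WINDOW, limit=3):
    """Most frequently blocked request_path values in one window for one host."""
    hits = Counter(r["request_path"] for r in records
                   if r["host"] == host and is_blocked(r)
                   and start <= r["__time__"] < start + window)
    return hits.most_common(limit)
```

Requiring both a minimum blocked count and a minimum blocked share keeps a low-traffic host with a single blocked request from being flagged.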