
Anti-DDoS: Query and analyze logs

Last Updated: Feb 22, 2024

After you enable the log analysis feature for your domain name in the Anti-DDoS Pro or Anti-DDoS Premium console, you can query and analyze logs on the Log Analysis page in real time. This topic describes how to query and analyze Anti-DDoS Pro or Anti-DDoS Premium logs.

Log collection description

If the QPS of your service is within the specifications of the Anti-DDoS Pro or Anti-DDoS Premium instance, the system collects logs of all traffic. A smaller volume of traffic results in a higher collection accuracy. If the service traffic spikes, the system automatically adjusts the collection ratio. A larger volume of traffic results in a higher collection ratio.

Prerequisites

  • The domain name of your website is added to Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Add one or more websites.

  • The log analysis feature is enabled for the domain name. For more information, see Overview.

Procedure

  1. Log on to the Anti-DDoS Pro console.

  2. In the top navigation bar, select the region of your asset.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.

    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.

  3. In the left-side navigation pane, choose Investigation > Log Analysis.

  4. Select the domain name whose logs you want to query.

    Note

    Make sure that Status is turned on for the domain name.

  5. Specify a time range for the query.

    You can select a relative time or a time frame. You can also specify a custom time range.

    Note
    • Anti-DDoS Pro and Anti-DDoS Premium logs are retained for 180 days. By default, you can query only logs from the previous 180 days.

    • The query results may contain logs that are generated 1 minute earlier or later than the specified time range.

  6. Enter a query statement in the search box.

    Each query statement consists of a search statement and an analytic statement. The search statement and the analytic statement are separated with a vertical bar (|). Format: Search statement|Analytics statement.

    | Statement | Optional | Description |
    | --- | --- | --- |
    | Search statement | Yes | A search statement specifies search conditions, such as a keyword, a numeric value, a numeric value range, an asterisk (*), or a combination of search conditions. If you specify a space or an asterisk (*) as the search statement, no conditions are used for searching, and all logs are returned. For more information, see Search syntax. Note: For more information about log fields, see Fields included in full logs. |
    | Analytics statement | Yes | An analytic statement is used to aggregate and compute the data in search results or all logs. If you leave the analytics statement empty, the search results are returned but analysis is not performed. For more information, see Log analysis overview. Note: In an analytics statement, the from log part is similar to the from <table name> part in a standard SQL statement and can be omitted. By default, the first 100 logs are returned. You can change the number of logs that you want to return by using the LIMIT clause. For more information, see LIMIT clause. |

  7. Click Search & Analyze to view the query and analysis results.

    You can view the results in a log distribution histogram on the Raw Logs tab or on the Graph tab. You can also configure alerts and saved searches. For more information, see Step 2: View query and analysis results.
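The following query statements illustrate the format from step 6. They are added examples, not part of the original topic. The field names status, real_client_ip, and host are assumptions; confirm them against Fields included in full logs before use.

```sql
-- Lines that begin with "--" are annotations for the reader.
-- Enter only the statement line in the search box.
-- Assumed field names: status, real_client_ip, host.

-- 1. Search statement only (no vertical bar).
--    Matching logs are returned; no analysis is performed.
status >= 400

-- 2. Search statement | analytics statement, with "FROM log" omitted.
--    The search part narrows the logs to error responses; the analytics
--    part counts them per client IP. Without a LIMIT clause, only the
--    first 100 rows are returned.
status >= 400 | SELECT real_client_ip, COUNT(*) AS requests GROUP BY real_client_ip ORDER BY requests DESC

-- 3. The same analysis with "FROM log" written out and a LIMIT clause
--    that raises the number of returned rows from the default 100 to 500.
status >= 400 | SELECT real_client_ip, COUNT(*) AS requests FROM log GROUP BY real_client_ip ORDER BY requests DESC LIMIT 500

-- 4. An asterisk as the search statement applies no search conditions,
--    so the analytics statement runs over all logs in the time range.
--    Here: the ten most requested hosts.
* | SELECT host, COUNT(*) AS requests GROUP BY host ORDER BY requests DESC LIMIT 10
```

Because the system adjusts the collection ratio during traffic spikes, the counts these statements return reflect the logs that were collected, not necessarily every request.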