All Products
Search

This Product

    Dynamic Content Delivery Network:Download standard logs

    Document Center

    Dynamic Content Delivery Network:Download standard logs

    Last Updated:Apr 22, 2024

    Alibaba Cloud Dynamic Content Delivery Network (DCDN) logs domain access and Web Application Firewall (WAF) blocking events on an hourly basis. You can download the logs of a specific domain on a specific day within 30 days to your local PC for analysis.

    Usage notes

    • The traffic usage of accelerated domain names that is queried by using the monitoring or resource usage feature available in the DCDN console or by calling API operations differs from that collected in logs. Typically, the traffic usage of accelerated domain names that is queried by using the monitoring or resource usage feature is 1.1 times that collected in logs. For more information, see Why is the traffic amount found by using the monitoring and usage analytics feature or the usage statistics feature different from the traffic amount that is logged?

    • In terms of resource monitoring, data is collected based on the region and ISP of client IP addresses. In terms of metering, fees are calculated based on the network traffic, bandwidth, and number of requests on DCDN points of presence (POPs) in each billable region. The resource monitoring data and the metering data may be slightly different due to different collection methods.

    Log download

    • Log update delay: In most cases, log data is generated within 24 hours after an event occurs. In some cases, it may take longer.

    • Naming rule for log files: domainName_year_month_day_startTime_endTime[extension field].gz. The extension field starts with an underscore (_). Example: aliyundoc.com_2018_10_30_000000_010000_xx.gz.

      Note

      Names of specific log files may not contain an extension field. Example: aliyundoc.com_2018_10_30_000000_010000.gz.

    Fields in access logs

    • Sample log entry 

      [9/Jun/2015:01:58:09 +0800] 10.10.10.10 - 1542 "-" "GET http://www.aliyun.com/index.html" 200 191 2830 MISS "Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://example.com/robot/)" "text/html"

    • Fields

      Field

      Description

      [9/Jun/2015:01:58:09 +0800]

      The end time of the request.

      10.10.10.10

      The first IP address in the X-Forwarded-For header that is carried in the request, which is client_ip. If the client does not use a proxy to connect to the point of presence (POP), the IP address is used by the client to connect to the POP.

      Note

      • The format of the X-Forwarded-For request header is X-Forwarded-For: <client_ip>, <proxy_ip>.

      • If the client does not use a proxy to connect to the POP, the X-Forwarded-For request header contains only <client_ip>. In this case, the value of client_ip in logs may be a private IP address. A common reason is that the Internet service provider (ISP) allocates a private IP address to the client to reduce the usage of public IP addresses and reduce costs.

      • If the client uses a proxy to connect to the POP, the X-Forwarded-For request header contains <client_ip> and <proxy_ip>. In this case, the value of client_ip in logs may also be a private IP address. A common reason is that the ISP allocates a public IP address to the proxy and a private IP address to the client.

      -

      The second IP address in the X-Forwarded-For header that is carried in the request, which is proxy_ip. If the client does not use a proxy to connect to the Alibaba Cloud CDN POP, the value of this field is -.

      1542

      The response time. Unit: milliseconds.

      "-"

      The Referer header in HTTP requests.

      GET

      The request method.

      http://www.aliyun.com/index.html

      The request URL.

      200

      The HTTP status code.

      191

      The size of the request. Unit: bytes.

      2830

      The size of the response. Unit: bytes.

      MISS

      The cache hit status. Valid values:

      • HIT: The request is a cache hit and does not need to be redirected to the origin server.

      • MISS: The request is a cache miss and must be redirected to L2 POPs or the origin server.

      Alibaba Cloud CDN collects log data from POPs, except L2 POPs. If the field value is MISS, back-to-origin information is not provided. In this case, the log data does not show whether a cache-miss request is redirected to the origin server.

      Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://example.com/robot/)

      The User-Agent header.

      text/html

      The file type.

      Note

      Logs of domain names for which you enable the global resource plan do not contain this field.

      Note

      Other fields:

      • DYNAMIC: dynamic request.

      • CHARGE: The request is billed.

      • NOTLAST: a reserved field, which has no meaning.

    Fields in WAF logs

    • Sample log entry 

      [16/May/2023:10:36:09 +0800] HEAD "http" api.aliyun.com "/block" "_dyc=89e7639543f17ddbe77361c56b9952b9" "-" api.aliyun.com 3d30530216842045692847280e 403 "-" "curl/7.29.0" "-" 1.XX.XX.1 1.XX.XX.1 false "-" deny "custom_acl" 20000014

    • Fields

      Field

      Example

      Description

      unixtime

      [16/May/2023:10:36:09 +0800]

      The request time.

      method

      HEAD

      The HTTP request method.

      scheme

      http

      The request protocol.

      domain

      api.aliyun.com

      The domain name to which the request was sent.

      uri

      /block

      The requested resource.

      uri_param

      _dyc=89e7639543f17ddbe77361c56b9952b9

      The request parameters.

      content_type

      -

      The type of the requested content.

      matched_host

      api.aliyun.com

      The domain name that is matched by Web Application Firewall (WAF). The domain name is added to WAF for protection.

      request_id

      3d30530216842045692847280e

      The request ID.

      return_code

      403

      The HTTP status code returned.

      referer

      -

      The Referer header in the HTTP request.

      user_agent

      curl/7.29.0

      The information about the proxy of the client.

      x_forwarded_for

      -

      The X-Forwarded-For (XFF) header. This field is used to identify the real IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing service.

      client_ip

      1.XX.XX.1

      The originating IP address of the client.

      remote_addr

      1.XX.XX.1

      The IP address of the client.

      final_test

      FALSE

      Specifies that the monitoring mode is enabled.

      cookie

      -

      The HTTP Cookie header. This field contains information about the client.

      final_action

      deny

      The executed protection action.

      • block: The request is blocked by the basic web protection module.

      • deny: The request is blocked by modules other than the basic web protection module.

      • captcha: common slider CAPTCHA verification is performed.

      • js: JavaScript verification is performed.

      • Empty string: The request is not blocked. No protection rule is triggered, a whitelist rule or monitor rule is triggered, or the request is allowed after the client passes the slider CAPTCHA verification or JavaScript verification.

      Note

      If a request matches multiple protection modules at the same time, the field records only the action that is performed. The following actions are listed in descending order of priority: block, slider CAPTCHA verification, dynamic token-based authentication, and JavaScript verification.

      final_plugin

      custom_acl

      The matched protection module.

      • If final_action is not empty, this field has only one value and the value of this field is the name of the protection module that corresponds to the protection action (final_action) that is performed on the request.

      • If final_action is empty, this field can have multiple values and the values of this field are the names of the protection modules to which all protection rules are matched. If a matched module is not a basic web protection module or a whitelist module, and the module name contains a suffix "-T", the request matches the monitor rule of the module.

      Separate multiple values with commas (,). Protection modules:

      • whitelist: Rules of the whitelist module are matched.

      • waf: Rules of the basic web protection module are matched.

      • custom_acl: Rules of the custom rule module are matched.

      • ip_blacklist: Rules of the IP blacklist module are matched.

      • region_block: Rules of the region blacklist module are matched.

      • bot: Rules of the bot management module are matched.

      • anti_scan: Rules of the scan protection module are matched.

      final_rule_id

      20000014

      The matched protection rule.

      • If final_action is not empty, the value of this field is the ID of the protection rule that is applied to the request, which is the ID of the protection rule that corresponds to final_action.

      • If final_action is empty, this field contains the information about all protection rules that are matched. The information is in the following format: [module name]-[protection rule ID](-T). If a matched rule is a whitelist rule or a basic web protection rule, the information about the rule does not contain the suffix "-T". If a matched rule is a monitor rule of other protection modules, the information about the rule contains the suffix "-T".

      Separate multiple values with commas (,).

    Procedure

    1. Log on to the DCDN console.

    2. In the left-side navigation pane, choose Data Center > Logs > Offline Log.

    3. On the Log Download tab, select a domain name and a date and click Query.

    4. Find the log file that you want to download and click Download in the Actions column.

    Related API operations

    DescribeDcdnDomainLog: queries the address where you can download standard logs of a specific domain.