Alibaba Cloud Dynamic Content Delivery Network (DCDN) logs domain access and Web Application Firewall (WAF) blocking events on an hourly basis. You can download the logs of a specific domain on a specific day within 30 days to your local PC for analysis.
Usage notes
The traffic usage of accelerated domain names that is queried by using the monitoring or resource usage feature available in the DCDN console or by calling API operations differs from that collected in logs. Typically, the traffic usage of accelerated domain names that is queried by using the monitoring or resource usage feature is 1.1 times that collected in logs. For more information, see Why is the traffic amount found by using the monitoring and usage analytics feature or the usage statistics feature different from the traffic amount that is logged?
In terms of resource monitoring, data is collected based on the region and ISP of client IP addresses. In terms of metering, fees are calculated based on the network traffic, bandwidth, and number of requests on DCDN points of presence (POPs) in each billable region. The resource monitoring data and the metering data may be slightly different due to different collection methods.
Log download
Log update delay: In most cases, log data is generated within 24 hours after an event occurs. In some cases, it may take longer.
Naming rule for log files: domainName_year_month_day_startTime_endTime[extension field].gz. The extension field starts with an underscore (_). Example:
aliyundoc.com_2018_10_30_000000_010000_xx.gz
Note: Names of specific log files may not contain an extension field. Example:
aliyundoc.com_2018_10_30_000000_010000.gz
Fields in access logs
Sample log entry
[9/Jun/2015:01:58:09 +0800] 10.10.10.10 - 1542 "-" "GET http://www.aliyun.com/index.html" 200 191 2830 MISS "Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://example.com/robot/)" "text/html"
Fields

| Field | Description |
| --- | --- |
| [9/Jun/2015:01:58:09 +0800] | The end time of the request. |
| 10.10.10.10 | The first IP address in the X-Forwarded-For header that is carried in the request, which is client_ip. If the client does not use a proxy to connect to the point of presence (POP), this is the IP address that the client uses to connect to the POP.<br>Note: The format of the X-Forwarded-For request header is X-Forwarded-For: <client_ip>, <proxy_ip>.<br>If the client does not use a proxy to connect to the POP, the X-Forwarded-For request header contains only <client_ip>. In this case, the value of client_ip in logs may be a private IP address. A common reason is that the Internet service provider (ISP) allocates a private IP address to the client to reduce the usage of public IP addresses and reduce costs.<br>If the client uses a proxy to connect to the POP, the X-Forwarded-For request header contains <client_ip> and <proxy_ip>. In this case, the value of client_ip in logs may also be a private IP address. A common reason is that the ISP allocates a public IP address to the proxy and a private IP address to the client. |
| - | The second IP address in the X-Forwarded-For header that is carried in the request, which is proxy_ip. If the client does not use a proxy to connect to the Alibaba Cloud CDN POP, the value of this field is -. |
| 1542 | The response time. Unit: milliseconds. |
| "-" | The Referer header in HTTP requests. |
| GET | The request method. |
| http://www.aliyun.com/index.html | The request URL. |
| 200 | The HTTP status code. |
| 191 | The size of the request. Unit: bytes. |
| 2830 | The size of the response. Unit: bytes. |
| MISS | The cache hit status. Valid values:<br>HIT: The request is a cache hit and does not need to be redirected to the origin server.<br>MISS: The request is a cache miss and must be redirected to L2 POPs or the origin server.<br>Alibaba Cloud CDN collects log data from POPs, except L2 POPs. If the field value is MISS, back-to-origin information is not provided. In this case, the log data does not show whether a cache-miss request is redirected to the origin server. |
| Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://example.com/robot/) | The User-Agent header. |
| text/html | The file type.<br>Note: Logs of domain names for which you enable the global resource plan do not contain this field. |

Note: Other fields:
DYNAMIC: dynamic request.
CHARGE: The request is billed.
NOTLAST: a reserved field, which has no meaning.
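The following parser is an added example, not code from Alibaba Cloud. It reads access-log lines in the field order documented above, accepts lines without the content type, and reports the cache hit ratio together with client_ip values that fall in private ranges, which is useful because client_ip is taken from a request header. The function names and the set of private ranges are assumptions of this example, and because the page does not say where the other fields (DYNAMIC, CHARGE, NOTLAST) are placed, the pattern only tolerates extra text after the documented fields.

```python
import ipaddress
import re
from datetime import datetime

# Field order follows the table above; content type is optional (global resource plan).
ACCESS_RE = re.compile(
    r'\[(?P<time>[^\]]+)\] (?P<client_ip>\S+) (?P<proxy_ip>\S+) (?P<rt_ms>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<method>\S+) (?P<url>[^"]*)" (?P<status>\d{3}) '
    r'(?P<req_bytes>\d+) (?P<resp_bytes>\d+) (?P<cache>\S+) '
    r'"(?P<user_agent>[^"]*)"(?: "(?P<content_type>[^"]*)")?')
# RFC 1918 ranges plus carrier-grade NAT space (assumed set for this example).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def parse_access_line(line):
    """Return typed fields for one log line, or None if it does not match."""
    m = ACCESS_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    for key in ("rt_ms", "status", "req_bytes", "resp_bytes"):
        rec[key] = int(rec[key])
    rec["proxy_ip"] = None if rec["proxy_ip"] == "-" else rec["proxy_ip"]
    try:
        addr = ipaddress.ip_address(rec["client_ip"])
        rec["client_ip_private"] = any(addr in net for net in PRIVATE_NETS)
    except ValueError:
        rec["client_ip_private"] = None  # masked or malformed address
    return rec

def summarize(lines):
    """Hit ratio, response bytes, private client_ip values and rejected lines."""
    parsed = [parse_access_line(line) for line in lines]
    ok = [r for r in parsed if r is not None]
    hits = sum(r["cache"] == "HIT" for r in ok)
    return {
        "rejected": len(parsed) - len(ok),
        "hit_ratio": hits / len(ok) if ok else 0.0,
        "resp_bytes": sum(r["resp_bytes"] for r in ok),
        "private_clients": sorted({r["client_ip"] for r in ok if r["client_ip_private"]}),
    }

# First line is the sample entry from this page; the other three are constructed.
ACCESS_SAMPLE = [
    '[9/Jun/2015:01:58:09 +0800] 10.10.10.10 - 1542 "-" "GET http://www.aliyun.com/index.html" 200 191 2830 MISS "Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://example.com/robot/)" "text/html"',
    '[9/Jun/2015:01:58:10 +0800] 203.0.113.7 198.51.100.2 12 "http://www.aliyun.com/" "GET http://www.aliyun.com/logo.png" 200 210 5120 HIT "Mozilla/5.0" "image/png"',
    '[9/Jun/2015:01:58:11 +0800] 100.64.3.9 - 40 "-" "GET http://www.aliyun.com/a.js" 200 180 900 HIT "curl/7.29.0"',
    'truncated line without the expected fields',
]
```
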
Fields in WAF logs
Sample log entry
[16/May/2023:10:36:09 +0800] HEAD "http" api.aliyun.com "/block" "_dyc=89e7639543f17ddbe77361c56b9952b9" "-" api.aliyun.com 3d30530216842045692847280e 403 "-" "curl/7.29.0" "-" 1.XX.XX.1 1.XX.XX.1 false "-" deny "custom_acl" 20000014
Fields

| Field | Example | Description |
| --- | --- | --- |
| unixtime | [16/May/2023:10:36:09 +0800] | The request time. |
| method | HEAD | The HTTP request method. |
| scheme | http | The request protocol. |
| domain | api.aliyun.com | The domain name to which the request was sent. |
| uri | /block | The requested resource. |
| uri_param | _dyc=89e7639543f17ddbe77361c56b9952b9 | The request parameters. |
| content_type | - | The type of the requested content. |
| matched_host | api.aliyun.com | The domain name that is matched by Web Application Firewall (WAF). The domain name is added to WAF for protection. |
| request_id | 3d30530216842045692847280e | The request ID. |
| return_code | 403 | The HTTP status code returned. |
| referer | - | The Referer header in the HTTP request. |
| user_agent | curl/7.29.0 | The information about the proxy of the client. |
| x_forwarded_for | - | The X-Forwarded-For (XFF) header. This field is used to identify the real IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing service. |
| client_ip | 1.XX.XX.1 | The originating IP address of the client. |
| remote_addr | 1.XX.XX.1 | The IP address of the client. |
| final_test | FALSE | Specifies whether the monitoring mode is enabled. |
| cookie | - | The HTTP Cookie header. This field contains information about the client. |
| final_action | deny | The executed protection action.<br>block: The request is blocked by the basic web protection module.<br>deny: The request is blocked by modules other than the basic web protection module.<br>captcha: Common slider CAPTCHA verification is performed.<br>js: JavaScript verification is performed.<br>Empty string: The request is not blocked. No protection rule is triggered, a whitelist rule or monitor rule is triggered, or the request is allowed after the client passes the slider CAPTCHA verification or JavaScript verification.<br>Note: If a request matches multiple protection modules at the same time, the field records only the action that is performed. The following actions are listed in descending order of priority: block, slider CAPTCHA verification, dynamic token-based authentication, and JavaScript verification. |
| final_plugin | custom_acl | The matched protection module.<br>If final_action is not empty, this field has only one value and the value of this field is the name of the protection module that corresponds to the protection action (final_action) that is performed on the request.<br>If final_action is empty, this field can have multiple values and the values of this field are the names of the protection modules to which all protection rules are matched. If a matched module is not a basic web protection module or a whitelist module, and the module name contains a suffix "-T", the request matches the monitor rule of the module.<br>Separate multiple values with commas (,). Protection modules:<br>whitelist: Rules of the whitelist module are matched.<br>waf: Rules of the basic web protection module are matched.<br>custom_acl: Rules of the custom rule module are matched.<br>ip_blacklist: Rules of the IP blacklist module are matched.<br>region_block: Rules of the region blacklist module are matched.<br>bot: Rules of the bot management module are matched.<br>anti_scan: Rules of the scan protection module are matched. |
| final_rule_id | 20000014 | The matched protection rule.<br>If final_action is not empty, the value of this field is the ID of the protection rule that is applied to the request, which is the ID of the protection rule that corresponds to final_action.<br>If final_action is empty, this field contains the information about all protection rules that are matched. The information is in the following format: [module name]-[protection rule ID](-T). If a matched rule is a whitelist rule or a basic web protection rule, the information about the rule does not contain the suffix "-T". If a matched rule is a monitor rule of other protection modules, the information about the rule contains the suffix "-T".<br>Separate multiple values with commas (,). |

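The following added example (not Alibaba Cloud code) splits a WAF log line into the documented fields and decodes final_action, final_plugin and final_rule_id as the descriptions above state, then lists the monitor-rule matches ("-T") on requests that were not blocked. The function names, the second sample line, and the treatment of "" or - as an empty final_action are assumptions of this example; the page does not show how an empty value is written.

```python
import re

# Field names in the order given by the WAF log table on this page.
WAF_FIELDS = (
    "unixtime method scheme domain uri uri_param content_type matched_host "
    "request_id return_code referer user_agent x_forwarded_for client_ip "
    "remote_addr final_test cookie final_action final_plugin final_rule_id").split()
TOKEN_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')  # [time], "quoted", or bare token
EMPTY = ("", "-")  # assumption: an empty value is logged as "" or -

def parse_waf_line(line):
    """Map one line onto WAF_FIELDS; None if the token count is wrong."""
    tokens = [t.strip('[]"') for t in TOKEN_RE.findall(line)]
    return dict(zip(WAF_FIELDS, tokens)) if len(tokens) == len(WAF_FIELDS) else None

def classify(rec):
    """Decode final_action, final_plugin and final_rule_id as the table describes."""
    if rec["final_action"] not in EMPTY:
        # An action was taken: exactly one module and one rule are recorded.
        return {"action": rec["final_action"],
                "matches": [(rec["final_plugin"], rec["final_rule_id"], False)]}
    matches = []
    for entry in rec["final_rule_id"].split(","):
        entry = entry.strip()
        if entry in EMPTY:
            continue
        monitor = entry.endswith("-T")  # "-T" marks a monitor-rule match
        module, _, rule_id = (entry[:-2] if monitor else entry).partition("-")
        matches.append((module, rule_id, monitor))
    return {"action": "", "matches": matches}

def monitor_hits(lines):
    """(request_id, module, rule_id) for monitor-rule matches on unblocked requests."""
    out = []
    for rec in filter(None, map(parse_waf_line, lines)):
        out += [(rec["request_id"], mod, rid)
                for mod, rid, monitor in classify(rec)["matches"] if monitor]
    return out

# First line is the sample entry from this page; the second is constructed.
WAF_SAMPLE = [
    '[16/May/2023:10:36:09 +0800] HEAD "http" api.aliyun.com "/block" "_dyc=89e7639543f17ddbe77361c56b9952b9" "-" api.aliyun.com 3d30530216842045692847280e 403 "-" "curl/7.29.0" "-" 1.XX.XX.1 1.XX.XX.1 false "-" deny "custom_acl" 20000014',
    '[16/May/2023:10:37:00 +0800] GET "https" api.aliyun.com "/login" "-" "-" api.aliyun.com req-constructed-0002 200 "-" "curl/7.29.0" "-" 192.0.2.10 192.0.2.10 false "-" - "custom_acl-T,whitelist" custom_acl-20000020-T,whitelist-1001',
]
```
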
Procedure
Log on to the DCDN console.
In the left-side navigation pane, choose .
On the Log Download tab, select a domain name and a date and click Query.
Find the log file that you want to download and click Download in the Actions column.
Related API operations
DescribeDcdnDomainLog: queries the address where you can download standard logs of a specific domain.