Global Accelerator (GA) can create access logs to record the traffic information of endpoints. You can analyze the traffic information to verify Access Control List (ACL) rules and troubleshoot network errors.

Introduction to access logs

You can configure GA to create access logs for one or more endpoint groups of a GA instance. The collected log data is delivered to the Logstores provided by Log Service in the regions where the endpoint groups are deployed. An access log contains the following information: the source IP address, source port, destination IP address, destination port, and acceleration region.

The following table describes the access log information that you can query in the Log Service console.
| Parameter | Description |
| --- | --- |
| accelerator_region | The acceleration region. |
| client_ip | The IP address of the client, which is the source IP address. |
| client_port | The port of the client, which is the source port. |
| egress_bytes | The outbound traffic during the time period when traffic information is collected. |
| endpoint_group_id | The ID of the endpoint group. |
| endpoint_group_region | The region where the endpoint group is deployed. |
| endpoint_ip | The IP address of the endpoint, which is the destination IP address. |
| endpoint_port | The port of the endpoint, which is the destination port. |
| ga_id | The ID of the GA instance. |
| ingress_bytes | The inbound traffic during the time period when traffic information is collected. |
| listener_id | The ID of the listener. |
| protocol | The network transmission protocol that is used by the listener. |
| status | The status of the response packet that is sent by GA. |
| time | The time when the log entry is generated. |
| session_time | The duration of the session, which starts from the time when GA receives the request and ends at the time when the last byte is sent to the client. |
| end_time | The time when the session ends. |
| epg_region | The region where the endpoint group is deployed. |

The following parameters are available when HTTP and HTTPS listeners are used.

| Parameter | Description |
| --- | --- |
| http_host | The Host header of the request. |
| http_referer | The HTTP referer header of the request. |
| request_method | The request method. |
| request_uri | The URI of the request that is received by GA. |

Scenarios

  • Troubleshooting

    You can troubleshoot issues based on the information in an access log.

    For example, you can check whether GA returns an expected response based on the status parameter in an access log and then locate the cause.

  • Business planning

    You can analyze an access log to make informed business decisions.

    For example, you can upgrade bandwidth plans in advance to meet your business requirements based on the traffic trend in the acceleration region. You can also view the hosts that access your application within a specified time period and prepare for application upgrades based on the http_host parameter in the access log.

Billing

You are not charged additional fees for using the access log feature. You pay only for Log Service. For more information, see Billing of Log Service.

Limits

  • The access log feature is supported only in regions where Log Service is available. For more information, see Supported regions.
  • Only standard GA instances support the access log feature. Basic GA instances do not support the access log feature. In this topic, a standard GA instance is used as an example.
  • You cannot collect the access log of an endpoint group if the endpoint group is deployed on a point of presence (PoP) node of Alibaba Cloud.
  • You cannot query the domain names of endpoints.
  • The access log feature is automatically enabled for GA instances that are created after January 8, 2022. If you want to enable the access log feature for GA instances that are created before January 8, 2022, submit a ticket to upgrade the GA instances.

Create an access log

Before you create an access log for a GA instance, make sure that you have added listeners and endpoint groups for the GA instance. For more information, see Add a listener.

  1. Log on to the Global Accelerator console.
  2. On the Instances page, click the ID of the GA instance that you want to manage.
  3. On the instance details page, click the Access Log tab.
  4. On the Access Log tab, click Create Access Log. In the Storage Configuration dialog box, set the following parameters and click OK.

    | Category | Parameter | Description |
    | --- | --- | --- |
    | Select Source | Listener ID/Name | Select a listener. |
    | Select Source | Endpoint Group ID/Name | Select a destination endpoint group. |
    | Storage Settings | Region | By default, the region where the endpoint group resides is selected. |
    | Storage Settings | Project | Log Service projects are used to isolate and manage resources. You can click Select Project and select an existing project. You can also click Create Project and create a project. |
    | Storage Settings | Logstore | Log Service Logstores are used to collect, store, and query log data. You can click Select Logstore and select an existing Logstore. You can also click Create Logstore and create a Logstore. |

    Note: When you perform this operation, the system checks whether the service-linked role AliyunServiceRoleForGaFlowlog is assigned to GA.
    • If the service-linked role AliyunServiceRoleForGaFlowlog does not exist, the system automatically creates the service-linked role and attaches the permission policy AliyunServiceRolePolicyForGaFlowlog to the service-linked role. This allows GA to access Log Service and deliver flow logs to Log Service.
    • If the service-linked role AliyunServiceRoleForGaFlowlog is assigned to GA, the system does not create it again.

    For more information, see AliyunServiceRoleForGaFlowlog.

    After you create the access log, you can find it on the Access Log tab.

What to do next

Operation Description
View access logs
  1. On the Access Log tab, find the access log that you created and click View Log in the Actions column to go to the Log Service console.
  2. You can view and analyze the access log. For more information, see Examples.
Delete an access log
  1. On the Access Log tab, find the access log that you want to delete and click Delete in the Actions column.
  2. In the Delete Log message, click OK.

After Log Service collects an access log, you can download, deliver, and process the access log. You can also create alerts for the access log. For more information, see Common operations on logs of Alibaba Cloud services.
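
The introduction notes that access logs can be used to verify ACL rules. The following is an added example, not code from the original page or from Alibaba Cloud, that checks downloaded log records against an ACL and reports clients that appear in the logs even though the ACL should reject them. The JSON-lines export format, the `ACL_RULES` structure, the listener IDs, and all sample values are assumptions constructed for illustration; only the field names come from the table above.

```python
import ipaddress
import json
from collections import defaultdict

# Hypothetical ACL model: listener_id -> (mode, CIDR list). "allow" means only
# listed networks may connect; "deny" means listed networks must be rejected.
ACL_RULES = {
    "lsr-example-a": ("allow", ["198.51.100.0/24"]),
    "lsr-example-b": ("deny", ["203.0.113.0/24"]),
}

# Constructed sample records (JSON lines) using the documented field names.
SAMPLE_LOGS = """\
{"listener_id": "lsr-example-a", "client_ip": "198.51.100.20", "ingress_bytes": "900", "egress_bytes": "4100"}
{"listener_id": "lsr-example-a", "client_ip": "192.0.2.44", "ingress_bytes": "300", "egress_bytes": "1500"}
{"listener_id": "lsr-example-b", "client_ip": "203.0.113.9", "ingress_bytes": "120", "egress_bytes": "0"}
{"listener_id": "lsr-example-b", "client_ip": "203.0.113.9", "ingress_bytes": "80", "egress_bytes": "640"}
{"listener_id": "lsr-example-b", "client_ip": "not-an-ip", "ingress_bytes": "1", "egress_bytes": "1"}
{"listener_id": "lsr-example-c", "client_ip": "192.0.2.1", "ingress_bytes": "5", "egress_bytes": "5"}
"""


def acl_permits(mode, cidrs, ip):
    """Return True if the ACL would let this client address through."""
    listed = any(ip in ipaddress.ip_network(c) for c in cidrs)
    return listed if mode == "allow" else not listed


def find_acl_violations(log_text, rules):
    """Sum bytes per (listener, client) for clients the ACL should reject."""
    hits, skipped = defaultdict(int), 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            rec = json.loads(line)
            ip = ipaddress.ip_address(rec["client_ip"])
            size = int(rec["ingress_bytes"]) + int(rec["egress_bytes"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed record: count it, do not guess
            continue
        rule = rules.get(rec.get("listener_id"))  # no rule -> nothing to verify
        if rule and not acl_permits(rule[0], rule[1], ip):
            hits[(rec["listener_id"], str(ip))] += size
    return dict(hits), skipped


if __name__ == "__main__":
    print(find_acl_violations(SAMPLE_LOGS, ACL_RULES))
```

A non-empty result means the ACL configuration and the observed traffic disagree and the listed listener and client pairs need review; a non-zero skipped count means some records could not be evaluated.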

Examples

View a raw access log

On the Raw Logs tab of the Logstore page, you can view information about raw logs.

For example, you can click client_ip to view information about client IP addresses.

Query a specified access log

On the Logstore page, enter an SQL statement in the Search & Analyze search box to search for a specified access log.

For example, you can query the distribution of client IP addresses in the following order:

  1. Enter the following SQL statement to query the heat map of client IP addresses and view the top 10 regions where the clients are distributed. This helps you plan your business.

         * | select ip_to_geo(client_ip) as address, count(1) as count group by address order by count desc limit 10

  2. Select a time range during which access logs are generated and click Search & Analyze.
  3. On the Graph tab, click the Properties tab and then click the Heat Map icon to view the distribution of client IP addresses.