This topic describes the fields of access logs in Anti-DDoS Pro, Anti-DDoS Premium, and Anti-DDoS Origin.

Anti-DDoS Pro

| Log field | Description |
|---|---|
| __topic__ | The topic of a log entry. Valid value: ddoscoo_access_log. |
| owner_id | The ID of an Alibaba Cloud account. |
| body_bytes_sent | The size of a request body. Unit: bytes. |
| cc_action | The action that is performed based on an HTTP flood protection policy. The action can be none, challenge, pass, close, captcha, wait, or login. |
| cc_phase | The HTTP flood protection policy that is matched. The policy can be seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, or qps_overmax. |
| cc_blocks | Indicates whether a request is blocked by an HTTP flood protection policy. Valid values: |
| content_type | The content type of a request. |
| host | The origin server. |
| http_cookie | The Cookie HTTP header. |
| http_referer | The Referer HTTP header. If an HTTP header does not contain a referer, a hyphen (-) is displayed. |
| http_user_agent | The User-Agent HTTP header. |
| http_x_forwarded_for | The IP address of an upstream user. The IP address is forwarded by a proxy server. |
| https | Indicates whether a request is an HTTPS request. Valid values: |
| isp_line | The information of an Internet service provider (ISP) line, for example, BGP, China Telecom, or China Unicom. |
| matched_host | The matched origin server, which can be a wildcard domain name. If no origin server is matched, a hyphen (-) is displayed. |
| real_client_ip | The real IP address of a client. If no real IP address can be obtained, a hyphen (-) is displayed. |
| remote_addr | The IP address of a client that sends an access request. |
| remote_port | The port number of a client that sends an access request. |
| request_length | The size of a request. Unit: bytes. |
| request_method | The HTTP method of a request. |
| request_time_msec | The duration in which a request is processed. Unit: milliseconds. |
| request_uri | The uniform resource identifier (URI) of a request. |
| server_name | The name of a matched server. If no server name is matched, default is displayed. |
| status | The HTTP status code. |
| time | The time when a request is sent. |
| ua_browser | The browser. |
| ua_browser_family | The family to which a browser belongs. |
| ua_browser_type | The type of a browser. |
| ua_device_type | The type of a client. |
| ua_os | The operating system of a client. |
| ua_os_family | The family of the operating system that runs on a client. |
| upstream_addr | The list of back-to-origin IP addresses. Each IP address is in the IP:Port format. Multiple IP addresses are separated by commas (,). |
| upstream_ip | The real IP address of an origin server. |
| upstream_response_time | The response time of a back-to-origin process. Unit: seconds. |
| upstream_status | The HTTP status code of a back-to-origin request. |

Anti-DDoS Premium

| Log field | Description |
|---|---|
| __topic__ | The topic of a log entry. Valid value: ddosdip_access_log. |
| owner_id | The ID of an Alibaba Cloud account. |
| body_bytes_sent | The size of a request body. Unit: bytes. |
| cc_action | The action that is performed based on an HTTP flood protection policy. The action can be none, challenge, pass, close, captcha, wait, or login. |
| cc_phase | The HTTP flood protection policy that is matched. The policy can be seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, or qps_overmax. |
| cc_blocks | Indicates whether a request is blocked by an HTTP flood protection policy. Valid values: |
| content_type | The content type of a request. |
| host | The origin server. |
| http_cookie | The Cookie HTTP header. |
| http_referer | The Referer HTTP header. If an HTTP header does not contain a referer, a hyphen (-) is displayed. |
| http_user_agent | The User-Agent HTTP header. |
| http_x_forwarded_for | The IP address of an upstream user. The IP address is forwarded by a proxy server. |
| https | Indicates whether a request is an HTTPS request. Valid values: |
| isp_line | The information of an ISP line, for example, BGP, China Telecom, or China Unicom. |
| matched_host | The matched origin server, which can be a wildcard domain name. If no origin server is matched, a hyphen (-) is displayed. |
| real_client_ip | The real IP address of a client. If no real IP address can be obtained, a hyphen (-) is displayed. |
| remote_addr | The IP address of a client that sends an access request. |
| remote_port | The port number of a client that sends an access request. |
| request_length | The size of a request. Unit: bytes. |
| request_method | The HTTP method of a request. |
| request_time_msec | The duration in which a request is processed. Unit: milliseconds. |
| request_uri | The URI of a request. |
| server_name | The name of a matched server. If no server name is matched, default is displayed. |
| status | The HTTP status code. |
| time | The time when a request is sent. |
| ua_browser | The browser. |
| ua_browser_family | The family to which a browser belongs. |
| ua_browser_type | The type of a browser. |
| ua_device_type | The type of a client. |
| ua_os | The operating system of a client. |
| ua_os_family | The family of the operating system that runs on a client. |
| upstream_addr | The list of back-to-origin IP addresses. Each IP address is in the IP:Port format. Multiple IP addresses are separated by commas (,). |
| upstream_ip | The real IP address of an origin server. |
| upstream_response_time | The response time of a back-to-origin process. Unit: seconds. |
| upstream_status | The HTTP status code of a back-to-origin request. |
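
The following is an added example, not part of the original documentation. It normalizes Anti-DDoS Pro or Anti-DDoS Premium access-log entries using the field semantics in the tables above (hyphen placeholders, the IP:Port list in upstream_addr, milliseconds versus seconds) and counts mitigated requests per client. It assumes entries have already been exported as dictionaries of strings; the function names, the derived keys `client_ip`, `request_ms` and `upstream_ms`, and the treatment of `none` and `pass` as "no mitigation" are assumptions of this example.

```python
from collections import Counter

# Fields the tables say hold a hyphen (-) when no value is available.
HYPHEN_FIELDS = ("http_referer", "matched_host", "real_client_ip")
# Assumption of this example: these cc_action values mean no mitigation was applied.
PASSIVE_ACTIONS = {"none", "pass"}

def normalize(entry):
    """Return a copy of one access-log entry with cleaned, typed fields."""
    rec = dict(entry)
    for field in HYPHEN_FIELDS:
        if rec.get(field, "-") == "-":
            rec[field] = None
    # Prefer the real client IP; fall back to the connecting address.
    rec["client_ip"] = rec["real_client_ip"] or rec.get("remote_addr")
    # upstream_addr is a comma-separated list of IP:Port pairs.
    pairs = []
    for item in filter(None, rec.get("upstream_addr", "").split(",")):
        ip, _, port = item.strip().rpartition(":")
        pairs.append((ip, int(port)))
    rec["upstream_addr"] = pairs
    # request_time_msec is in milliseconds, upstream_response_time in seconds.
    rec["request_ms"] = int(rec.get("request_time_msec") or 0)
    rec["upstream_ms"] = round(float(rec.get("upstream_response_time") or 0) * 1000)
    return rec

def mitigated_by_client(entries):
    """Count mitigated requests per (client_ip, cc_phase, cc_action)."""
    counts = Counter()
    for rec in map(normalize, entries):
        if rec.get("cc_action", "none") not in PASSIVE_ACTIONS:
            counts[(rec["client_ip"], rec.get("cc_phase"), rec["cc_action"])] += 1
    return counts

# Constructed sample entries (documentation-range IP addresses, not real traffic).
SAMPLE = [
    {"real_client_ip": "203.0.113.7", "remote_addr": "198.51.100.20", "cc_action": "close", "cc_phase": "qps_overmax"},
    {"real_client_ip": "-", "remote_addr": "198.51.100.20", "cc_action": "close", "cc_phase": "qps_overmax"},
    {"real_client_ip": "203.0.113.7", "remote_addr": "198.51.100.20", "cc_action": "none", "http_referer": "-",
     "upstream_addr": "192.0.2.10:80,192.0.2.11:8080", "request_time_msec": "45", "upstream_response_time": "0.042"},
    {"real_client_ip": "203.0.113.7", "remote_addr": "198.51.100.20", "cc_action": "close", "cc_phase": "qps_overmax"},
]
```

Grouping on `client_ip` rather than `remote_addr` avoids attributing every request behind one proxy to a single source when real_client_ip is available.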

Anti-DDoS Origin

| Log field | Description |
|---|---|
| __topic__ | The topic of a log entry. Valid value: ddosbqp_access_log. |
| data_type | The type of a log entry. |
| event_type | The type of an event. |
| ip | The IP address from which the request is sent. |
| subnet | The CIDR block of the instance that is rerouted. |
| event_time | The date when an event occurs, for example, 2020-01-01. |
| qps | The number of queries per second when an event occurs. |
| pps_in | The rate of inbound traffic when an event occurs. Unit: packets per second (pps). |
| new_con | The new connection that is established when an event occurs. |
| kbps_in | The rate of inbound traffic when an event occurs. Unit: bit/s. |
| instance_id | The ID of an instance. |
| time | The time when a log is generated, for example, 2020-07-17 10:00:30. |
| destination_ip | The IP address of a destination server. |
| port | The destination port. |
| total_traffic_in_bps | The rate of total inbound traffic. Unit: bit/s. |
| total_traffic_drop_bps | The rate of total inbound traffic that is dropped. Unit: bit/s. |
| total_traffic_in_pps | The rate of total inbound traffic. Unit: pps. |
| total_traffic_drop_pps | The rate of total inbound traffic that is dropped. Unit: pps. |
| pps_types_in_tcp_pps | The rate of inbound TCP traffic that is measured by protocol. Unit: pps. |
| pps_types_in_udp_pps | The rate of inbound UDP traffic that is measured by protocol. Unit: pps. |
| pps_types_in_icmp_pps | The rate of inbound ICMP traffic that is measured by protocol. Unit: pps. |
| pps_types_in_syn_pps | The rate of inbound SYN traffic that is measured by protocol. Unit: pps. |
| pps_types_in_ack_pps | The rate of inbound ACK traffic that is measured by protocol. Unit: pps. |
| user_id | The ID of an Alibaba Cloud account. |