Simple Log Service: Fields in logs

Last Updated: Apr 22, 2024

This topic describes all fields in the logs of Anti-DDoS Origin.

The fields are classified into the following types:
  • Event fields: record information about the events that occur on the protected assets. The events include traffic scrubbing, blackhole filtering, and on-demand protection. The information includes the time at which the events occurred and the status of the events.
  • Traffic detection fields: record information about the traffic that is generated on the protected assets. The information includes the transmission rate of inbound traffic and the packet forwarding rates of different types of data packets.
  • Traffic scrubbing fields: record information about the traffic that is denied or allowed by different mitigation policies during traffic scrubbing.

Event fields

Format of each entry: field name, description, example value.

data_type: The data type. Valid values:
  • Global_SC_Detection: indicates data about the traffic that is forwarded by the traffic scrubbing center of Anti-DDoS. The traffic is protected by an on-demand instance.
  • Global_SC_Mitigation: indicates data about the traffic that is scrubbed by the scrubbing center of Anti-DDoS. The traffic is protected by an on-demand instance.
  • Regional_SC_Detection: indicates data about the inbound traffic of the region in which Alibaba Cloud assets reside.
  • Regional_SC_Mitigation: indicates data about the scrubbed traffic of the region in which Alibaba Cloud assets reside.
  • event: indicates data about attack events.
  Example value: Regional_SC_Mitigation
event_time: The time at which an event occurred. This value is a UNIX timestamp. Unit: seconds. Example value: 1624434027
event_type: The type of an event. Valid values:
  • mitigation_begin: A traffic scrubbing event begins.
  • mitigation_ended: A traffic scrubbing event ends.
  • blackhole_begin: A blackhole filtering event begins.
  • blackhole_ended: A blackhole filtering event ends.
  Example value: mitigation_begin
instance_id: The ID of the Anti-DDoS Origin instance. Example value: ddosbgp-cn-n6w203qg****
ip: The IP address of an asset that is protected by the Anti-DDoS Origin instance. Example value: 39.XX.XX.23
kbps_in: The bandwidth of inbound traffic. Unit: Kbit/s. Example value: 1000
new_con: The number of new connections. Example value: 1000
pps_in: The packet forwarding rate of inbound traffic. Unit: packets per second. Example value: 1000
qps: The number of queries per second (QPS). Unit: QPS. Example value: 1000
scrubbing_center: The region where the traffic scrubbing center resides. Valid values:
  • us_west: US (Virginia)
  • us_east: US (Silicon Valley)
  • frankfurt: Germany (Frankfurt)
  • hk: China (Hong Kong)
  • singapore: Singapore (Singapore)
  • malaysia: Malaysia (Kuala Lumpur)
  • uk: UK (London)
  • japan: Japan (Tokyo)
  • total_summary: all regions
  • assets_base_region: the region where the asset resides
  Example value: us_west
subnet: The CIDR block for on-demand protection. Example value: 1.XX.XX.1/24
user_id: The ID of an Alibaba Cloud account. Example value: 170457416359****
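
The begin/ended values of event_type only become useful once they are paired into intervals. The following is an added example, not code from the Alibaba Cloud documentation: it pairs events per ip and event kind and reports events that never closed or have no matching begin. It assumes records arrive as dictionaries keyed by the field names above; the function name and the sample records are constructed.

```python
# Constructed sample records (not real logs); keys follow the event fields above.
SAMPLE_EVENTS = [
    {"data_type": "event", "event_type": "mitigation_begin", "event_time": "1624434027", "ip": "192.0.2.10"},
    {"data_type": "Regional_SC_Mitigation", "destination_ip": "192.0.2.10", "time": "1624434100"},
    {"data_type": "event", "event_type": "blackhole_begin", "event_time": "1624434300", "ip": "192.0.2.10"},
    {"data_type": "event", "event_type": "mitigation_ended", "event_time": "1624434627", "ip": "192.0.2.10"},
    {"data_type": "event", "event_type": "mitigation_ended", "event_time": "1624434700", "ip": "192.0.2.20"},
    {"data_type": "event", "event_type": "mitigation_begin", "event_time": "1624435000", "ip": "192.0.2.10"},
]


def pair_events(records):
    """Return (closed, still_open, orphan_ends) for begin/ended event pairs.

    closed:      (ip, kind, begin_time, duration_seconds)
    still_open:  (ip, kind, begin_time)  - begin seen, no ended yet
    orphan_ends: (ip, kind, end_time)    - ended seen without a begin
    """
    open_events = {}  # (ip, kind) -> begin time
    closed, orphans = [], []
    # Only data_type "event" carries event_type / event_time.
    events = [r for r in records if r.get("data_type") == "event"]
    # event_time is a UNIX timestamp in seconds; int() accepts str or int.
    for rec in sorted(events, key=lambda r: int(r["event_time"])):
        kind, _, phase = rec["event_type"].rpartition("_")  # mitigation / blackhole
        key, ts = (rec["ip"], kind), int(rec["event_time"])
        if phase == "begin":
            open_events[key] = ts  # a repeated begin restarts the window
        elif phase == "ended":
            start = open_events.pop(key, None)
            if start is None:
                orphans.append((rec["ip"], kind, ts))
            else:
                closed.append((rec["ip"], kind, start, ts - start))
    still_open = sorted((ip, kind, ts) for (ip, kind), ts in open_events.items())
    return closed, still_open, orphans


if __name__ == "__main__":
    closed, still_open, orphans = pair_events(SAMPLE_EVENTS)
    print("closed:", closed)
    print("still open:", still_open)
    print("ended without begin:", orphans)
```

An entry in still_open for kind blackhole means the asset is still blackholed as of the last log seen; an orphan end usually means the query window started after the event began.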

Traffic detection fields

Format of each entry: field name, description, example value.

Ip: The source IP address. Example value: 1.XX.XX.1
Time: The point in time at which the log entry about traffic detection was generated. This value is a UNIX timestamp. Unit: seconds. Example value: 1624434027
KbpsIn: The bandwidth of inbound traffic at the point in time. Unit: Kbit/s. Example value: 1000
KbpsOut: The bandwidth of outbound traffic at the point in time. Unit: Kbit/s. Example value: 1000
PpsIn: The forwarding rate of all inbound packets at the point in time. Unit: packets per second. Example value: 1000
PpsOut: The forwarding rate of all outbound packets at the point in time. Unit: packets per second. Example value: 1000
PpsInSyn: The forwarding rate of inbound SYN packets at the point in time. Unit: packets per second. Example value: 1000
PpsInSynack: The forwarding rate of inbound SYN-ACK packets at the point in time. Unit: packets per second. Example value: 1000
PpsInFin: The forwarding rate of inbound FIN or RST packets at the point in time. Unit: packets per second. Example value: 1000
PpsInHttpReq: The forwarding rate of inbound TCP packets at the point in time. Unit: packets per second. The TCP packets must meet all the following conditions:
  • The TCP packets are not SYN, SYN-ACK, FIN, or RST packets.
  • The destination port is 80, 3128, 8080, or 8088.
  • The TCP packets contain payloads. The first few bytes of the payloads in HTTP packets are GET, PUT, HEAD, or POST.
  Example value: 1000
PpsInHttpResp: The forwarding rate of inbound TCP packets at the point in time. Unit: packets per second. The TCP packets must meet all the following conditions:
  • The TCP packets are not SYN, SYN-ACK, FIN, or RST packets.
  • The destination port is 80, 3128, 8080, or 8088.
  • The TCP packets contain payloads. The first four bytes of the payloads in HTTP packets are HTTP.
  Example value: 1000
PpsInHttpFlags: The forwarding rate of inbound TCP-ACK packets at the point in time. Unit: packets per second. The TCP-ACK packets are not SYN, SYN-ACK, FIN, or RST packets. Example value: 1000
PpsInIcmp: The forwarding rate of inbound ICMP packets at the point in time. Unit: packets per second. Example value: 1000
PpsInDns: The forwarding rate of inbound DNS packets at the point in time. Unit: packets per second. The DNS packets are forwarded over UDP, and the source or destination port of the packets is 53. Example value: 1000
PpsInUdprisk: The forwarding rate of packets that use a vulnerable source UDP port at the point in time. Unit: packets per second. Example value: 1000
PpsInUdpunknown: The forwarding rate of inbound UDP packets at the point in time. Unit: packets per second. The forwarding rate of the UDP packets indicated by this field does not include that indicated by the PpsInDns field. The UDP packets are forwarded over UDP, but the source or destination port of the packets is not 53. Example value: 1000

Traffic scrubbing fields

Format of each entry: field name, description, example value.

instance_id: The ID of the Anti-DDoS Origin instance. Example value: ddosbgp-cn-v641is26****
time: The point in time at which the log entry about traffic scrubbing was generated. This value is a UNIX timestamp. Unit: seconds. Example value: 1624434027
destination_ip: The destination IP address. Example value: 123.XX.XX.169
port: The destination port. Valid values:
  • all (default): indicates the data of all ports
  • Specific port: indicates the data of a specific port, such as port 80
  Example value: 80
total_traffic_in_bps: The total number of bytes in all types of packets that are scrubbed. Unit: bytes per second. Example value: 8000
total_traffic_drop_bps: The total number of bytes of all types of packets that are scrubbed and discarded. Unit: bytes per second. Example value: 800
total_traffic_in_pps: The forwarding rate of all types of inbound packets. Unit: packets per second. Example value: 1000
total_traffic_drop_pps: The forwarding rate of all types of packets that are discarded. Unit: packets per second. Example value: 1000
pps_types_in_tcp_pps: The forwarding rate of inbound TCP packets. Unit: packets per second. Example value: 100
pps_types_in_udp_pps: The forwarding rate of inbound UDP packets. Unit: packets per second. Example value: 1000
pps_types_in_icmp_pps: The forwarding rate of inbound ICMP packets. Unit: packets per second. Example value: 1000
pps_types_in_syn_pps: The forwarding rate of inbound SYN packets. Unit: packets per second. Example value: 1000
pps_types_in_ack_pps: The forwarding rate of inbound ACK packets. Unit: packets per second. Example value: 1000
pps_types_in_synack_pps: The forwarding rate of inbound SYN-ACK packets. Unit: packets per second. Example value: 1000
pps_types_in_finrst_pps: The forwarding rate of inbound FIN or RST packets. Unit: packets per second. Example value: 1000
pps_types_in_dns_pps: The forwarding rate of inbound DNS packets. Unit: packets per second. Example value: 1000
pps_types_drop_tcp_pps: The forwarding rate of the TCP packets that are discarded. Unit: packets per second. Example value: 1000
pps_types_drop_udp_pps: The forwarding rate of the UDP packets that are discarded. Unit: packets per second. Example value: 1000
pps_types_drop_icmp_pps: The forwarding rate of the ICMP packets that are discarded. Unit: packets per second. Example value: 1100
pps_types_drop_syn_pps: The forwarding rate of the SYN packets that are discarded. Unit: packets per second. Example value: 1000
pps_types_drop_ack_pps: The forwarding rate of the ACK packets that are discarded. Unit: packets per second. Example value: 1000
pps_types_drop_synack_pps: The forwarding rate of the SYN-ACK packets that are discarded. Unit: packets per second. Example value: 1000
pps_types_finrst: The forwarding rate of the FIN or RST packets that are discarded. Unit: packets per second. Example value: 1000
pps_types_dns: The forwarding rate of the DNS packets that are discarded. Unit: packets per second. Example value: 1000
policy_packet_checking_acct_pps: The forwarding rate of the packets that are allowed by the default packet checking policy. Unit: packets per second. Example value: 1000
policy_packet_checking_drop_pps: The forwarding rate of the packets that are denied by the default packet checking policy. Unit: packets per second. Example value: 1000
policy_dns_retransmission_authentication_drop_pps: The forwarding rate of the packets that are denied by the default first-packet-dropping policy of a domain name. Unit: packets per second. Example value: 1000
policy_dns_retransmission_authentication_acct_pps: The forwarding rate of the packets that are allowed by the default first-packet-dropping policy of a domain name. Unit: packets per second. Example value: 100
policy_source_ip_authentication_succeed_pps: The forwarding rate of the packets that pass the check by the default source IP address-based authentication policy. Unit: packets per second. Example value: 1000
policy_source_ip_authentication_checked_pps: The forwarding rate of the packets that are being checked by the default source IP address-based authentication policy. Unit: packets per second. Example value: 1000
policy_source_ip_authentication_acct_pps: The forwarding rate of the packets that are allowed by the default source IP address-based authentication policy. Unit: packets per second. Example value: 1000
policy_source_ip_authentication_drop_pps: The forwarding rate of the packets that are denied by the default source IP address-based authentication policy. Unit: packets per second. Example value: 1000
policy_source_ip_rate_limitation_drop_syn_pps: The forwarding rate of the SYN packets that are denied by the default source IP address-based throttling policy. Unit: packets per second. Example value: 1000
policy_source_ip_rate_limitation_drop_con_max_pps: The forwarding rate of the packets that are denied by the default source IP address-based throttling policy for concurrent connections. The packets are denied because the number of concurrent connections initiated from the source IP addresses exceeds the maximum number of concurrent connections allowed in the policy. Unit: packets per second. Example value: 1000
policy_source_ip_rate_limitation_drop_con_rate_pps: The forwarding rate of the packets that are denied by the default source IP address-based throttling policy for concurrent connections. The packets are denied because the connection rate of concurrent connections initiated from the source IP addresses exceeds the maximum connection rate allowed in the policy. Unit: packets per second. Example value: 1000
policy_source_ip_rate_limitation_drop_udp_rate_pps: The forwarding rate of the packets that are denied by the default source IP address-based throttling policy for UDP packets. Unit: packets per second. Example value: 1000
policy_source_ip_rate_limitation_drop_tcpack_rate_pps: The forwarding rate of the packets that are denied by the default source IP address-based throttling policy for ACK packets. Unit: packets per second. Example value: 1000
policy_source_ip_rate_limitation_drop_tcpsynack_rate_pps: The forwarding rate of the packets that are denied by the default source IP address-based throttling policy for SYN-ACK packets. Unit: packets per second. Example value: 1000
policy_destination_ip_rate_limitation_drop_syn_rate: The forwarding rate of the SYN packets that are denied by the default source IP address-based throttling policy. Unit: packets per second. Example value: 1000
policy_destination_ip_rate_limitation_drop_udp_rate: The bandwidth of the UDP packets that are denied by the default destination IP address-based throttling policy. Unit: packets per second. Example value: 1000
policy_destination_ip_rate_limitation_drop_ack_rate: The bandwidth of the ACK packets that are denied by the default destination IP address-based throttling policy. Unit: packets per second. Example value: 1000
policy_destination_ip_rate_limitation_drop_icmp_rate: The bandwidth of the ICMP packets that are denied by the default destination IP address-based throttling policy. Unit: packets per second. Example value: 1000
policy_destination_ip_rate_limitation_drop_other_rate: The forwarding rate of the packets that are denied by the default destination IP address-based throttling policy. Unit: packets per second. The packets exclude UDP, ICMP, TCP-SYN, TCP-SYN-ACK, and TCP-ACK packets. Example value: 1000
policy_destination_ip_rate_limitation_drop_synack_rate: The forwarding rate of the SYN-ACK packets that are denied by the default destination IP address-based throttling policy. Unit: packets per second. Example value: 1000
policy_layer_4_filter_l4_filiter_drop_pps: The forwarding rate of the packets that are denied by all fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policies in Mitigation Settings. Example value: 1000
policy_layer_4_filter_l4_filiter_acct_num: The forwarding rate of the packets that are allowed by all the policies in the module of fingerprint filtering policies. Unit: packets per second. You can customize the module of fingerprint filtering policies in Mitigation Settings. Example value: 1000
policy_layer_4_filter_l4_filite_drop_rule_1_pps: The forwarding rate of the packets that are denied by the first fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings. Example value: 1000
policy_layer_4_filter_l4_filite_drop_rule_2_pps: The forwarding rate of the packets that are denied by the second fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings. Example value: 1000
policy_layer_4_filter_l4_filite_drop_rule_3_pps: The forwarding rate of the packets that are denied by the third fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings. Example value: 1000
policy_layer_4_filter_l4_filite_drop_rule_4_pps: The forwarding rate of the packets that are denied by the fourth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings. Example value: 1000
policy_layer_4_filter_l4_filite_drop_rule_5_pps: The forwarding rate of the packets that are denied by the fifth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings. Example value: 1000
policy_layer_4_filter_l4_filite_drop_rule_6_pps: The forwarding rate of the packets that are denied by the sixth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings. Example value: 1000
policy_layer_4_filter_l4_filite_drop_rule_7_pps: The forwarding rate of the packets that are denied by the seventh fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings. Example value: 1000
policy_layer_4_filter_l4_filite_drop_rule_8_pps: The forwarding rate of the packets that are denied by the eighth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings. Example value: 1000
policy_dns_domain_authentication_succ_domain_pps: The forwarding rate of the packets that pass the check based on the default domain-based authentication policy. Unit: packets per second. Example value: 1000
policy_dns_domain_authentication_fail_domain_pps: The forwarding rate of the packets that fail the check based on the default domain-based authentication policy. Unit: packets per second. Example value: 1000
policy_dns_domain_authentication_drop_pps: The forwarding rate of the packets that are denied by the default domain-based authentication policy. Unit: packets per second. Example value: 1000
policy_dns_domain_authentication_acct_pps: The forwarding rate of the packets that are allowed by the default domain-based authentication policy. Unit: packets per second. Example value: 1000
policy_syn_cookie_succ_check_pps: The forwarding rate of the packets that pass the check based on the default SYN cookie-based policy. Unit: packets per second. Example value: 1000
policy_syn_cookie_fail_check_pps: The forwarding rate of the packets that fail the check based on the default SYN cookie-based policy. Unit: packets per second. Example value: 1000
policy_syn_cookie_drop_pps: The forwarding rate of the packets that are denied by the default SYN cookie-based policy. Unit: packets per second. Example value: 1000
policy_syn_cookie_rebound_check_pps: The forwarding rate of the packets that are reversely verified by the default SYN cookie-based policy. Unit: packets per second. Example value: 1000
policy_syn_cookie_acct_pps: The forwarding rate of the packets that are allowed by the default SYN cookie-based policy. Unit: packets per second. Example value: 1000
policy_udp_defense_drop_pps: The forwarding rate of the packets that are denied by the default UDP protection policy. Unit: packets per second. Example value: 1000
policy_antiothertcp_drop_pps: The forwarding rate of the packets that are denied by other default TCP protection policies. Unit: packets per second. Example value: 1000
policy_antiothertcp_acct_pps: The forwarding rate of the packets that are allowed by other default TCP protection policies. Unit: packets per second. Example value: 1000
policy_antitcp_drop_tcp_pps: The forwarding rate of all TCP packets that are denied by the default TCP protection policy. Unit: packets per second. Example value: 1000
policy_antitcp_drop_ack_pps: The forwarding rate of all ACK packets that are denied by the default TCP protection policy. Unit: packets per second. Example value: 1000
policy_retransmission_authentication_acct_pps: The forwarding rate of the packets that are allowed by the default first-packet-dropping policy. Unit: packets per second. Example value: 1000
policy_retransmission_authentication_drop_pps: The forwarding rate of the packets that are denied by the default first-packet-dropping policy. Unit: packets per second. Example value: 1000
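
With this many per-policy counters, the practical question for one scrubbing entry is what share of packets was dropped and which policy dropped them. The following is an added example, not code from the Alibaba Cloud documentation: it computes the drop ratio and ranks the policy drop counters. It assumes an entry is a dictionary keyed by the field names above, and that the per-rule fingerprint counters are already included in the module-wide counter; the function names and the sample entry are constructed.

```python
# Constructed sample entry (not a real log); keys follow the traffic scrubbing fields above.
SAMPLE_ENTRY = {
    "destination_ip": "198.51.100.7", "port": "all", "time": "1624434027",
    "total_traffic_in_pps": "50000", "total_traffic_drop_pps": "42000",
    "policy_syn_cookie_drop_pps": "30000",
    "policy_syn_cookie_acct_pps": "5000",
    "policy_udp_defense_drop_pps": "9000",
    "policy_destination_ip_rate_limitation_drop_icmp_rate": "3000",
    "policy_layer_4_filter_l4_filiter_drop_pps": "0",
    "policy_source_ip_rate_limitation_drop_syn_pps": "",  # missing value
}


def _num(value):
    """Parse a counter; missing or non-numeric values count as 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def drop_summary(entry):
    """Return (drop_ratio, [(policy_field, pps), ...]) sorted by pps, highest first."""
    total_in = _num(entry.get("total_traffic_in_pps"))
    total_drop = _num(entry.get("total_traffic_drop_pps"))
    ratio = total_drop / total_in if total_in else 0.0
    drops = []
    for key, value in entry.items():
        # Policy drop counters start with policy_ and contain _drop_; most end
        # in _pps, but the destination-IP throttling ones end in _rate.
        if not (key.startswith("policy_") and "_drop_" in key):
            continue
        # Assumption: per-rule fingerprint counters (..._drop_rule_N_pps) are
        # already counted in policy_layer_4_filter_l4_filiter_drop_pps.
        if "_drop_rule_" in key:
            continue
        pps = _num(value)
        if pps > 0:
            drops.append((key, pps))
    drops.sort(key=lambda kv: (-kv[1], kv[0]))
    return ratio, drops


if __name__ == "__main__":
    ratio, drops = drop_summary(SAMPLE_ENTRY)
    print(f"dropped {ratio:.0%} of inbound packets")
    for field, pps in drops:
        print(f"{pps:>8} pps  {field}")
```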