All Products
Search

This Product

    Simple Log Service:Fields in logs

    Document Center

    Simple Log Service:Fields in logs

    Last Updated:Feb 24, 2025

    This topic describes all fields in the logs of Anti-DDoS Origin.

    The fields are classified into the following types based on features:

    • Event fields: record information about the events that occur on the protected assets. The events include traffic scrubbing, blackhole filtering, and traffic rerouting. The information includes the occurrence time and the status of the events.

    • Traffic detection fields: record information about the traffic that is generated on the protected assets. The information includes the transmission rate of inbound traffic and the packet forwarding rates of different types of data packets.

    • Traffic scrubbing fields: record information about the traffic that is denied or allowed by different mitigation policies during traffic scrubbing.

    Event fields

    Field

    Description

    Example value

    data_type

    The data type. Valid values:

    • Global_SC_Detection: indicates data about the traffic that is forwarded by the traffic scrubbing center of Anti-DDoS Proxy. The traffic is protected by an anti-DDoS diversion instance.

    • Global_SC_Mitigation: indicates data about the traffic that is scrubbed by the traffic scrubbing center of Anti-DDoS Proxy. The traffic is protected by an anti-DDoS diversion instance.

    • Regional_SC_Detection: indicates data about the inbound traffic of the region in which Alibaba Cloud assets reside.

    • Regional_SC_Mitigation: indicates data about the scrubbed traffic of the region in which Alibaba Cloud assets reside.

    • event: indicates data about attack events.

    Regional_SC_Mitigation

    event_time

    The time at which an event occurred. The value is a UNIX timestamp. Unit: seconds.

    1624434027

    event_type

    The type of an event. Valid values:

    • mitigation_begin: A traffic scrubbing event begins.

    • mitigation_ended: A traffic scrubbing event ends.

    • blackhole_begin: A blackhole filtering event begins.

    • blackhole_ended: A blackhole filtering event ends.

    mitigation_begin

    instance_id

    The ID of the Anti-DDoS Origin instance.

    ddosbgp-cn-n6w203qg****

    ip

    The IP address of an asset that is protected by the Anti-DDoS Origin instance.

    39.XX.XX.23

    kbps_in

    The bandwidth of inbound traffic. Unit: Kbit/s.

    1000

    new_con

    The number of new connections.

    1000

    pps_in

    The packet forwarding rate of inbound traffic. Unit: packets per second.

    1000

    qps

    The queries per second (QPS). Unit: QPS.

    1000

    scrubbing_center

    The region where the traffic scrubbing center resides. Valid values:

    • us_west: US (Virginia)

    • us_east: US (Silicon Valley)

    • frankfurt: Germany (Frankfurt)

    • hk: China (Hong Kong)

    • singapore: Singapore

    • malaysia: Malaysia (Kuala Lumpur)

    • uk: UK (London)

    • japan: Japan (Tokyo)

    • total_summary: all regions

    • assets_base_region: the region where the asset resides

    us_west

    subnet

    The CIDR block for traffic rerouting.

    1.XX.XX.1/24

    user_id

    The ID of the Alibaba Cloud account.

    170457416359****

    Traffic detection fields

    Field

    Description

    Example value

    Ip

    The source IP address.

    1.XX.XX.1

    Time

    The point in time at which the log entry about traffic detection was generated. The value is a UNIX timestamp. Unit: seconds.

    1624434027

    KbpsIn

    The bandwidth of inbound traffic at the point in time. Unit: Kbit/s.

    1000

    KbpsOut

    The bandwidth of outbound traffic at the point in time. Unit: Kbit/s.

    1000

    PpsIn

    The forwarding rate of all inbound packets at the point in time. Unit: packets per second.

    1000

    PpsOut

    The forwarding rate of all outbound packets at the point in time. Unit: packets per second.

    1000

    PpsInSyn

    The forwarding rate of inbound SYN packets at the point in time. Unit: packets per second.

    1000

    PpsInSynack

    The forwarding rate of inbound SYN-ACK packets at the point in time. Unit: packets per second.

    1000

    PpsInFin

    The forwarding rate of inbound FIN or RST packets at the point in time. Unit: packets per second.

    1000

    PpsInHttpReq

    The forwarding rate of inbound TCP packets at the point in time. Unit: packets per second. The TCP packets must meet all the following conditions:

    • The TCP packets are not SYN, SYN-ACK, FIN, or RST packets.

    • The source or destination port is 80, 3128, 8080, or 8088.

    • The TCP packets contain payloads. The first few bytes of the payloads in HTTP packets are GET, PUT, HEAD, or POST.

    1000

    PpsInHttpResp

    The forwarding rate of inbound TCP packets at the point in time. Unit: packets per second. The TCP packets must meet all the following conditions:

    • The TCP packets are not SYN, SYN-ACK, FIN, or RST packets.

    • The source or destination port is 80, 3128, 8080, or 8088.

    • The TCP packets contain payloads. The first four bytes of the payloads in HTTP packets are HTTP.

    1000

    PpsInHttpFlags

    The forwarding rate of inbound TCP-ACK packets at the point in time. Unit: packets per second. The TCP-ACK packets are not SYN, SYN-ACK, FIN, or RST packets.

    1000

    PpsInIcmp

    The forwarding rate of inbound ICMP packets at the point in time. Unit: packets per second.

    1000

    PpsInDns

    The forwarding rate of inbound DNS packets at the point in time. Unit: packets per second. The DNS packets are forwarded over UDP, and the source or destination port of the packets is 53.

    1000

    PpsInUdprisk

    The forwarding rate of packets that use a vulnerable source UDP port at the point in time. Unit: packets per second.

    1000

    PpsInUdpunknown

    The forwarding rate of inbound UDP packets at the point in time. Unit: packets per second. The forwarding rate of the UDP packets indicated by this field does not include that indicated by the PpsInDns field. The UDP packets are forwarded over UDP, but the source or destination port of the packets is not 53.

    1000

    Traffic scrubbing fields

    Field

    Description

    Example value

    instance_id

    The ID of the Anti-DDoS Origin instance.

    ddosbgp-cn-v641is26****

    time

    The point in time at which the log entry about traffic scrubbing was generated. The value is a UNIX timestamp. Unit: seconds.

    1624434027

    destination_ip

    The destination IP address.

    123.XX.XX.169

    port

    The destination port. Valid values:

    • all (default): indicates the data of all ports.

    • Specific port: indicates the data of a specific port, such as port 80.

    80

    total_traffic_in_bps

    The total number of bytes in all types of packets that are scrubbed. Unit: byte per second.

    8000

    total_traffic_drop_bps

    The total number of bytes of all types of packets that are scrubbed and discarded. Unit: byte per second.

    800

    total_traffic_in_pps

    The forwarding rate of all types of inbound packets. Unit: packets per second.

    1000

    total_traffic_drop_pps

    The forwarding rate of all types of packets that are discarded. Unit: packets per second.

    1000

    pps_types_in_tcp_pps

    The forwarding rate of inbound TCP packets. Unit: packets per second.

    100

    pps_types_in_udp_pps

    The forwarding rate of inbound UDP packets. Unit: packets per second.

    1000

    pps_types_in_icmp_pps

    The forwarding rate of inbound ICMP packets. Unit: packets per second.

    1000

    pps_types_in_syn_pps

    The forwarding rate of inbound SYN packets. Unit: packets per second.

    1000

    pps_types_in_ack_pps

    The forwarding rate of inbound ACK packets. Unit: packets per second.

    1000

    pps_types_in_synack_pps

    The forwarding rate of inbound SYN-ACK packets. Unit: packets per second.

    1000

    pps_types_in_finrst_pps

    The forwarding rate of inbound FIN or RST packets. Unit: packets per second.

    1000

    pps_types_in_dns_pps

    The forwarding rate of inbound DNS packets. Unit: packets per second.

    1000

    pps_types_drop_tcp_pps

    The forwarding rate of the TCP packets that are discarded. Unit: packets per second.

    1000

    pps_types_drop_udp_pps

    The forwarding rate of the UDP packets that are discarded. Unit: packets per second.

    1000

    pps_types_drop_icmp_pps

    The forwarding rate of the ICMP packets that are discarded. Unit: packets per second.

    1100

    pps_types_drop_syn_pps

    The forwarding rate of the SYN packets that are discarded. Unit: packets per second.

    1000

    pps_types_drop_ack_pps

    The forwarding rate of the ACK packets that are discarded. Unit: packets per second.

    1000

    pps_types_drop_synack_pps

    The forwarding rate of the SYN-ACK packets that are discarded. Unit: packets per second.

    1000

    pps_types_finrst

    The forwarding rate of the FIN or RST packets that are discarded. Unit: packets per second.

    1000

    pps_types_dns

    The forwarding rate of the DNS packets that are discarded. Unit: packets per second.

    1000

    policy_packet_checking_acct_pps

    The forwarding rate of the packets that are allowed by the default packet checking policy. Unit: packets per second.

    1000

    policy_packet_checking_drop_pps

    The forwarding rate of the packets that are denied by the default packet checking policy. Unit: packets per second.

    1000

    policy_dns_retransmission_authentication_drop_pps

    The forwarding rate of the packets that are denied by the default first-packet-dropping policy of a domain name. Unit: packets per second.

    1000

    policy_dns_retransmission_authentication_acct_pps

    The forwarding rate of the packets that are allowed by the default first-packet-dropping policy of a domain name. Unit: packets per second.

    100

    policy_source_ip_authentication_succeed_pps

    The forwarding rate of the packets that pass the check by the default source IP address-based authentication policy. Unit: packets per second.

    1000

    policy_source_ip_authentication_checked_pps

    The forwarding rate of the packets that are being checked by the default source IP address-based authentication policy. Unit: packets per second.

    1000

    policy_source_ip_authentication_acct_pps

    The forwarding rate of the packets that are allowed by the default source IP address-based authentication policy. Unit: packets per second.

    1000

    policy_source_ip_authentication_drop_pps

    The forwarding rate of the packets that are denied by the default source IP address-based authentication policy. Unit: packets per second.

    1000

    policy_source_ip_rate_limitation_drop_syn_pps

    The forwarding rate of the SYN packets that are denied by the default source IP address-based rate limiting policy. Unit: packets per second.

    1000

    policy_source_ip_rate_limitation_drop_con_max_pps

    The forwarding rate of the packets that are denied by the default source IP address-based rate limiting policy for concurrent connections. The packets are denied because the number of concurrent connections initiated from the source IP addresses exceeds the maximum number of concurrent connections allowed in the policy. Unit: packets per second.

    1000

    policy_source_ip_rate_limitation_drop_con_rate_pps

    The forwarding rate of the packets that are denied by the default source IP address-based rate limiting policy for concurrent connections. The packets are denied because the connection rate of concurrent connections initiated from the source IP addresses exceeds the maximum connection rate allowed in the policy. Unit: packets per second.

    1000

    policy_source_ip_rate_limitation_drop_udp_rate_pps

    The forwarding rate of the packets that are denied by the default source IP address-based rate limiting policy for UDP packets. Unit: packets per second.

    1000

    policy_source_ip_rate_limitation_drop_tcpack_rate_pps

    The forwarding rate of the packets that are denied by the default source IP address-based rate limiting policy for ACK packets. Unit: packets per second.

    1000

    policy_source_ip_rate_limitation_drop_tcpsynack_rate_pps

    The forwarding rate of the packets that are denied by the default source IP address-based rate limiting policy for SYN-ACK packets. Unit: packets per second.

    1000

    policy_destination_ip_rate_limitation_drop_syn_rate

    The forwarding rate of the SYN packets that are denied by the default destination IP address-based rate limiting policy. Unit: packets per second.

    1000

    policy_destination_ip_rate_limitation_drop_udp_rate

    The bandwidth of the UDP packets that are denied by the default destination IP address-based rate limiting policy. Unit: packets per second.

    1000

    policy_destination_ip_rate_limitation_drop_ack_rate

    The bandwidth of the ACK packets that are denied by the default destination IP address-based rate limiting policy. Unit: packets per second.

    1000

    policy_destination_ip_rate_limitation_drop_icmp_rate

    The bandwidth of the ICMP packets that are denied by the default destination IP address-based rate limiting policy. Unit: packets per second.

    1000

    policy_destination_ip_rate_limitation_drop_other_rate

    The forwarding rate of the packets that are denied by the default destination IP address-based rate limiting policy. Unit: packets per second. The packets exclude UDP, ICMP, TCP-SYN, TCP-SYN-ACK, and TCP-ACK packets.

    1000

    policy_destination_ip_rate_limitation_drop_synack_rate

    The forwarding rate of the SYN-ACK packets that are denied by the default destination IP address-based rate limiting policy. Unit: packets per second.

    1000

    policy_layer_4_filter_l4_filiter_drop_pps

    The forwarding rate of the packets that are denied by all fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policies in Mitigation Settings.

    1000

    policy_layer_4_filter_l4_filiter_acct_num

    The forwarding rate of the packets that are allowed by all the policies in the module of fingerprint filtering policies. Unit: packets per second. You can customize the module of fingerprint filtering policies in Mitigation Settings.

    1000

    policy_layer_4_filter_l4_filite_drop_rule_1_pps

    The forwarding rate of the packets that are denied by the first fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

    1000

    policy_layer_4_filter_l4_filite_drop_rule_2_pps

    The forwarding rate of the packets that are denied by the second fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

    1000

    policy_layer_4_filter_l4_filite_drop_rule_3_pps

    The forwarding rate of the packets that are denied by the third fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

    1000

    policy_layer_4_filter_l4_filite_drop_rule_4_pps

    The forwarding rate of the packets that are denied by the fourth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

    1000

    policy_layer_4_filter_l4_filite_drop_rule_5_pps

    The forwarding rate of the packets that are denied by the fifth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

    1000

    policy_layer_4_filter_l4_filite_drop_rule_6_pps

    The forwarding rate of the packets that are denied by the sixth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

    1000

    policy_layer_4_filter_l4_filite_drop_rule_7_pps

    The forwarding rate of the packets that are denied by the seventh fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

    1000

    policy_layer_4_filter_l4_filite_drop_rule_8_pps

    The forwarding rate of the packets that are denied by the eighth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

    1000

    policy_dns_domain_authentication_succ_domain_pps

    The forwarding rate of the packets that pass the check based on the default domain-based authentication policy. Unit: packets per second.

    1000

    policy_dns_domain_authentication_fail_domain_pps

    The forwarding rate of the packets that fail the check based on the default domain-based authentication policy. Unit: packets per second.

    1000

    policy_dns_domain_authentication_drop_pps

    The forwarding rate of the packets that are denied by the default domain-based authentication policy. Unit: packets per second.

    1000

    policy_dns_domain_authentication_acct_pps

    The forwarding rate of the packets that are allowed by the default domain-based authentication policy. Unit: packets per second.

    1000

    policy_syn_cookie_succ_check_pps

    The forwarding rate of the packets that pass the check based on the default SYN cookie-based policy. Unit: packets per second.

    1000

    policy_syn_cookie_fail_check_pps

    The forwarding rate of the packets that fail the check based on the default SYN cookie-based policy. Unit: packets per second.

    1000

    policy_syn_cookie_drop_pps

    The forwarding rate of the packets that are denied by the default SYN cookie-based policy. Unit: packets per second.

    1000

    policy_syn_cookie_rebound_check_pps

    The forwarding rate of the packets that are reversely verified by the default SYN cookie-based policy. Unit: packets per second.

    1000

    policy_syn_cookie_acct_pps

    The forwarding rate of the packets that are allowed by the default SYN cookie-based policy. Unit: packets per second.

    1000

    policy_udp_defense_drop_pps

    The forwarding rate of the packets that are denied by the default UDP protection policy. Unit: packets per second.

    1000

    policy_antiothertcp_drop_pps

    The forwarding rate of the packets that are denied by other default TCP protection policies. Unit: packets per second.

    1000

    policy_antiothertcp_acct_pps

    The forwarding rate of the packets that are allowed by other default TCP protection policies. Unit: packets per second.

    1000

    policy_antitcp_drop_tcp_pps

    The forwarding rate of all TCP packets that are denied by the default TCP protection policy. Unit: packets per second.

    1000

    policy_antitcp_drop_ack_pps

    The forwarding rate of all ACK packets that are denied by the default TCP protection policy. Unit: packets per second.

    1000

    policy_retransmission_authentication_acct_pps

    The forwarding rate of the packets that are allowed by the default first-packet-dropping policy. Unit: packets per second.

    1000

    policy_retransmission_authentication_drop_pps

    The forwarding rate of the packets that are denied by the default first-packet-dropping policy. Unit: packets per second.

    1000