This topic describes the fields that are included in the full logs of Anti-DDoS Proxy.
Basic Information
Field | Description | Example |
__topic__ | The topic of the log. The value is fixed as ddos_access_log, which indicates the logs of Anti-DDoS Proxy. | ddos_access_log |
user_id | The Alibaba Cloud account ID. | 166688437215**** |
HTTP requests
Field | Description | Example |
body_bytes_sent | The size of the body in the request. Unit: bytes. | 2 |
content_type | The content type of the response body. | application/x-www-form-urlencoded |
host | The requested domain name. | api.aliyundoc.com |
http_cookie | The request cookie. | k1=v1;k2=v2 |
http_referer | The referer of the request. If the referer does not exist, a hyphen ( | http://aliyundoc.com |
http_user_agent | The user agent of the request. | Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002) |
http_x_forwarded_for | The IP address of the upstream proxy. | 192.0.XX.XX |
https | Indicates whether the request is an HTTPS request. Valid values: true and false. | true |
matched_host | The domain name that is matched, which can be a wildcard domain name. If no domain names are matched, a hyphen ( | *.aliyundoc.com |
real_client_ip | The originating IP address of the client. If no originating IP addresses are retrieved, a hyphen ( | 192.0.XX.XX |
isp_line | The information about the Internet service provider (ISP) line, such as Border Gateway Protocol (BGP), China Telecom, or China Unicom. | China Telecom |
remote_addr | The IP address from which the request is initiated. | 192.0.XX.XX |
remote_port | The port from which the request is initiated. | 23713 |
request_length | The size of the request. Unit: bytes. | 123 |
request_method | The HTTP method of the request. | GET |
request_time_msec | The processing time of the request. Unit: milliseconds. | 44 |
request_uri | The URI of the request. | /answers/377971214/banner |
server_name | The name of the origin server that is matched. If no origin servers are matched, | api.aliyundoc.com |
status | The HTTP status code. | 200 |
time | The time of the request. | 2018-05-02T16:03:59+08:00 |
querystring | The query string in the request. | token=bbcd&abc=123 |
upstream_addr | The list of origin addresses that are separated by commas (,). Each address is in the IP:Port format. | 192.0.XX.XX:443 |
upstream_ip | The origin IP address. | 192.0.XX.XX |
upstream_response_time | The response time of the back-to-origin request. Unit: seconds. Note: If the famax engine of the previous version is used, the unit of this field is milliseconds. | 0.044 |
upstream_status | The HTTP status code of the back-to-origin request. | 200 |
vip_addr | The IP address of the Anti-DDoS Proxy instance. | 203.107.XX.XX |
http2_client_fingerprint | The original fingerprint of the HTTP/2 client. | 2:0;4:2097152;3:100|10485760|0|m,s,p,a |
http2_client_fingerprint_md5 | The HTTP/2 fingerprint. The HTTP/2 fingerprint is a 128-bit (32-character) MD5 hash value that is calculated from the original fingerprint of the HTTP/2 client. It is used to analyze and identify different clients for more secure and efficient communication. | ad8424af1cc590e09f7b0c499bf7fcdb |
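The following added example (not Alibaba Cloud code) shows how the fields above can be cleaned and then grouped by http2_client_fingerprint_md5 to find one client implementation arriving from many source IP addresses, which is a common first triage step for HTTP flood traffic. It assumes each log is available as a dictionary of strings; the function names, the min_ips threshold, the fallback from real_client_ip to remote_addr, and the sample records are all constructed for illustration.

```python
from collections import defaultdict

FP = "ad8424af1cc590e09f7b0c499bf7fcdb"  # example value from the table above

def make_record(ip, fp, remote="203.0.113.9", topic="ddos_access_log"):
    """Build one constructed sample record (documentation IP ranges, not real traffic)."""
    return {"__topic__": topic, "host": "api.aliyundoc.com", "real_client_ip": ip,
            "remote_addr": remote, "status": "200",
            "upstream_addr": "192.0.2.1:443, 192.0.2.2:443",
            "upstream_response_time": "0.044", "http2_client_fingerprint_md5": fp}

SAMPLE = [
    make_record("198.51.100.1", FP), make_record("198.51.100.2", FP),
    make_record("198.51.100.2", FP),                 # repeat IP, counted once
    make_record("-", FP),                            # falls back to remote_addr
    make_record("198.51.100.7", "0" * 32),           # constructed second fingerprint
    make_record("198.51.100.8", FP, topic="other"),  # ignored: different topic
]

def normalize(rec, upstream_unit="s"):
    """Clean one ddos_access_log record; return None for any other topic."""
    if rec.get("__topic__") != "ddos_access_log":
        return None
    def val(key):  # missing fields and hyphen placeholders both become None
        return None if rec.get(key, "-") in ("-", "") else rec[key]
    rt, status = val("upstream_response_time"), val("status")
    factor = 1000 if upstream_unit == "s" else 1  # pass "ms" for the older engine
    return {
        "client_ip": val("real_client_ip") or val("remote_addr"),
        "status": int(status) if status else None,
        # upstream_addr is a comma-separated list of IP:Port entries
        "upstreams": [tuple(a.strip().rsplit(":", 1))
                      for a in (val("upstream_addr") or "").split(",") if a.strip()],
        "upstream_ms": None if rt is None else round(float(rt) * factor, 3),
        "h2_fp": val("http2_client_fingerprint_md5"),
    }

def shared_fingerprints(records, min_ips=3):
    """Return {fingerprint: sorted client IPs} for fingerprints seen from >= min_ips IPs."""
    ips = defaultdict(set)
    for rec in records:
        n = normalize(rec)
        if n and n["h2_fp"] and n["client_ip"]:
            ips[n["h2_fp"]].add(n["client_ip"])
    return {fp: sorted(s) for fp, s in ips.items() if len(s) >= min_ips}

if __name__ == "__main__":
    print(shared_fingerprints(SAMPLE))
```

A fingerprint shared by many addresses is a lead for review rather than proof of abuse, because popular browsers and SDKs also produce identical HTTP/2 fingerprints.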
Client Information
Field | Description | Example |
ua_browser | The identifier of the browser. Note: In some cases, a log does not contain this field. | ie9 |
ua_browser_family | The series of the browser. Note: In some cases, a log does not contain this field. | internet explorer |
ua_browser_type | The type of the browser. Note: In some cases, a log does not contain this field. | web_browser |
ua_browser_version | The version of the browser. Note: In some cases, a log does not contain this field. | 9.0 |
ua_device_type | The type of the client. Note: In some cases, a log does not contain this field. | computer |
ua_os | The identifier of the operating system that runs on the client. Note: In some cases, a log does not contain this field. | windows_7 |
ua_os_family | The series of the operating system that runs on the client. Note: In some cases, a log does not contain this field. | windows |
server_protocol | The protocol and version number of the origin server that are returned in the response to Anti-DDoS Proxy back-to-origin requests. | HTTP/1.1 |
ssl_protocol | The SSL or TLS protocol and version that are used in the request. | TLSv1.2 |
ssl_cipher | The cipher suite that is used in the request. | ECDHE-RSA-AES128-GCM-SHA256 |
ssl_handshake_time | The period of time during which the client initiates a TLS handshake. Unit: milliseconds. | 99 |
Mitigation settings
Field | Description | Example |
cc_action | The action that is triggered in an HTTP flood mitigation rule. Valid values:
| accept |
cc_blocks | Indicates whether the request is blocked by an HTTP flood mitigation rule. Valid values:
Note: In some cases, a log does not contain this field. If a log does not contain the cc_blocks field, the | 1 |
cc_phase | The type of the mitigation setting. Valid values:
| gfbwip |
last_module | The type of mitigation setting for websites. Valid values:
| gfareaban |
last_owner | The name of the rule that is configured for websites. Rules include rules that are issued by Anti-DDoS Proxy and custom rules. Valid values of the rules that are issued by Anti-DDoS Proxy:
| global_th_4_C_****|global |
last_result | The final action on the request. Valid values:
Note: In some cases, a log does not contain this field. If a log does not contain the last_result field, the | failed |