Fields included in full logs - Anti-DDoS - Alibaba Cloud Documentation Center

This topic describes the fields that are included in the full logs of Anti-DDoS Proxy.

Basic Information

Field	Description	Example
__topic__	The topic of the log. The value is fixed as ddos_access_log, which indicates the logs of Anti-DDoS Proxy.	ddos_access_log
user_id	The Alibaba Cloud account ID.	166688437215****

HTTP requests

Field	Description	Example
body_bytes_sent	The size of the body in the request. Unit: bytes.	2
content_type	The content type of the response body.	application/x-www-form-urlencoded
host	The requested domain name.	api.aliyundoc.com
http_cookie	The request cookie.	k1=v1;k2=v2
http_referer	The referer of the request. If the referer does not exist, a hyphen (`-`) is returned.	http://aliyundoc.com
http_user_agent	The user agent of the request.	Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002)
http_x_forwarded_for	The IP address of the upstream proxy.	192.0.XX.XX
https	Indicates whether the request is an HTTPS request. Valid values: true and false.	true
matched_host	The domain name that is matched, which can be a wildcard domain name. If no domain names are matched, a hyphen (`-`) is returned.	*.aliyundoc.com
real_client_ip	The originating IP address of the client. If no originating IP addresses are retrieved, a hyphen (`-`) is returned.	192.0.XX.XX
isp_line	The information about the Internet service provider (ISP) line, such as Border Gateway Protocol (BGP), China Telecom, or China Unicom.	China Telecom
remote_addr	The IP address from which the request is initiated.	192.0.XX.XX
remote_port	The ID of the port from which the request is initiated.	23713
request_length	The size of the request. Unit: bytes.	123
request_method	The HTTP method of the request.	GET
request_time_msec	The processing time of the request. Unit: milliseconds.	44
request_uri	The URI of the request.	/answers/377971214/banner
server_name	The name of the origin server that is matched. If no origin servers are matched, `default` is returned.	api.aliyundoc.com
status	The HTTP status code.	200
time	The time of the request.	2018-05-02T16:03:59+08:00
querystring	The query string in the request.	token=bbcd&abc=123
upstream_addr	The list of origin addresses that are separated by commas (,). Each address is in the IP:Port format.	192.0.XX.XX:443
upstream_ip	The origin IP address.	192.0.XX.XX
upstream_response_time	The response time of the back-to-origin request. Unit: seconds. Note If the famax engine of the previous version is used, the unit of this field is milliseconds.	0.044
upstream_status	The HTTP status code of the back-to-origin request.	200
vip_addr	The IP address of the Anti-DDoS Proxy instance.	203.107.XX.XX
http2_client_fingerprint	The original fingerprint of the HTTP/2 client.	2:0;4:2097152;3:100\|10485760\|0\|m,s,p,a
http2_client_fingerprint_md5	The HTTP/2 fingerprint. The HTTP/2 fingerprint is a 128-bit or 32-character MD5 hash value that is calculated based on the original fingerprint of the HTTP/2 client. The HTTP/2 fingerprint is used to analyze and identify different clients for more secure and efficient communication.	ad8424af1cc590e09f7b0c499bf7fcdb
ssl_client_ja3_fingerprinting	The JA3 fingerprint of the client is an original fingerprint that contains key parameters from TLS handshake, including information such as the TLS version, cipher suites, compression algorithms, and TLS extensions.	771,4865-49195-49196-49197,29,0
ssl_client_ja3_fingerprinting_md5	The MD5 hash value generated from the JA3 original fingerprint.	c1bd7c674bbec9f0f2474e3eee3564f4
ssl_client_ja4_fingerprinting	The JA4 fingerprint of the client is an original fingerprint that includes key parameters from TLS handshake, such as the TLS version, cipher suites, compression algorithms, TLS extensions, browser version, and operating system.	t13d1516h2_acb858a92679_e5627efa2ab1
ssl_client_ja4_fingerprinting_md5	The MD5 hash value generated from the JA4 original fingerprint.	8c3d99fb6ed08a39c799aad27b4854f4

Client Information

Field	Description	Example
ua_browser	The identifier of the browser. Note In some cases, a log does not contain this field.	ie9
ua_browser_family	The series of the browser. Note In some cases, a log does not contain this field.	internet explorer
ua_browser_type	The type of the browser. Note In some cases, a log does not contain this field.	web_browser
ua_browser_version	The version of the browser. Note In some cases, a log does not contain this field.	9.0
ua_device_type	The type of the client. Note In some cases, a log does not contain this field.	computer
ua_os	The identifier of the operating system that runs on the client. Note In some cases, a log does not contain this field.	windows_7
ua_os_family	The series of the operating system that runs on the client. Note In some cases, a log does not contain this field.	windows
server_protocol	The protocol and version number of the origin server that are returned in the response to Anti-DDoS Proxy back-to-origin requests.	HTTP/1.1
ssl_protocol	The SSL or TLS protocol and version that are used in the request.	TLSv1.2
ssl_cipher	The cipher suite that is used in the request.	ECDHE-RSA-AES128-GCM-SHA256
ssl_handshake_time	The period of time during which the client initiates a TLS handshake. Unit: milliseconds.	99

Mitigation settings

Field	Description	Example
cc_action	The action that is triggered in an HTTP flood mitigation rule. Valid values: accept: The request is allowed. block: The request is blocked. challenge: Captcha verification is used to verify the source IP address of the request. alarm: The request is recorded in logs and allowed.	accept
cc_blocks	Indicates whether the request is blocked by an HTTP flood mitigation rule. Valid values: `1`: The request is blocked. Other values: The request is allowed. Note In some cases, a log does not contain this field. If a log does not contain the cc_blocks field, the `last_result` field is used to record whether the request is blocked by an HTTP flood mitigation rule.	1
cc_phase	The type of the mitigation setting. Valid values: Valid values for the Tengine engine: `gfbwip`: a blacklist and whitelist feature `gfcc`: the HTTP flood mitigation feature `gfacl`: a custom mitigation policy `gfglobal`: a DDoS mitigation policy `gfareaban`: a location blacklist feature Valid values for the famax engine: `ipFilter`: a blacklist and whitelist feature `statProtect`: the HTTP flood mitigation feature `preciseProtect`: a custom mitigation policy `regionBLock`: a location blacklist feature	gfbwip
last_module	The type of mitigation setting for websites. Valid values: gfareaban: the location blacklist (domain names) feature gfbwip: the blacklist/whitelist (domain names) feature gfacl: an accurate access control rule gfcc: the HTTP flood mitigation feature gfglobal: a DDoS mitigation policy	gfareaban
last_owner	The name of the rule that is configured for websites. Rules include rules that are issued by Anti-DDoS Proxy and custom rules. Valid values of the rules that are issued by Anti-DDoS Proxy: Rule names that start with `smartcc_`: rules of the intelligent protection feature Rule names that start with `global`: rules of a DDoS mitigation policy Rule names that start with `gf_internal`: rules of the HTTP flood mitigation feature	global_th_4_C_****\|global
last_result	The final action on the request. Valid values: `ok`: The request is allowed. `failed`: The request is not allowed. For example, the request is blocked, or the verification fails. Note In some cases, a log does not contain this field. If a log does not contain the last_result field, the `cc_blocks` field is used to record whether the request is blocked by an HTTP flood mitigation rule.	failed