After you add your website to an Anti-DDoS Proxy instance, you can use the log analysis feature to collect and store the logs of your website, and then query and analyze the collected logs. This topic describes how to use the log analysis feature.
Usage notes
Before you use the log analysis feature, you need to know basic information about the feature, how to calculate the required log storage capacity, and log sampling descriptions. For more information, see Overview.
Prerequisites
An Anti-DDoS Proxy instance is purchased and your website is added to the instance. For more information, see Add one or more websites.
Simple Log Service is activated. If this is the first time you log on to the Simple Log Service console, you must activate Simple Log Service as prompted.
Step 1: Enable the log analysis feature
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland), select Outside Chinese Mainland.
In the left-side navigation pane, choose
On the Log Analysis page, click Buy Now.
On the Log Service page, configure the parameters, click Buy Now, and then complete the payment.
Parameters and their descriptions:
Edition: Select the instance type of Anti-DDoS Proxy.
Log Storage: Select the capacity to store logs. Unit: TB.
If log storage is large enough and within the validity period, logs are stored from the first day the feature is used. The logs that are generated within the following 180 consecutive days are stored. Logs from day 181 overwrite logs from day 1, which means that only the logs generated within the last 180 days are stored.
Important: After the log storage is exhausted, new logs cannot be stored.
Duration: Select a validity period for the feature.
Important: If the log analysis feature expires, new logs cannot be stored.
Step 2: Authorize Anti-DDoS Proxy to store logs to Simple Log Service
Go back to the Log Analysis page and complete the authorization as prompted.
The system automatically creates the service-linked role AliyunDDoSCOOLogArchiveRole. Anti-DDoS Proxy uses this role to access Simple Log Service and store logs in the dedicated Logstore for Anti-DDoS Proxy.
Select a region for the dedicated Logstore for an Anti-DDoS Proxy (Outside Chinese Mainland) instance. The logs of the instance are stored in the region that you select.
You can select the Singapore or Indonesia (Jakarta) region.
Important: After you select a region, you cannot directly change the region. To change the region, you can only disable the log analysis feature and re-enable the feature. However, after you disable the feature, the Logstore and all log data are deleted. Proceed with caution.
You do not need to select a region for the dedicated Logstore for an Anti-DDoS Proxy (Chinese Mainland) instance. By default, the logs of the instance are stored in the China (Hangzhou) region.
After you enable the log analysis feature, Anti-DDoS Proxy creates a Logstore for your instance in the specified region in Simple Log Service. Then, Anti-DDoS Proxy collects and delivers the log data of the instance to the Logstore.
Step 3: Enable the log collection feature
On the Log Analysis page, enable the log collection feature for the domain name of your website.
Enable the log collection feature for a domain name: Select a domain name from the Select Domain Names drop-down list and turn on Status.
Enable the log collection feature for multiple domain names at a time: Click Batch Configure in the upper-right corner of the page. In the Batch Configure panel, select multiple domain names and click Batch Enable.
After you enable the log collection feature, Simple Log Service automatically creates a dedicated project for Anti-DDoS Proxy. This dedicated project is used to manage the logs of Anti-DDoS Proxy.
You can view the dedicated project on the homepage of the Simple Log Service console. The name of the dedicated project for Anti-DDoS Proxy (Chinese Mainland) starts with ddoscoo-project. The name of the dedicated project for Anti-DDoS Proxy (Outside Chinese Mainland) starts with ddosdip-project. A dedicated project for Anti-DDoS Proxy contains the following resources:
A dedicated Logstore that is used to store the logs of Anti-DDoS Proxy. The name of the dedicated Logstore for Anti-DDoS Proxy (Chinese Mainland) starts with ddoscoo-logstore. The name of the dedicated Logstore for Anti-DDoS Proxy (Outside Chinese Mainland) starts with ddosdip-logstore.
Two preset log dashboards that are used to display the Log Analysis results in charts. The dashboards are DDoS Access Center and DDoS Operation Center. The information in the dashboards is the same for both Anti-DDoS Proxy (Chinese Mainland) and Anti-DDoS Proxy (Outside Chinese Mainland).
Step 4: (Optional) Query and analyze logs
On the Log Analysis page, select a domain name from the Select Domain Names drop-down list.
On the Full Logs tab, specify a time range for the query.
Note: Anti-DDoS Proxy logs are retained for 180 days. By default, you can query only logs from the previous 180 days.
The query results may contain logs that are generated 1 minute earlier or later than the specified time range.
Enter a query statement in the search box, and then click Search & Analyze.
Each query statement consists of a search statement and an analytic statement. The search statement and the analytic statement are separated with a vertical bar (|). Format: Search statement|Analytics statement.
Statement: The query statement.
Optional: Yes
Description: A search statement specifies search conditions, such as a keyword, a numeric value, a numeric value range, an asterisk (*), or a combination of search conditions.
If you specify a space or an asterisk (*) as the search statement, no conditions are used for searching, and all logs are returned. For more information, see Search syntax.
Note: For more information about log fields, see Fields included in full logs.
Statement: Analytics statement
Optional: Yes
Description: An analytic statement is used to aggregate and compute the data in search results or all logs.
If you leave the analytics statement empty, the search results are returned but analysis is not performed. For more information, see Log analysis overview.
Note: In an analytics statement, the from log part is similar to the from <table name> part in a standard SQL statement and can be omitted. By default, the first 100 log entries are returned. If you want to adjust this number, you can execute a LIMIT statement. For more information, see LIMIT clause.
After a query statement is executed, analysis results are automatically displayed in tables. The analysis results can also be displayed in a variety of charts, such as a line chart, column chart, or pie chart. You can choose a display method based on your business requirements. For more information, see Chart overview.
You can also configure alert rules based on the charts in a dashboard to monitor service status in real time. For more information, see Overview.
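The following query statements are an added example, not part of the original documentation, showing the search|analytics format in use. The field names real_client_ip and status, the sample IP address, and the thresholds are assumptions; confirm field names against Fields included in full logs before use.

```sql
-- Constructed example statements. Paste only the statement line into the
-- search box, without the "--" annotation lines.

-- 1. The search part keeps only error responses; the analytic part ranks
--    client IPs by request count. "from log" is omitted, and LIMIT caps
--    the number of rows returned.
status >= 400 | SELECT real_client_ip, COUNT(*) AS requests GROUP BY real_client_ip ORDER BY requests DESC LIMIT 20

-- 2. "FROM log" written out explicitly: per-minute request count by status
--    code over all logs. LIMIT raises the default of 100 returned rows.
* | SELECT date_format(date_trunc('minute', __time__), '%m-%d %H:%i') AS minute, status, COUNT(*) AS requests FROM log GROUP BY minute, status ORDER BY minute LIMIT 1000

-- 3. Search statement only, with the analytic part left empty: the matching
--    raw log entries are returned and no analysis is performed.
real_client_ip: 203.0.113.10 and status: 403
```

A sudden concentration of requests on a few client IPs in the first statement, or a spike of one status code in the second, is a typical starting point for narrowing the time range and drilling into raw entries with the third.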
Step 5: (Optional) Query log reports
Simple Log Service provides dashboards for you to analyze data in real time. After you query and analyze logs by using query and analysis statements, you can save the charts of analysis results to a dashboard. Simple Log Analysis provides two preset dashboards: DDoS Access Center and DDoS Operation Center.
On the Log Analysis page, select a domain name from the Select Domain Names drop-down list.
On the Log Reports tab, click Select Time Range to specify a time range.
Note: Each chart on the dashboard is generated based on the statistics within a specific time range. For example, the default time range is 1 hour for a website access chart and 1 week for an access trend chart. After you specify a time range, all charts on the current page are displayed based on the specified time range.
View the preset dashboards.
The log reports are displayed in different types of charts. For more information about the types of charts, see Chart overview.
DDoS Access Center: shows the basic website metrics, access trends, request source distribution, and other statistics such as access domain names and client types. The website metrics include PVs, UVs, inbound traffic, and peak bandwidth.
DDoS Operation Center: shows the overall operations status of the website, including inbound and outbound traffic trends, requests and interception trends, attackers, and visited websites.
You can also click Subscribe in the upper-right corner of the Log Reports tab to subscribe to dashboards and send dashboard data to specific recipients by email or DingTalk message. For more information, see Add a Subscription.