Once you enable the real-time log feature, Dynamic Content Delivery Network (DCDN) starts to generate real-time logs. The tables in this topic describe the fields that you may encounter when analyzing different types of real-time logs.
The tables in this topic provide an extensive number of fields available in real-time logs. To avoid unnecessary costs, we recommend that you select the log fields to ship out of DCDN based on your business requirements.
If real-time logs that you collect are of the same type, all log delivery projects share a set of fields. Field modifications that are made for a project take effect globally. For example, the domain field is selected by default for access logs. If a user removes the domain field for a project, the field is immediately removed from other delivery projects of access logs.
Usage notes
Before you transfer Domain A from Account 1 to Account 2, you need to disable real-time log delivery for Domain A in Account 1. After Domain A is transferred to Account 2, you can enable real-time log delivery for Domain A in Account 2. If you do not perform the preceding operations, real-time logs are still delivered to Account 1. This incurs charges to Account 1.
Access logs
Once you enable the access log delivery feature, DCDN starts to generate access logs. The following table describes the fields available in access log entries.
Field | Description | Indexed by Simple Log Service | Used for built-in visualized analysis |
unixtime | The time when the request was initiated. | Yes | Yes |
domain | The domain name to which the request was sent. | Yes | Yes |
method | The request method. | Yes | Yes |
scheme | The protocol over which the request was sent. | Yes | No |
uri | The requested resource. | Yes | Yes |
uri_param | The request parameters. | Yes | No |
client_ip | The real IP address of the client that made the request. The first IP address in the | Yes | Yes |
proxy_ip | The IP address of the proxy. The second IP address in the | Yes | No |
remote_ip | The public IP address of the client that is connected to a DCDN point of presence (POP). | Yes | No |
remote_port | The port to which a POP sends requests over the Internet. | Yes | No |
refer_protocol | The protocol in the HTTP Referer header. | Yes | No |
refer_domain | The domain name in the HTTP Referer header. | Yes | Yes |
refer_uri | The URI in the HTTP Referer header. | Yes | No |
refer_param | The parameters in the HTTP Referer header. | Yes | No |
request_size | The request size, including the request body and the request header. Unit: bytes. | Yes | No |
request_time | The response time. Unit: milliseconds. | Yes | Yes |
response_size | The response size. Unit: bytes. | Yes | No |
return_code | The HTTP status code returned. | Yes | Yes |
sent_http_content_range | The value of the Range header in the response, which is configured on the origin server. Example: bytes=0-99/200. | Yes | No |
server_addr | The IP address of the POP that responded to the request. | Yes | No |
server_port | The port on the POP that responded to the request. | Yes | No |
body_bytes_sent | The size of the request body. Unit: bytes. | Yes | No |
content_type | The type of the requested resource. | Yes | No |
hit_info | The cache hit result. The cache hit results of requests for live streaming resources or dynamic content are not included. Valid values:
| Yes | Yes |
http_range | The value of the Range header in the request. Example: bytes=0-100. | Yes | No |
user_agent | The information about the proxy of the client. | Yes | Yes |
user_info | The information about the client. | Yes | No |
uuid | The request ID. | Yes | No |
via_info | The HTTP Via header. | Yes | No |
xforwordfor | The X-Forwarded-For header in the request. | Yes | No |
EdgeRoutine logs
Once you enable the EdgeRoutine log delivery feature, DCDN starts to generate EdgeRoutine logs. The following table describes the fields available in EdgeRoutine log entries.
Field | Description | Indexed by Simple Log Service | Used for built-in visualized analysis |
console_alert | The custom log printed after you call console.alert() in JavaScript code. | Yes | Yes |
error_code | The error code. 0 indicates that no error occurred. | Yes | Yes |
error_message | The error description that corresponds to error_code. | Yes | Yes |
fetch_status | The status of the subrequest. | Yes | Yes |
fetch_uuid | The UUID of the subrequest. | Yes | Yes |
http_2xx | The number of 2xx status codes returned for subrequests. | Yes | Yes |
http_3xx | The number of 3xx status codes returned for subrequests. | Yes | Yes |
http_4xx | The number of 4xx status codes returned for subrequests. | Yes | Yes |
http_5xx | The number of 5xx status codes returned for subrequests. | Yes | Yes |
http_status_other | The number of other status codes returned for subrequests. | Yes | Yes |
host | The HOST header of the request. | Yes | Yes |
in_method | The HTTP method used by the request. | Yes | Yes |
in_path | The request path. | Yes | Yes |
out_size | The response size. | Yes | Yes |
out_status | The response status code. | Yes | Yes |
code_ver | The version number of the code. | Yes | Yes |
routine_spec | The specifications of the routine. | Yes | Yes |
total_cpu_time_μs | The CPU time consumed by the request. Unit: microseconds. | Yes | Yes |
total_real_time_ms | The time consumed to execute the request in a routine. The time includes the wait time and I/O time of subrequests. Unit: milliseconds. | Yes | Yes |
uuid | The EagleTraceID of the request. | Yes | Yes |
UnixTime | The timestamp of the request. | Yes | Yes |
WAF logs
Once you enable Web Application Firewall (WAF) log delivery feature, DCDN starts to generate WAF logs. The following table describes the fields available in WAF log entries.
Field | Description | Indexed by Simple Log Service | Example |
unixtime | The time when the request was initiated. | Yes | 1640966400 |
domain | The domain name to which the request was sent. | Yes | api.aliyun.com |
method | The request method. | Yes | GET |
scheme | The protocol over which the request was sent. | Yes | http |
uri | The requested resource. | Yes | /news/search.php |
uri_param | The request parameters. | Yes | title=tm_content%3Darticle&pid=123 |
content_type | The type of the requested content. | Yes | application/x-www-form-urlencoded |
matched_host | The domain name that is protected by WAF. | Yes | *.aliyun.com |
request_id | The request ID. | Yes | 792a121e16405968501823589e |
return_code | The HTTP status code returned. | Yes | 200 |
referer | The Referer field in the HTTP request. | Yes | http://example.com |
user_agent | The information about the proxy of the client. | Yes | Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002) |
x_forwarded_for | The X-Forwarded-For (XFF) header. This field is used to identify the originating IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing service. | Yes | 101.XX.XX.120 |
client_ip | The originating IP address of the client. | Yes | 1.XX.XX.1 |
final_test | Indicates that the monitoring mode is enabled. | Yes | FALSE |
cookie | The HTTP Cookie header. This field contains information about the client. | Yes | k1=v1;k2=v2 |
final_action | The executed protection action.
Note If a request triggers multiple protection modules at the same time, the field is recorded and includes only the final action that is performed. The following actions are listed in descending order of priority: block, slider CAPTCHA verification, dynamic token-based authentication, and JavaScript verification. | Yes | block |
final_plugin | The module to which the matched protection rule belongs.
This field may have multiple values that are separated by commas (,). Valid values:
| Yes |
|
final_rule_id | The ID of the matched protection rule.
This field may have multiple values that are separated by commas (,). | Yes |
|
remote_addr | The IP address of the client. | Yes | 1.XX.XX.1 |