Real-time log description - Edge Security Acceleration - Alibaba Cloud Documentation Center

This topic describes the real-time log fields by account and website.

By account

Edge Routine logs

Category	Field	Data type	Description
General	AccountID	string	The ID of your Alibaba Cloud account.
	ClientRequestHost	string	The Host requested by the client.
	ClientRequestID	string	The unique identifier of the request.
	ClientRequestMethod	string	The HTTP method that the request uses.
	ClientRequestPath	string	The path of the request.
	LogTimestamp	Timestamp ISO8601	The timestamp when the log was generated. Example: 2024-01-01T00:00:00+08:00.
SubRequest	SubRequestID	string	The unique identifier of the subrequest.
	FetchStatus	string	The status information returned for Edge Routine requests.
	KvStatus	string	The status information returned for Edge KV requests.
	CacheStatus	string	The cache hit status returned for cache API requests.
	SubRequest2xxCount	int	The number of HTTP 2xx status codes returned for subrequests.
	SubRequest3xxCount	int	The number of HTTP 3xx status codes returned for subrequests.
	SubRequest4xxCount	int	The number of HTTP 4xx status codes returned for subrequests.
	SubRequest5xxCount	int	The number of HTTP 5xx status codes returned for subrequests.
	SubRequestOtherCount	int	The number of other HTTP status codes returned for subrequests.
EdgeRoutine	CodeVersion	string	The version of the code.
	ConsoleLog	string	The custom logs printed after the user calls console.alert() in JavaScript code.
	CPUTime	int	The CPU time consumed by the request. Unit: microseconds.
	Duration	int	The time consumed to execute a request in a routine. The time includes the wait time and I/O time of the subrequest. Unit: milliseconds.
	ErrorCode	int	The error code. A value of 0 indicates that no error occurred.
	ErrorMessage	string	The error description that corresponds to ErrorCode.
	EventType	string	The type of the event triggered by the routine.
	ResponseSize	int	The response size. Unit: bytes.
	ResponseStatus	int	The response status code.
	RoutineName	string	The routine name.
	RoutineSpec	string	The specifications of the routine.

By website

Access logs

Category	Field	Data type	Description
General	BotTag	string	The traffic type of the request.
	ClientRequestID	string	The unique identifier of the request.
	EdgeServerID	string	The unique identifier of the Edge Security Acceleration (ESA) POP that the client accesses.
	EdgeServerIP	string	The IP address of the ESA POP.
	EdgeStartTimestamp	Timestamp ISO8601	The timestamp when the ESA POP receives the request. Example: 2024-01-01T00:00:00+08:00.
	EdgeEndTimestamp	Timestamp ISO8601	The timestamp when the ESA POP completes sending the response to the client. Example: 2024-01-01T00:00:00+08:00.
	SiteName	string	The website name.
	SmartRoutingStatus	string	The status of the smart routing feature. 0: not used. 1: in use.
	TlsHash	string	The MD5 hash value of the SSL/TLS client fingerprint.
Client	ClientASN	string	The autonomous system number (ASN) parsed from the client IP address.
	ClientCountryCode	string	The ISO-3166 Alpha-2 code parsed from the client IP address.
	ClientIP	string	The IP address of the client that is used to establish a connection with the ESA POP.
	ClientISP	string	The Internet service provider (ISP) information parsed from the client IP address.
	ClientRegionCode	string	The ISO-3166-2 code parsed from the client IP address.
	ClientSSLCipher	string	The SSL cipher suite of the client.
	ClientSSLProtocol	string	The SSL protocol version of the client. A hyphen (-) indicates that SSL is not used.
	ClientSrcPort	int	The port used to establish a connection between the client and the ESA POP.
	ClientXRequestedWith	string	The X-Requested-With request header.
ClientRequest	ClientRequestBytes	int	The request size. Unit: bytes.
	ClientRequestHeaderRange	string	The Range request header. Example: bytes=0-100.
	ClientRequestHost	string	The Host requested by the client.
	ClientRequestMethod	string	The HTTP method that the request uses.
	ClientRequestPath	string	The path of the request.
	ClientRequestProtocol	string	The protocol used by the request.
	ClientRequestReferer	string	The Referer in the request.
	ClientRequestQuery	string	The Query information in the request
	ClientRequestScheme	string	The Scheme information in the request.
	ClientRequestURI	string	The request URI.
	ClientRequestUserAgent	string	The User-Agent information in the request.
Edge	EdgeCacheStatus	string	The cache status of the request.
	EdgeRequestHost	string	The origin host from which the ESA POP retrieves content.
	EdgeResponseBodyBytes	int	The size of the response body that the ESA POP returns to the client. Unit: bytes.
	EdgeResponseBytes	int	The size of the response that the ESA POP returns to the client. Unit: bytes.
	EdgeResponseCompressionAlgo	string	The algorithm used to compress the response returned by the ESA POP.
	EdgeResponseCompressionRatio	float	The compression ratio of the response returned by the ESA POP.
	EdgeResponseContentType	string	The Content-Type information returned by the ESA POP.
	EdgeResponseStatusCode	int	The status code that the ESA POP returns to the client.
	EdgeResponseTime	int	The time that the ESA POP took to response. Unit: ms.
	EdgeTimeToFirstByteMs	int	The period of time that elapses from when the ESA POP receives the client request to when the ESA POP returns the first byte of the response to the client. Unit: ms.
Origin	OriginDNSResponseTimeMs	int	The period of time consumed to receive the domain name system (DNS)-resolved response from the origin server. Value -1 indicates that the POP does not pull content from the origin server.
	OriginIP	string	The IP address of the origin server from which the ESA POP pulls content. A hyphen (-) indicates that the POP does not pull content from the origin server.
	OriginSSLProtocol	string	The SSL protocol version that ESA uses to pull content from the origin server. A hyphen (-) indicates that the POP does not pull content from the origin server.
	OriginTCPHandshakeDurationMs	int	The period of time consumed to complete the TCP handshake with the origin server when the POP attempts to pull content from the origin server. Value -1 indicates that the POP does not pull content from the origin server. Unit: ms.
	OriginTLSHandshakeDurationMs	int	The period of time consumed to complete the TLS handshake with the origin server when the POP attempts to pull content from the origin server. Value -1 indicates that the POP does not pull content from the origin server. Unit: ms.
OriginResponse	OriginResponseDurationMs	int	The period of time consumed by the origin server to return the first byte of the response to the POP. Value -1 indicates that the POP does not pull content from the origin server. Unit: ms.
	OriginResponseHTTPExpires	string	The Expires information returned by the origin server. A hyphen (-) indicates that the POP does not pull content from the origin server.
	OriginResponseHTTPLastModified	string	The Last-Modified information returned by the origin server. A hyphen (-) indicates that the POP does not pull content from the origin server.
	OriginResponseHeaderRange	string	The Range information returned by the origin server. A hyphen (-) indicates that the POP does not pull content from the origin server.
	OriginResponseStatusCode	int	The status code returned by the origin server. Value -1 indicates that the POP does not pull content from the origin server.
Security	SecAction	string	The action performed on this request.
	SecActions	string	The actions performed on this request.
	SecRuleID	string	The ID of the executed protection rule for this request.
	SecRuleIDs	string	The IDs of all executed protection rules for this request.
	SecSource	string	The executed protection rule for this request.
	SecSources	string	All executed protection rules for this request.

Firewall logs

Category	Field	Data type	Description
General	Action	string	The executed protection action. Valid values: block: blocks the request. captcha: performs slider CAPTCHA. js: performs JavaScript validation. sigchl: performs dynamic token challenge. observe: observes the request. pass: allows the request. Empty string: does not perform any actions.
	ClientRequestID	string	The unique identifier of the request.
	Datetime	Timestamp ISO8601	The timestamp when the ESA POP receives the request. Example: 2024-01-01T00:00:00+08:00.
	ManagedRuleType	string	The type of the protection rule that corresponds to the managed rule. xss: a rule that defends against cross-site scripting (XSS) attacks. code_exec: a rule that defends against code execution attacks. webshell: a rule that defends against webshell uploads. sqli: a rule that defends against SQL injection. lfilei: a rule that defends against local file inclusion. rfilei: a rule that defends against remote file inclusion. crlf: a rule that defends against carriage return line feed (CRLF) injection. other: other protection rules. Empty string: No protection rule is matched or the executed rule is not a managed rule.
	RuleID	string	The ID of the matched protection rule.
	Source	string	The matched protection rule. Valid values: http_whitelist: a whitelist rule. http_managed: a managed rule. http_custom: a custom rule. http_ratelimit: a rate limiting rule. http_bot: a bot management rule. http_anti_scan: a scan protection rule. http_deep_learning: a deep learning and protection rule. http_ddos: an HTTP DDoS attack protection rule. http_security_level: the security level. Empty string: No protection rule is matched.
	TlsHash	string	The MD5 hash value of the SSL/TLS client fingerprint.
Client	ClientASN	string	The ASN parsed from the client IP address.
	ClientCountryCode	string	The ISO-3166 Alpha-2 code parsed from the client IP address.
	ClientIP	string	The IP address of the client that is used to establish a connection with the ESA POP.
	ClientISP	string	The ISP information parsed from the client IP address.
ClientRequest	ClientRequestHost	string	The Host requested by the client.
	ClientRequestMethod	string	The HTTP method that the request uses.
	ClientRequestPath	string	The path of the request.
	ClientRequestProtocol	string	The protocol used by the request.
	ClientRequestReferer	string	The Referer in the request.
	ClientRequestQuery	string	The Query information in the request.
	ClientRequestScheme	string	The Scheme request header.
	ClientRequestURI	string	The request URI.
	ClientRequestUserAgent	string	The User-Agent information contained in the request.
Edge	EdgeResponseContentType	string	The Content-Type information returned by the ESA POP.
Edge	EdgeResponseStatusCode	int	The status code that the ESA POP returns to the client.
OriginResponse	OriginResponseStatusCode	int	The status code returned by the origin server. Value -1 indicates that the POP does not pull content from the origin server.

TCP/UDP proxy logs

Category	Field	Data type	Description
General	BlockRuleID	string	The ID of the rule that is triggered to block requests. If this field is left empty, no requests are blocked.
	ConnectTimeStamp	Timestamp ISO8601	The timestamp when the connection was established. Example: 2024-01-01T00:00:00+08:00.
	DisconnetTimeStamp	Timestamp ISO8601	The timestamp when the connection was disconnected. Example: 2024-01-01T00:00:00+08:00.
	DomainName	string	The domain name for which you add a TCP/UDP proxied application.
	EdgeServerIP	string	The IP address of the ESA POP.
	LogTimeStamp	Timestamp ISO8601	The timestamp when the log was generated. Example: 2024-01-01T00:00:00+08:00.
	ProxyProtocol	string	The version of the proxy protocol. Valid values: off, v1, and v2.
	SessionID	string	The globally unique session ID.
	SiteName	string	The website name.
	Status	int	The status code that is returned when a session ends.
Client	ClientASN	string	The ASN parsed from the client IP address.
	ClientBytes	int	The volume of data received from the client. Unit: bytes.
	ClientCountryCode	string	The ISO-3166 Alpha-2 code parsed from the client IP address.
	ClientIP	string	The IP address of the client that is used to establish a connection with the ESA POP.
	ClientISP	string	The ISP information parsed from the client IP address.
	ClientPort	int	The port of the client.
	ClientProto	string	The transmission protocol used by the client.
Origin	OriginBytes	int	The volume of data received from the origin server. Unit: bytes.
	OriginIP	string	The IP address of the origin server.
	OriginPort	int	The port of the origin server.
	OriginProto	string	The transmission protocol used by the origin server.