Instant logs are lightweight, easy to use, and do not require any additional configurations. With instant logs, you can view the access logs of specific websites in real time in the Edge Security Acceleration (ESA) console. This helps you pinpoint attacks, troubleshoot system faults, and debug or test network connectivity between clients and websites.
Start monitoring
Log on to the ESA console.
In the left-side navigation pane, click Websites.
On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.
In the left-side navigation tree of the website details page, choose Analytics and Logs > Instant Logs.
On the Instant Logs page, click Start Monitoring to collect logs.
You can add traffic filters to log only specific events. This enables precise and efficient troubleshooting.
After the monitoring stops, you can expand the monitoring logs and view log fields in detail, or click the export button on the right side to download data in JSON format to your local PC.
Instant log fields
Field | Data type | Description |
BotTag | string | The traffic type of the request. |
ClientASN | string | The autonomous system number (ASN) parsed from the client IP address. |
ClientCountryCode | string | The ISO-3166 Alpha-2 code parsed from the client IP address. |
ClientIP | string | The IP address of the client that is used to establish a connection with the ESA POP. |
ClientISP | string | The Internet service provider (ISP) information parsed from the client IP address. |
ClientRegionCode | string | The ISO-3166-2 code parsed from the client IP address. |
ClientRequestBytes | int | The size of the client request. Unit: bytes. |
ClientRequestHeaderRange | string | The value of the Range header carried by the client request. Example: bytes=0-100. |
ClientRequestHost | string | The Host requested by the client. |
ClientRequestID | string | The unique identifier of the request. |
ClientRequestMethod | string | The HTTP method that the request uses. |
ClientRequestPath | string | The path of the request. |
ClientRequestProtocol | string | The protocol used by the request. |
ClientRequestQuery | string | The Query information in the request. |
ClientRequestReferer | string | The Referer in the request. |
ClientRequestURI | string | The request URI. |
ClientRequestUserAgent | string | The User-Agent information in the request. |
ClientSrcPort | int | The port used to establish the connection between the client and the ESA POP. |
ClientSSLCipher | string | The SSL cipher suite of the client. |
ClientSSLProtocol | string | The SSL protocol version of the client. A hyphen (-) indicates that SSL is not used. |
ClientXRequestedWith | string | The X-Requested-With request header. |
EdgeCacheStatus | string | The cache status of the request. |
EdgeEndTimestamp | Timestamp ISO8601 | The timestamp when the ESA POP completes sending the response to the client. Example: 2024-01-01T00:00:00+08:00. |
EdgeRequestHost | string | The origin host from which the ESA POP retrieves content. |
EdgeResponseBodyBytes | int | The size of the response body that the ESA POP returns to the client. Unit: bytes. |
EdgeResponseBytes | int | The size of the response that the ESA POP returns to the client. Unit: bytes. |
EdgeResponseCompressionAlgo | string | The algorithm used to compress the response returned by the ESA POP. |
EdgeResponseCompressionRatio | float | The compression ratio of the response returned by the ESA POP. |
EdgeResponseContentType | string | The Content-Type information returned by the ESA POP. |
EdgeResponseStatusCode | int | The status code that the ESA POP returns to the client. |
EdgeResponseTime | int | The period of time that elapses from when the ESA POP receives the client request to when the client receives the origin response. Unit: ms |
EdgeServerID | string | The unique identifier of the ESA POP that the client accesses. |
EdgeServerIP | string | The IP address of the ESA POP. |
EdgeStartTimestamp | Timestamp ISO8601 | The timestamp when the ESA POP receives the request. Example: 2024-01-01T00:00:00+08:00. |
EdgeTimeToFirstByteMs | int | The period of time that elapses from when the ESA POP receives the client request to when the ESA POP returns the first byte of the response to the client. Unit: ms. |
OriginDNSResponseTimeMs | int | The period of time consumed to receive the domain name system (DNS)-resolved response from the origin server. Value -1 indicates that the POP does not pull content from the origin server. |
OriginIP | string | The IP address of the origin server from which the POP pulls content. A hyphen (-) indicates that the POP does not pull content from the origin server. |
OriginResponseDurationMs | int | The IP address of the origin server from which the POP pulls content. A hyphen (-) indicates that the POP does not pull content from the origin server. |
OriginResponseHeaderRange | string | The Range information returned by the origin server. A hyphen (-) indicates that the POP does not pull content from the origin server. |
OriginResponseHTTPExpires | string | The Expires information returned by the origin server. A hyphen (-) indicates that the POP does not pull content from the origin server. |
OriginResponseHTTPLastModified | string | The Last-Modified information returned by the origin server. A hyphen (-) indicates that the POP does not pull content from the origin server. |
OriginResponseStatusCode | int | The status code returned by the origin server. Value -1 indicates that the POP does not pull content from the origin server. |
OriginSSLProtocol | string | The SSL protocol version that ESA uses to pull content from the origin server. A hyphen (-) indicates that the POP does not pull content from the origin server. |
OriginTCPHandshakeDurationMs | int | The period of time consumed to complete the TCP handshake with the origin server when the POP attempts to pull content from the origin server. Value -1 indicates that the POP does not pull content from the origin server. Unit: ms. |
OriginTLSHandshakeDurationMs | int | The period of time consumed to complete the TLS handshake with the origin server when the POP attempts to pull content from the origin server. Value -1 indicates that the POP does not pull content from the origin server. Unit: ms. |
SecAction | string | The action performed on this request. |
SecActions | string | The actions performed on this request. |
SecRuleID | string | The ID of the executed protection rule for this request. |
SecRuleIDs | string | The IDs of all executed protection rules for this request. |
SecSource | string | The executed protection rule for this request. |
SecSources | string | All executed protection rules for this request. |
SiteName | string | The website name. |
SmartRoutingStatus | string | The status of the smart routing feature. 0: not used. 1: in use. |
TlsHash | string | The MD5 hash value of the SSL/TLS client fingerprint. |
SampleInterval | float | The sampling rate. Sampling rate = Number of sampled logs/Number of generated logs. For example, a sampling rate of 0.5 indicates that 2 logs are generated but only one is sampled. |
Usage notes
You can have only one active session per website at a time. Each session can last up to 60 minutes.
Instant logs can store up to 40 records at a time. The records are arranged in reverse chronological order, with newer records overwriting older ones.
The following operations can stop the monitoring. If you want to continue the monitoring after you perform the following operations, click Start Monitoring again.
If you expand the monitoring records, click Stop Monitoring, or click the export button
on the Instant Logs page, the monitoring stops, but the historical logs are retained on the page. If you add filter conditions, switch from the Instant Logs page to another page such as the Standard Logs page, or refresh the Instant Logs page, the monitoring stops and the historical logs are cleared.
Feature availability
Entrance | Pro | Premium | Enterprise | |
Instant logs | No | Yes | Yes | Yes |