
Real-time Log Field Description

This article describes the fields of site acceleration logs and L4 proxy logs in real-time logs.
Note:
When a field has no value:
If the data type of the field is String and the field has no data, the field value is: "-".
If the data type of the field is Integer and the field has no data, the field value is: -1.

Site Acceleration Log

| Name | Data Type | Description |
| --- | --- | --- |
| LogTime | Timestamp ISO8601 | Time when the log is generated |
| RequestID | String | Unique ID of the client request |
| ClientIP | String | Client IP |
| ClientRegion | String | Country/region parsed from the client IP. Format standard: ISO-3166 alpha-2 |
| ClientState | String | Administrative division below the country level, parsed from the client IP. Currently only data within mainland China is supported. Format standard: ISO-3166 alpha-2 |
| ClientISP | String | ISP information resolved from the client IP. Data within mainland China is recorded under the ISP's Chinese name. Data for Global Availability Zones (excluding mainland China) is recorded as the Autonomous System Number (ASN) |
| RequestTime | Timestamp ISO8601 | Client request time, time zone: UTC +00:00 |
| RequestStatus | Integer | Status of the client request. When the WebSocket protocol is used, EdgeOne prints logs periodically, and this field can be used to determine the connection status. Value options: 0 (not ended), 1 (request ended normally), 2 (ended abnormally) |
| RequestHost | String | Host of the client request |
| RequestBytes | Integer | Size of the client request, unit: Byte |
| RequestMethod | String | HTTP method of the client request. Value options: GET, POST, HEAD, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH |
| RequestSSLProtocol | String | SSL (TLS) protocol used by the client; if the value is "-", there is no SSL handshake in the request. Value options: TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3 |
| ClientDeviceType | String | Device type of the client request. Value options: TV, Tablet, Mobile, Desktop, Other |
| RequestUrl | String | URL of the client request |
| RequestUrlQueryString | String | Query parameter carried by the client request URL |
| RequestUA | String | User-Agent information of the client request |
| RequestRange | String | Range parameter information of the client request |
| RequestReferer | String | Referer information of the client request |
| RequestProtocol | String | Application layer protocol of the client request. Value options: HTTP/1.0, HTTP/1.1, HTTP/2.0, HTTP/3, WebSocket |
| RemotePort | Integer | Port for establishing a connection between the client and the node under the TCP protocol |
| EdgeCacheStatus | String | Whether the client request hits the node cache. Value options: hit (resource provided by the node cache), miss (resource can be cached, but was provided by the origin), dynamic (resource cannot be cached) |
| EdgeResponseStatusCode | Integer | Status code returned by the node response to the client |
| EdgeResponseBytes | Integer | Size of the node response returned to the client, unit: Byte |
| EdgeResponseBodyBytes | Integer | Body size of the node response returned to the client, unit: Byte |
| EdgeResponseTime | Integer | Time from when EdgeOne starts receiving the client request until the client finishes receiving the server response; unit: ms |
| EdgeInternalTime | Integer | Time from when EdgeOne starts receiving the client request until the first byte of the response to the client; unit: ms |
| EdgeServerIP | String | EdgeOne server IP address obtained by DNS resolution of Host |
| EdgeServerID | String | Unique identifier of the EdgeOne server accessed by the client |
| EdgeSeverRegion | String | Country of the responding EdgeOne node IP. Format standard: ISO-3166 alpha-2 |
| EdgeEndTime | Timestamp ISO8601 | Time when the response to the client request is completed |
| OriginDNSResponseDuration | Float | Time taken to receive the DNS resolution response for the origin server. If there is no origin-pull, it is recorded as -1; unit: ms |
| OriginIP | String | Origin IP accessed by the origin-pull; if there is no origin-pull, recorded as "-" |
| OriginRequestHeaderSendDuration | Float | Time taken to send the request header to the origin server, usually 0. If there is no origin-pull, it is recorded as -1; unit: ms |
| OriginSSLProtocol | String | SSL protocol version used for requesting the origin; if there is no origin-pull, recorded as "-". Value options: TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3 |
| OriginTCPHandshakeDuration | Float | Time taken to complete the TCP handshake when requesting the origin; if there is no origin-pull, recorded as -1; unit: ms. Note: 0 when the connection is reused |
| OriginTLSHandshakeDuration | Float | Time taken to complete the TLS handshake when requesting the origin; if there is no origin-pull, recorded as -1; unit: ms. Note: 0 when the connection is reused |
| OriginResponseHeaderDuration | Float | Time from sending the request header to the origin until receiving the response header from the origin; if there is no origin-pull, recorded as -1; unit: ms |
| OriginResponseStatusCode | Integer | Origin response status code; if there is no origin-pull, recorded as -1 |
| BotClassAttacker | String | Risk level, based on recent intelligence data, of the client IP for attack behavior (such as DDoS, high-frequency malicious requests, site attacks, etc.). "-" means no historical data. Other value options: high (high risk), medium (medium risk), low (low risk) |
| BotClassProxy | String | Risk level, based on recent intelligence data, of the client IP for having suspicious proxy ports open and being used as a network proxy (including Proxy). "-" means no historical data. Other value options: high (high risk), medium (medium risk), low (low risk) |
| BotClassScanner | String | Risk level, based on recent intelligence data, of the client IP for scanning for known vulnerabilities. "-" means no historical data. Other value options: high (high risk), medium (medium risk), low (low risk) |
| BotClassAccountTakeOver | String | Risk level, based on recent intelligence data, of the client IP for malicious account cracking and account takeover attacks. "-" means no historical data. Other value options: high (high risk), medium (medium risk), low (low risk) |
| BotClassMaliciousBot | String | Risk level, based on recent intelligence data, of the client IP for malicious bot, hotlinking, and brute force cracking behaviors. "-" means no historical data. Other value options: high (high risk), medium (medium risk), low (low risk) |
Note:
In the site acceleration log, for long connections that use the WebSocket protocol, EdgeOne records logs periodically and records a final log when the request ends. Logs with the same RequestID represent the same connection, so you can identify requests by the RequestID field; the RequestStatus field gives the connection status at the time each log was recorded.
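An added example (not EdgeOne code) of using these fields for triage: it maps the "-" / -1 no-value sentinels to None, groups records by RequestID, takes RequestStatus from the latest record of each connection, and reports the highest BotClass* risk level seen. It assumes one JSON object per log record, which this page does not specify; the sample records and the `normalize` / `summarize` names are constructed for illustration.

```python
import json

# Constructed sample records. One JSON object per line is an assumption;
# this page does not specify the delivery format.
SAMPLE = """\
{"LogTime":"2024-05-01T10:02:00Z","RequestID":"req-a","ClientIP":"198.51.100.7","RequestProtocol":"WebSocket","RequestStatus":2,"BotClassProxy":"medium","BotClassScanner":"-"}
{"LogTime":"2024-05-01T10:00:00Z","RequestID":"req-a","ClientIP":"198.51.100.7","RequestProtocol":"WebSocket","RequestStatus":0,"BotClassProxy":"medium","BotClassScanner":"-"}
{"LogTime":"2024-05-01T10:01:00Z","RequestID":"req-a","ClientIP":"198.51.100.7","RequestProtocol":"WebSocket","RequestStatus":0,"BotClassProxy":"low","BotClassScanner":"-"}
{"LogTime":"2024-05-01T10:00:05Z","RequestID":"req-b","ClientIP":"203.0.113.9","RequestProtocol":"HTTP/1.1","RequestStatus":1,"BotClassAttacker":"high","BotClassScanner":"high"}
{"LogTime":"2024-05-01T10:00:09Z","RequestID":"req-c","ClientIP":"192.0.2.44","RequestProtocol":"HTTP/2.0","RequestStatus":1,"BotClassAttacker":"-","BotClassScanner":"-"}
"""

BOT_FIELDS = ("BotClassAttacker", "BotClassProxy", "BotClassScanner",
              "BotClassAccountTakeOver", "BotClassMaliciousBot")
RISK_ORDER = {"low": 1, "medium": 2, "high": 3}
STATUS = {0: "not ended", 1: "ended normally", 2: "ended abnormally"}

def normalize(record):
    """Map the documented no-value sentinels ("-" and -1) to None."""
    return {k: None if v in ("-", -1) else v for k, v in record.items()}

def summarize(text):
    """Return {RequestID: summary}; records sharing a RequestID are one connection."""
    conns = {}
    for line in filter(str.strip, text.splitlines()):
        rec = normalize(json.loads(line))
        conns.setdefault(rec["RequestID"], []).append(rec)
    out = {}
    for rid, recs in conns.items():
        # Same-format ISO 8601 UTC strings sort chronologically as text.
        last = max(recs, key=lambda r: r["LogTime"])
        risks = {}  # highest level seen per BotClass* field
        for r in recs:
            for f in BOT_FIELDS:
                if RISK_ORDER.get(r.get(f), 0) > RISK_ORDER.get(risks.get(f), 0):
                    risks[f] = r[f]
        top = max(risks.values(), key=RISK_ORDER.get, default=None)
        out[rid] = {
            "records": len(recs),
            "status": STATUS.get(last["RequestStatus"], "unknown"),
            "client_ip": last["ClientIP"],
            "max_bot_risk": top,
            "risky_classes": sorted(f for f, v in risks.items() if v == top),
        }
    return out
```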

L4 Proxy Log

| Name | Data Type | Description |
| --- | --- | --- |
| ServiceID | String | Unique identifier of the L4 proxy service |
| SessionID | String | Unique identifier of the TCP connection or UDP session |
| ConnectTimeStamp | Timestamp ISO8601 | Connection establishment time; default UTC +0 timezone |
| DisconnetTimeStamp | Timestamp ISO8601 | Disconnection time; default UTC +0 timezone |
| DisconnetReason | String | Disconnection reason, in the format "direction: reason". Direction values: up (origin direction), down (client direction). Reason values: net_exception_peer_error (read/write peer returns error); net_exception_peer_close (peer has closed connection); create_peer_channel_exception (failed to create channel to next hop); channel_eof_exception (channel has ended: at the end of the request, the node that ends the request sends channel_eof to the adjacent node to inform that the request has ended); net_exception_closed (connection is closed); net_exception_timeout (read/write timeout) |
| ClientRealIP | String | Client real IP |
| ClientRegion | String | 2-letter country/region code of the client, in accordance with ISO-3166 alpha-2 standard |
| EdgeIP | String | IP address of the accessed EdgeOne server |
| ForwardProtocol | String | TCP/UDP forwarding protocol configured by the customer |
| ForwardPort | Integer | Forwarding port configured by the customer |
| SentBytes | Integer | Inbound traffic generated from the last log record time to this log record time, unit: Byte |
| ReceivedBytes | Integer | Outbound traffic generated from the last log record time to this log record time, unit: Byte |
| LogTimeStamp | Timestamp ISO8601 | Log generation time; default UTC +0 timezone |
Note:
For TCP long connections, EdgeOne records logs periodically and records a final log when the connection ends. You can determine whether the connection has been disconnected by whether the DisconnetReason field is empty; you can also use the SessionID to identify the connection, since logs with the same SessionID record the behavior of the same connection.
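An added example (not EdgeOne code) of the session handling this note describes: it splits DisconnetReason into direction and reason, treats "-" as the empty value per the no-value convention at the top of this page, and sums the per-interval byte counters for each SessionID. One JSON object per record is an assumption; the sample records and the `parse_reason` / `sessions` names are constructed for illustration.

```python
import json

# Constructed sample records; one JSON object per line is an assumption.
SAMPLE_L4 = """\
{"SessionID":"s-1","LogTimeStamp":"2024-05-01T10:00:00Z","ClientRealIP":"198.51.100.7","DisconnetReason":"-","SentBytes":1200,"ReceivedBytes":300}
{"SessionID":"s-1","LogTimeStamp":"2024-05-01T10:05:00Z","ClientRealIP":"198.51.100.7","DisconnetReason":"up: net_exception_timeout","SentBytes":800,"ReceivedBytes":-1}
{"SessionID":"s-2","LogTimeStamp":"2024-05-01T10:01:00Z","ClientRealIP":"203.0.113.9","DisconnetReason":"-","SentBytes":50,"ReceivedBytes":70}
"""

DIRECTIONS = {"up": "origin", "down": "client"}

def parse_reason(value):
    """Split "direction: reason"; return None while the field is empty."""
    if value in (None, "", "-"):
        return None
    direction, _, reason = value.partition(":")
    return DIRECTIONS.get(direction.strip(), "unknown"), reason.strip()

def sessions(text):
    """Return {SessionID: totals and disconnect info} across periodic records."""
    out = {}
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        s = out.setdefault(rec["SessionID"], {
            "sent": 0, "received": 0, "closed_by": None, "reason": None})
        # Counters cover only the interval since the previous record, so they
        # are summed; -1 (no data) contributes nothing.
        s["sent"] += max(rec.get("SentBytes", -1), 0)
        s["received"] += max(rec.get("ReceivedBytes", -1), 0)
        parsed = parse_reason(rec.get("DisconnetReason"))
        if parsed:  # only the final record of a session carries a reason
            s["closed_by"], s["reason"] = parsed
    return out
```

A session whose `closed_by` is still None had no disconnect record in the input, so it is either still open or its final record has not arrived yet.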