Real-time Log Field Description
This article describes the fields of the site acceleration logs and L4 proxy logs available in real-time logs.
Note:
When a field has no value:
If the data type of the field is String and the field has no data, the field value is: "-".
If the data type of the field is Integer and the field has no data, the field value is: -1.
Site Acceleration Log
Name | Data Type | Description |
LogTime | Timestamp ISO8601 | Time when the log is generated |
RequestID | String | Unique ID of the client request |
ClientIP | String | Client IP |
ClientRegion | String | |
ClientState | String | Sub-national administrative division of the country, resolved from the client IP. Currently only data within mainland China is supported. Format standard: ISO-3166 alpha-2 |
ClientISP | String | ISP information resolved from the client IP. Data within mainland China is recorded under the ISP's Chinese name. Data for Global Availability Zones (excluding mainland China) is recorded as the Autonomous System Number (ASN) |
RequestTime | Timestamp ISO8601 | Client request time, time zone: UTC +00:00 |
RequestStatus | Integer | Status of the client request. When the WebSocket protocol is used, EdgeOne periodically prints logs, and this field can be used to determine the connection status. Value options: 0: Not ended; 1: Request ended normally; 2: Ended abnormally |
RequestHost | String | Host of the client request |
RequestBytes | Integer | Size of the client request, unit: Byte |
RequestMethod | String | HTTP Method of the client request, value options: GET POST HEAD PUT DELETE CONNECT OPTIONS TRACE PATCH |
RequestSSLProtocol | String | SSL (TLS) protocol used by the client, if the value is "-", there is no SSL handshake in the request; value options: TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 |
ClientDeviceType | String | Device type of the client request, value options: TV Tablet Mobile Desktop Other |
RequestUrl | String | URL of the client request |
RequestUrlQueryString | String | Query parameter carried by the client request URL |
RequestUA | String | User-Agent information of the client request |
RequestRange | String | Range parameter information of the client request |
RequestReferer | String | Referer information of the client request |
RequestProtocol | String | Application layer protocol of the client request, value options: HTTP/1.0 HTTP/1.1 HTTP/2.0 HTTP/3 WebSocket |
RemotePort | Integer | Port for establishing a connection between the client and the node under the TCP protocol |
EdgeCacheStatus | String | Whether the client request hits the node cache, value options: hit: Resource provided by the node cache; miss: Resource can be cached, but provided by the origin; dynamic: Resource cannot be cached |
EdgeResponseStatusCode | Integer | Status code returned by the node response to the client |
EdgeResponseBytes | Integer | Size of the node response returned to the client, unit: Byte |
EdgeResponseBodyBytes | Integer | Body size of the node response returned to the client, unit: Byte |
EdgeResponseTime | Integer | Time consumed from the start of receiving the client request by EdgeOne to the end of the client receiving the server response; unit: ms |
EdgeInternalTime | Integer | Time consumed from the start of receiving the client request by EdgeOne to the first byte of the response to the client; unit: ms |
EdgeServerIP | String | EdgeOne server IP address obtained by DNS resolution of Host |
EdgeServerID | String | Unique identifier of the EdgeOne server accessed by the client |
EdgeSeverRegion | String | |
EdgeEndTime | Timestamp ISO8601 | Time to complete the response to the client request |
OriginDNSResponseDuration | Float | Time consumed to receive the DNS resolution response for the origin server, if not origin-pull, record as -1, unit: ms |
OriginIP | String | Origin IP accessed by the origin-pull, if not origin-pull, record as "-" |
OriginRequestHeaderSendDuration | Float | Time consumed to send the request header to the origin server, usually 0; if not origin-pull, record as -1, unit: ms |
OriginSSLProtocol | String | SSL protocol version used for requesting the origin, if not origin-pull, record as "-"; value options: TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 |
OriginTCPHandshakeDuration | Float | Time consumed to complete the TCP handshake when requesting the origin, if not origin-pull, record as "-1", unit: ms; Note: 0 when the connection is reused |
OriginTLSHandshakeDuration | Float | Time consumed to complete the TLS handshake when requesting the origin, if not origin-pull, record as "-1", unit: ms; Note: 0 when the connection is reused |
OriginResponseHeaderDuration | Float | Time consumed from sending the request header to the origin to receiving the response header from the origin, if not origin-pull, record as "-1", unit: ms |
OriginResponseStatusCode | Integer | Origin response status code, if not origin-pull, record as "-1" |
BotClassAttacker | String | Risk level, based on recent intelligence data, of the client IP showing attack behavior (such as DDoS, high-frequency malicious requests, site attacks, etc.). "-" corresponds to no historical data; other value options: high: high risk; medium: medium risk; low: low risk |
BotClassProxy | String | Risk level, based on recent intelligence data, of the client IP having suspicious proxy ports open and being used as a network proxy (including Proxy). "-" corresponds to no historical data; other value options: high: high risk; medium: medium risk; low: low risk |
BotClassScanner | String | Risk level, based on recent intelligence data, of the client IP sending requests that scan for known vulnerabilities. "-" corresponds to no historical data; other value options: high: high risk; medium: medium risk; low: low risk |
BotClassAccountTakeOver | String | Risk level, based on recent intelligence data, of the client IP sending requests for malicious account cracking and initiating account takeover attacks. "-" corresponds to no historical data; other value options: high: high risk; medium: medium risk; low: low risk |
BotClassMaliciousBot | String | Risk level, based on recent intelligence data, of the client IP sending requests associated with malicious bots, hotlinking, and brute force cracking. "-" corresponds to no historical data; other value options: high: high risk; medium: medium risk; low: low risk |
Note:
In the site acceleration log, for long connections that use the WebSocket protocol, EdgeOne periodically records logs and records a final log when the request ends. You can identify requests by the RequestID field: logs with the same RequestID represent the same connection. You can also determine the connection status at the time of log recording through the RequestStatus field.
L4 Proxy Log
Name | Data Type | Description |
ServiceID | String | Unique identifier ID for L4 proxy service |
SessionID | String | Unique identifier ID for TCP connection or UDP session |
ConnectTimeStamp | Timestamp ISO8601 | Connection establishment time; default UTC +0 timezone |
DisconnetTimeStamp | Timestamp ISO8601 | Disconnection time; default UTC +0 timezone |
DisconnetReason | String | Disconnection reason; format is "direction: reason". Direction values: up: origin direction; down: client direction. Reason values: net_exception_peer_error: read/write peer returns error; net_exception_peer_close: peer has closed connection; create_peer_channel_exception: failed to create channel to next hop; channel_eof_exception: channel has ended (at the end of the request, the node that ends the request sends channel_eof to the adjacent node to inform that the request has ended); net_exception_closed: connection is closed; net_exception_timeout: read/write timeout |
ClientRealIP | String | Client real IP |
ClientRegion | String | |
EdgeIP | String | IP address of the accessed EdgeOne server |
ForwardProtocol | String | TCP/UDP forwarding protocol configured by the customer |
ForwardPort | Integer | Forwarding port configured by the customer |
SentBytes | Integer | Inbound traffic generated from the last log record time to this log record time, unit: Byte |
ReceivedBytes | Integer | Outbound traffic generated from the last log record time to this log record time, unit: Byte |
LogTimeStamp | Timestamp ISO8601 | Log generation time; default UTC +0 timezone |
Note:
In the case of TCP long connections, EdgeOne periodically records logs and records the last log when the connection ends. You can determine whether the connection is disconnected by whether the DisconnetReason field is empty. You can also use the SessionID to identify the connection: logs with the same SessionID record the behavior of the same connection.
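The two notes above (WebSocket logs keyed by RequestID, L4 logs keyed by SessionID) imply that a consumer must merge periodic records before analysing them. The following is an added example, not EdgeOne code: it assumes records arrive as JSON Lines, uses constructed sample records, and its function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample records; JSON Lines delivery is an assumption of this example.
L4_SAMPLE = """\
{"SessionID": "s-1", "LogTimeStamp": "2024-05-01T10:00:00Z", "SentBytes": 1200, "ReceivedBytes": 300, "DisconnetReason": "-"}
{"SessionID": "s-1", "LogTimeStamp": "2024-05-01T10:05:00Z", "SentBytes": 800, "ReceivedBytes": -1, "DisconnetReason": "down: net_exception_peer_close"}
{"SessionID": "s-2", "LogTimeStamp": "2024-05-01T10:01:00Z", "SentBytes": 50, "ReceivedBytes": 70, "DisconnetReason": "-"}
"""
WS_SAMPLE = """\
{"RequestID": "r-1", "LogTime": "2024-05-01T10:00:00Z", "RequestStatus": 0}
{"RequestID": "r-1", "LogTime": "2024-05-01T10:02:00Z", "RequestStatus": 2}
{"RequestID": "r-2", "LogTime": "2024-05-01T10:01:00Z", "RequestStatus": 0}
"""
STATUS = {0: "not ended", 1: "ended normally", 2: "ended abnormally"}

def load(text):
    """Parse JSON Lines and map the no-value sentinels ("-" and -1) to None."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rows.append({k: (None if v == "-" or v == -1 else v) for k, v in rec.items()})
    return rows

def l4_sessions(rows):
    """Rebuild each L4 connection from its periodic records, keyed by SessionID."""
    out = defaultdict(lambda: {"sent": 0, "received": 0, "closed": False,
                               "direction": None, "reason": None})
    # Same-format UTC ISO8601 strings sort chronologically as plain strings.
    for r in sorted(rows, key=lambda r: r["LogTimeStamp"]):
        s = out[r["SessionID"]]
        # Byte counters cover only the interval since the previous record, so sum them.
        s["sent"] += r["SentBytes"] or 0
        s["received"] += r["ReceivedBytes"] or 0
        if r["DisconnetReason"]:  # non-empty means closed; format "direction: reason"
            direction, _, reason = r["DisconnetReason"].partition(":")
            s.update(closed=True, direction=direction.strip(), reason=reason.strip())
    return dict(out)

def websocket_state(rows):
    """Latest RequestStatus per RequestID (one RequestID is one connection)."""
    latest = {}
    for r in sorted(rows, key=lambda r: r["LogTime"]):
        latest[r["RequestID"]] = STATUS.get(r["RequestStatus"], "unknown")
    return latest
```

Normalising the sentinels before aggregation keeps a missing byte count (-1) from being subtracted from a session total, and keeps "-" from being counted as a disconnect reason.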