L7 Access Logs
The following are detailed field descriptions for L7 Access Logs (Site Acceleration Log, Rate Limiting, CC Attack Protection Log, Custom Rule Log, Bot Management Log, Managed Rule Log).
Note
Real-time Log - Site Acceleration Log records Full L7 Request Log, including the feature of L7 Protection Blocked Log is in beta testing. If needed, please Contact Us.
Rate Limiting, CC Attack Protection Log, Custom Rule Log, and Bot Management Log are projected to be discontinued on July 31, 2024. It is recommended to use the Site Acceleration Log to obtain comprehensive L7 Protection Logs.
Field Description
General Fields
Field Name | Data Type | Description | Does this field support offline logs | Does this field support real-time logs |
EdgeEndTime | Timestamp ISO8601 | The time to complete the response to the client request. Example value: 2024-10-14T05:13:43Z, denoting 05:13:43, October 14, 2024 (UTC+0), which is equivalent to 13:13:43, October 14, 2024 (UTC+8 (Beijing time)). | ✕ | ✓ |
EdgeFunctionSubrequest | Integer | Indicates whether this log entry belongs to a subrequest initiated by an edge function, with the following values: 1: Subrequest initiated by an edge function. 0: Subrequest not initiated by an edge function. | ✓ | ✓ |
EdgeServerID | String | Unique identifier of the EdgeOne server accessed by the client. | ✓ | ✓ |
EdgeServerIP | String | IP address of the EdgeOne server obtained through DNS resolution of the Host. | ✓ | ✓ |
EdgeSeverRegion | String | Country/Region resolved from the IP address of the responding EdgeOne node, in the format as per: ISO 3166-1 alpha-2. | ✕ | ✓ |
LogTime | Timestamp ISO8601 | Time the log was generated.Example value: 2024-10-14T05:13:43Z. | ✕ | ✓ |
ParentRequestID | String | If this request is initiated using edge functions, record the parent request's RequestID; otherwise, record as "-". | ✓ | ✓ |
RequestID | String | Unique ID of the client request. | ✓ | ✓ |
Client information
Field Name | Data Type | Description | Does this field support offline logs | Does this field support real-time logs |
ClientDeviceType | String | Client request device type, values are: TV: Television Tablet: Tablet PC Mobile: Mobile Phone Desktop: Computer Other: Other | ✕ | ✓ |
ClientIP | String | Client IP connecting to EdgeOne nodes. | ✓ | ✓ |
ClientISP | String | ISP information resolved from Client IP. For data within the Chinese mainland, record as the ISP's Chinese name; For data in global availability zones (excluding the Chinese mainland), record as Autonomous System Number (ASN). | ✓ | ✓ |
ClientRegion | String | ✓ | ✓ | |
ClientState | String | Subdivision below the country level resolved from the Client IP. Currently supports only data within the Chinese mainland. Format standard: ISO-3166-2. | ✓ | ✓ |
Request information
Field Name | Data Type | Description | Does this field support offline logs | Does this field support real-time logs |
RemotePort | Integer | The EdgeOne node port that establishes a connection with the client under the TCP protocol. | ✓ | ✓ |
RequestBytes | Integer | Total traffic sent from the client to the EdgeOne node during the request process, based on the size of the request header, request body, and data sent during the SSL handshake. Unit: Byte. | ✓ | ✓ |
RequestHost | String | Client request host. | ✓ | ✓ |
RequestMethod | String | HTTP client request method, values are: GET POST HEAD PUT DELETE CONNECT OPTIONS TRACE PATCH | ✓ | ✓ |
RequestProtocol | String | Client request application layer protocol, values are: HTTP/1.0 HTTP/1.1 HTTP/2.0 HTTP/3 WebSocket | ✓ | ✓ |
RequestRange | String | Client request Range. | ✓ | ✓ |
RequestReferer | String | Client request Referer. | ✓ | ✓ |
RequestSSLProtocol | String | Client SSL(TLS) protocol used. If the value is "-", it means there was no SSL handshake. Possible values are: TLS1.0 TLS1.1 TLS1.2 TLS1.3 | ✕ | ✓ |
RequestStatus | String | Client request status. If using the WebSocket protocol, EdgeOne will periodically log it. This field can be used to determine the connection status. Possible values are: 0: not ended 1: Request successfully terminated 2: Under WebSocket protocol, indicates the first log entry of the connection 3: Under WebSocket protocol, indicates a log entry that is neither the first nor the last of the connection | ✓ | ✓ |
RequestTime | Timestamp ISO8601 | Time when the EdgeOne node received the client request, timezone: UTC +00:00.Example value: 2024-10-14T05:13:43Z. | ✓ | ✓ |
RequestUA | String | Client request User-Agent. | ✓ | ✓ |
RequestUrl | String | Client request URL Path, excluding query parameters. | ✓ | ✓ |
RequestUrlQueryString | String | A query string that is carried in the client request URL. | ✓ | ✓ |
Response information
Field Name | Data Type | Description | Does this field support offline logs | Does this field support real-time logs |
EdgeCacheStatus | String | Whether the client request hits the node cache, values include: hit: resource provided by node cache miss: resource can be cached, but provided by origin server dynamic: resource cannot be cached other: unrecognized cache status | ✓ | ✓ |
EdgeInternalTime | Integer | Time consumption from when EdgeOne receives the client-initiated request to when the first byte is responded to the client; unit: ms. | ✓ | ✓ |
EdgeResponseBodyBytes | Integer | Response body size returned to the client by the nodes, unit: Byte. | ✓ | ✓ |
EdgeResponseBytes | Integer | Total traffic returned by the node to the client, based on the size of the response header, response body, and data sent by the EdgeOne node during the SSL handshake. Unit: Byte. | ✓ | ✓ |
EdgeResponseStatusCode | Integer | Response status code returned to the client by the nodes. | ✓ | ✓ |
EdgeResponseTime | Integer | Time consumed from when EdgeOne receives the client-initiated request to when the client receives the server-side response. Unit: ms. | ✓ | ✓ |
Real Server Information
Field Name | Data Type | Description | Does this field support offline logs | Does this field support real-time logs |
OriginDNSResponseDuration | Float | Time consumed to receive the DNS Resolution response from the origin server. If there is no origin retrieval, it is recorded as -1. Unit: ms. | ✕ | ✓ |
OriginIP | String | The IP of the origin server accessed for origin retrieval. If there is no origin retrieval, it is recorded as "-". | ✕ | ✓ |
OriginRequestHeaderSendDuration | Float | Time consumed to send the request header to the origin server. It is generally 0. If there is no origin retrieval, it is recorded as -1. Unit: ms. | ✕ | ✓ |
OriginResponseHeaderDuration | Float | Time consumed from sending the request header to the origin server to receiving the response header from the origin server. If there is no origin retrieval, it is recorded as -1. Unit: ms. | ✕ | ✓ |
OriginResponseStatusCode | Integer | origin server Response Status Code, if there is no origin retrieval, record as -1. | ✕ | ✓ |
OriginSSLProtocol | String | SSL protocol version used for the request to the origin server. If there is no origin retrieval, it is recorded as "-"; possible values: TLS1.0 TLS1.1 TLS1.2 TLS1.3 | ✕ | ✓ |
OriginTCPHandshakeDuration | Float | Time consumed to complete the TCP handshake when requesting the origin server. If there is no origin retrieval, it is recorded as -1. Unit: ms;Note: It is 0 when the connection is reused. | ✕ | ✓ |
OriginTLSHandshakeDuration | Float | Time consumed to complete the TLS handshake when requesting the origin server. If there is no origin retrieval or the origin-pull protocol is HTTP, it is recorded as -1. Unit: ms; Note: It is 0 when the connection is reused. | ✕ | ✓ |
Security Protection related fields
Field Name | Data Type | Description | Does this field support offline logs | Does this field support real-time logs |
BotCharacteristic | String | EO Bot Intelligent Analysis Engine has identified the characteristics of this request, only available for domains with the Bot Intelligent Analysis feature enabled in Bot Management. | ✕ | ✓ |
BotClassAccountTakeOver | String | Based on recent IP Intelligence Data, the Client IP request poses a risk level for malicious login attacks. The values are: high: High Risk medium: Medium Risk low: Low Risk -: No historical data or domain has not enabled the Client Reputation feature | ✕ | ✓ |
BotClassAttacker | String | Based on recent IP Intelligence Data, the Client IP request poses a risk level for attacks (e.g., DDoS, high-frequency malicious requests, site attacks). The values are: high: High Risk medium: Medium Risk low: Low Risk -: No historical data or domain has not enabled the Client Reputation feature | ✕ | ✓ |
BotClassMaliciousBot | String | Based on recent IP Intelligence Data, the Client IP request poses a risk level for malicious crawlers, volume brushing, and brute force attacks. The values are: high: High Risk medium: Medium Risk low: Low Risk -: No historical data or domain has not enabled the Client Reputation feature | ✕ | ✓ |
BotClassProxy | String | Based on recent IP Intelligence Data, the Client IP request opens a suspicious proxy port and is used as a Network Proxy (including Second-level IP Dialing). The risk levels are: high: High Risk medium: Medium Risk low: Low Risk -: No historical data or domain has not enabled the Client Reputation feature | ✕ | ✓ |
BotClassScanner | String | Based on recent IP Intelligence Data, the Client IP request shows Scanner Behavior of exploiting known vulnerabilities. The risk levels are: high: High Risk medium: Medium Risk low: Low Risk -: No historical data or domain has not enabled the Client Reputation feature | ✕ | ✓ |
BotTag | String | The EO Bot Intelligent Analysis Engine comprehensively evaluates requests based on factors such as request rate and the IP Intelligence Database, only available for domains with the Bot Intelligent Analysis feature enabled in Bot Management. The values are: evil_bot:Malicious Bot Requests suspect_bot:Suspected Bot Requests good_bot:Normal Bot Request normal:Normal Request -:Unclassified | ✕ | ✓ |
JA3Hash | String | Used to analyze the JA3 fingerprint’s MD5 hash value for SSL/TLS clients. Provided only for domains with Bot Management enabled. | ✕ | ✓ |
SecurityAction | String | Final disposition action after request hits security rules, with possible values: -:Unknown/Not Hit Monitor:Observation JSChallenge:JavaScript Challenge Deny:Block Allow:Allow BlockIP:IP Ban Redirect:Redirect ReturnCustomPage:Return to Custom Page ManagedChallenge:Hosted Challenge Silence:Silence LongDelay:Response after a long delay ShortDelay:Response after a short delay | ✕ | ✓ |
SecurityModule | String | The name of the security module that finally handles the request, corresponding to SecurityAction , possible values include:-:Unknown/Not Hit CustomRule: Web Protection - Custom Rules RateLimitingCustomRule: Web Protection - Rate Limiting Rules ManagedRule: Web Protection - Managed Rules L7DDoS: Web Protection - CC Attack Protection BotManagement: Bot Management - Basic Bot Management BotClientReputation: Bot Management - Client Profile Analytics BotBehaviorAnalysis: Bot Management - Intelligent Bot Analysis BotCustomRule: Bot Management - Custom Bot Rules BotActiveDetection: Bot Management - Proactive Feature Recognition | ✕ | ✓ |
SecurityRuleID | String | ID of the security rule for final request handling, corresponding to SecurityAction. | ✕ | ✓ |
Log Example
Below is an example of a single L7 access log by default. You can customize the EdgeOne log output format according to the specific requirements of the downstream log analysis system. For more details, see Custom Log Output Format.
{"ClientState": "CN-LN","BotTag": "normal","EdgeSeverRegion": "US","RequestID": "13719873400522703510","RequestMethod": "GET","RequestUrlQueryString": "-","LogTime": "2024-10-13T23:30:39Z","RequestUrl": "/app/","RequestBodyBytes": 0,"SecurityRuleID": "-","OriginRequestHeaderSendDuration": 0.001,"EdgeResponseTime": 379,"ParentRequestID": "-","RequestSSLProtocol": "-","RequestTime": "2024-10-13T23:30:39Z","EdgeResponseStatusCode": 404,"ClientIP": "0.0.0.0","BotCharacteristic": "-","SecurityAction": "-","EdgeEndTime": "2024-10-13T23:30:39Z","RequestRange": "-","BotClassScanner": "-","BotClassProxy": "-","ClientDeviceType": "Desktop","RequestHost": "chatgpt.skyrun.vip","OriginSSLProtocol": "-","EdgeResponseBodyBytes": 548,"RequestProtocol": "HTTP/1.1","EdgeServerID": "b3da9837137ad37f8e430b1d6de51dc5-d41d8cd98f00b204e9800998ecf8427e","EdgeCacheStatus": "miss","EdgeFunctionSubrequest": 0,"EdgeResponseBytes": 825,"OriginTCPHandshakeDuration": 182.485,"SecurityModule": "-","EdgeInternalTime": 378,"RequestBytes": 769,"OriginIP": "0.0.0.0","JA3Hash": "-","OriginResponseHeaderDuration": 182.676,"OriginResponseStatusCode": 404,"ClientRegion": "US","RemotePort": 80,"ClientISP": "AS396982","BotClassMaliciousBot": "-","BotClassAccountTakeOver": "-","OriginDNSResponseDuration": 0.0,"RequestReferer": "-","BotClassAttacker": "-","RequestUA": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","EdgeServerIP": "0.0.0.0","OriginTLSHandshakeDuration": -1,"RequestStatus": "1"}