请选择
Observability
  • Log Service
    • Overview
    • Real-time Logs
      • Real-time Logs Overview
      • Push to Tencent Cloud CLS
      • Push to AWS S3-Compatible COS
      • Push to HTTP Server
    • Offline Logs
    • Related References
      • Field description
        • L7 Access Logs
        • L4 Proxy Logs
      • Real-Time Log Push Filter Conditions
      • Custom Log Push Fields
  • Data Analysis
    • Overview
    • Traffic Analysis
    • Cache Analysis
    • Security Analysis
      • Site Security Overview
      • Web Security Analysis
    • L4 Proxy
    • DNS Resolution
    • Related References
      • How to use filter condition
      • How to Modify Query Time Range
      • How to Export Statistical Data and Reports

L7 Access Logs

The following are detailed field descriptions for L7 access logs (Site Acceleration Logs, Rate Limiting and CC Attack Protection Logs, Custom Rule Logs, Bot Management Logs, and Managed Rule Logs).
Note
The feature of Real-time Logs - Site Acceleration Logs to record full L7 request logs (including L7 protection block logs) is in beta testing. If needed, please contact us.
Rate Limiting and CC Attack Protection Logs, Custom Rule Logs, and Bot Management Logs will be deactivated on July 31, 2024. It is recommended to obtain full L7 protection logs by using the Site Acceleration Logs.

General Fields

Field Name
Data Type
Description
Supported by Offline Logs or Not
Supported by Real-Time Logs or Not
EdgeEndTime
Timestamp ISO8601
The time to complete the response to the client request.
EdgeFunctionSubrequest
Integer
Indicates whether this log entry belongs to a sub-request initiated by an edge function. Valid values include:
1: sub-request initiated by an edge function.
0: sub-request not initiated by an edge function.
EdgeServerID
String
Unique identifier of the EdgeOne server accessed by the client.
EdgeServerIP
String
IP address of the EdgeOne server obtained through DNS resolution of the host.
EdgeSeverRegion
String
Country resolved from the IP address of the responding EdgeOne node. For the format standard, refer to ISO 3166-1 alpha-2.
LogTime
Timestamp ISO8601
Generation time of the logs.
ParentRequestID
String
If this request is initiated using edge functions, it is recorded as the RequestID of the parent request; otherwise, it is recorded as -.
RequestID
String
Unique identifier of the client request.

Client Information

Field Name
Data Type
Description
Supported by Offline Logs or Not
Supported by Real-Time Logs or Not
ClientDeviceType
String
Client request device type. Valid values include:
TV: Television
Tablet: Tablet PC
Mobile: Mobile phone
Desktop: Computer
Other: Others
ClientIP
String
Client IP address connected to EdgeOne nodes.
ClientISP
String
ISP information resolved from the Client IP address.
For data within the Chinese mainland, it is recorded as the ISP's Chinese name.
For data in global availability zones (excluding the Chinese mainland), it is recorded as Autonomous System Number (ASN).
ClientRegion
String
Country/Region resolved from the Client IP address. Format standard: ISO 3166-1 alpha-2.
ClientState
String
Administrative region below the country level, resolved from the Client IP address. Currently, it only supports data within the Chinese mainland. Format standard: ISO-3166-2.

Request Information

Field Name
Data Type
Description
Supported by Offline Logs or Not
Supported by Real-Time Logs or Not
RemotePort
Integer
Port for establishing a connection between the client and the node under the TCP protocol.
RequestBytes
Integer
Total traffic sent from the client to the EdgeOne node during the request process, in bytes. It is obtained from statistics based on the request header size, request body size, and data sent from the client to the EdgeOne node during the SSL handshake.
RequestHost
String
Host of the client request.
RequestMethod
String
HTTP method of the client request. Valid values include:
GET
POST
HEAD
PUT
DELETE
CONNECT
OPTIONS
TRACE
PATCH
RequestProtocol
String
Application layer protocol of the client request. Valid values include:
HTTP/1.0
HTTP/1.1
HTTP/2.0
HTTP/3
WebSocket
RequestRange
String
Range parameter information of the client request.
RequestReferer
String
Referer information of the client request.
RequestSSLProtocol
String
SSL (TLS) protocol used by the client. If the value is -, it indicates no SSL handshake in the request. Valid values include:
TLS 1.0
TLS 1.1
TLS 1.2
TLS 1.3
RequestStatus
Integer
Status of the client request. For WebSocket requests, EdgeOne will periodically print logs. This field can be used to determine the connection status. Valid values include:
0: Request does not end.
1: Request ends normally.
2: It indicates the first log entry of the same connection under the WebSocket protocol.
3: It indicates a log entry that is neither the first nor the last of the same connection under the WebSocket protocol.
RequestTime
Timestamp ISO8601
Time when the EdgeOne node receives the client request. Time zone: UTC +00:00.
RequestUA
String
User-Agent information of the client request.
RequestUrl
String
URL path of the client request, excluding query parameters.
RequestUrlQueryString
String
Query parameter carried in the client request URL.

Response Information

Field Name
Data Type
Description
Supported by Offline Logs or Not
Supported by Real-Time Logs or Not
EdgeCacheStatus
String
Whether the client request hits the node cache. Valid values include:
hit: The resource is provided by the node cache.
miss: The resource can be cached, but provided by the origin server.
dynamic: The resource cannot be cached.
other: The cache status cannot be recognized.
EdgeInternalTime
Integer
Duration from the time when EdgeOne receives the client-initiated request to the time when the first byte is responded to the client, in ms.
EdgeResponseBodyBytes
Integer
Size of the response body returned by the node to the client, in bytes.
EdgeResponseBytes
Integer
Total traffic returned by the node to the client, in bytes. It is obtained from statistics based on the response header size, response body size, and data sent by the EdgeOne node to the client during the SSL handshake.
EdgeResponseStatusCode
Integer
Response status code returned to the client by the node.
EdgeResponseTime
Integer
Duration from the time when EdgeOne receives the client-initiated request to the time when the client receives the server-side response, in ms.

Origin Server Information

Field Name
Data Type
Description
Supported by Offline Logs or Not
Supported by Real-Time Logs or Not
OriginDNSResponseDuration
Float
Time consumed to receive the DNS Resolution response from the origin server, in ms. If there is no origin-pull, it is recorded as -1.
OriginIP
String
IP address of the origin server accessed for origin-pull. If there is no origin-pull, it is recorded as -.
OriginRequestHeaderSendDuration
Float
Time consumed to send the request header to the origin server, in ms. It is generally 0. If there is no origin-pull, it is recorded as -1.
OriginResponseHeaderDuration
Float
Duration from sending the request header to the origin server to receiving the response header from the origin server, in ms. If there is no origin-pull, it is recorded as -1.
OriginResponseStatusCode
Integer
Response status code of the origin server. If there is no origin-pull, it is recorded as -1.
OriginSSLProtocol
String
SSL protocol version used for requesting the origin server. If there is no origin-pull, it is recorded as -. Valid values include:
TLS 1.0
TLS 1.1
TLS 1.2
TLS 1.3
OriginTCPHandshakeDuration
Float
Time consumed to complete the TCP handshake when requesting the origin server, in ms. If there is no origin-pull, it is recorded as -1. Note: It is 0 when the connection is reused.
OriginTLSHandshakeDuration
Float
Time consumed to complete the TLS handshake when requesting the origin server, in ms. If there is no origin-pull, it is recorded as -1. Note: It is 0 when the connection is reused.

Fields Related to Security Protection

Field Name
Data Type
Description
Supported by Offline Logs or Not
Supported by Real-Time Logs or Not
BotCharacteristic
String
Characteristics of this request identified by EO Bot Intelligent Analysis Engine, only available for domains with Bot Management - Bot Intelligent Analysis enabled.
BotClassAccountTakeOver
String
Risk level of the requesting client's IP address with malicious cracking logins and account takeover attacks, based on the recent IP intelligence data. Valid values include:
high: high risk
medium: medium risk
low: low risk
-: No historical data or the domain has not enabled the Client Reputation feature.
BotClassAttacker
String
Risk level of the requesting client's IP address with attacks (e.g., DDoS, high-frequency malicious requests, and site attacks), based on the recent IP intelligence data. Valid values include:
high: high risk
medium: medium risk
low: low risk
-: No historical data or the domain has not enabled the Client Reputation feature.
BotClassMaliciousBot
String
Risk level of the requesting client's IP address with malicious crawlers, brushing, and brute force attacks, based on the recent IP intelligence data. Valid values include:
high: high risk
medium: medium risk
low: low risk
-: No historical data or the domain has not enabled the Client Reputation feature.
BotClassProxy
String
Risk level of the requesting client's IP address opening suspicious proxy ports and being used as a network proxy (including second-level dialing IP), based on the recent IP intelligence data. Valid values include:
high: high risk
medium: medium risk
low: low risk
-: No historical data or the domain has not enabled the Client Reputation feature
BotClassScanner
String
Risk level of the requesting client's IP address with scanner actions of exploiting known vulnerabilities, based on the recent IP intelligence data. Valid values include:
high: high risk
medium: medium risk
low: low risk
-: No historical data or the domain has not enabled the Client Reputation feature.
BotTag
String
Comprehensive evaluation and classification of the request by the EO Bot Intelligent Analysis Engine based on factors such as the request rate and the IP intelligence database. It is only available for domains with Bot Management - Bot Intelligent Analysis enabled. Valid values include:
evil_bot (malicious Bot request)
suspect_bot (suspected Bot request)
good_bot (normal Bot request)
normal (normal request)
- (unclassified)
JA3Hash
String
MD5 hash value of the JA3 fingerprint, used to analyze the SSL/TLS clients. It is only available for domains with Bot Management enabled.
SecurityAction
String
Final handling action after a request matches the security rules. Valid values include:
-: unknown/not matched
Monitor: observation
JSChallenge: JavaScript challenge
Deny: block
Allow: pass
BlockIP: IP banning
Redirect: redirect
ReturnCustomPage: returning custom pages
ManagedChallenge: managed challenge
Silence: Silence
LongDelay: response after a long delay
ShortDelay: response after a short delay
SecurityModule
String
Name of the security module finally handling the request, corresponding to SecurityAction. Valid values include:
-: unknown/not matched
CustomRule: Web Protection - Custom Rules
RateLimitingCustomRule: Web Protection - Rate Limiting Rules
ManagedRule: Web Protection - Managed Rules
L7DDoS: Web Protection - CC Attack Protection
BotManagement: Bot Management - Bot Basic Management
BotClientReputation: Bot Management - Client Reputation
BotBehaviorAnalysis: Bot Management - Bot Intelligent Analysis
BotCustomRule: Bot Management - Custom Bot Rules
BotActiveDetection: Bot Management - Proactive Feature Recognition
SecurityRuleID
String
ID of the security rule for final request handling, corresponding to SecurityAction.
Note:
In the site acceleration logs, for long connections using the WebSocket protocol, EdgeOne will periodically record logs and the last log entry is recorded at the end of the final request. Requests can be identified through the RequestID field, that is, logs with the same RequestID represent the same connection. Additionally, the RequestStatus field can be used to determine the connection status at the time of logging.