L7 Access Logs
The following are detailed field descriptions for L7 access logs (Site Acceleration Logs, Rate Limiting and CC Attack Protection Logs, Custom Rule Logs, Bot Management Logs, and Managed Rule Logs).
Note
Recording full L7 request logs (including L7 protection block logs) in Real-time Logs - Site Acceleration Logs is in beta testing. If you need this feature, please contact us.
Rate Limiting and CC Attack Protection Logs, Custom Rule Logs, and Bot Management Logs will be deactivated on July 31, 2024. It is recommended to obtain full L7 protection logs by using the Site Acceleration Logs.
General Fields
Field Name | Data Type | Description | Supported by Offline Logs or Not | Supported by Real-Time Logs or Not |
EdgeEndTime | Timestamp ISO8601 | The time to complete the response to the client request. | ✕ | ✓ |
EdgeFunctionSubrequest | Integer | Indicates whether this log entry belongs to a sub-request initiated by an edge function. Valid values include: 1: a sub-request initiated by an edge function; 0: not a sub-request initiated by an edge function. | ✓ | ✓ |
EdgeServerID | String | Unique identifier of the EdgeOne server accessed by the client. | ✓ | ✓ |
EdgeServerIP | String | IP address of the EdgeOne server obtained through DNS resolution of the host. | ✓ | ✓ |
EdgeSeverRegion | String | Country resolved from the IP address of the responding EdgeOne node. For the format standard, refer to ISO 3166-1 alpha-2. | ✕ | ✓ |
LogTime | Timestamp ISO8601 | Generation time of the logs. | ✕ | ✓ |
ParentRequestID | String | If this request is initiated using edge functions, it is recorded as the RequestID of the parent request; otherwise, it is recorded as -. | ✓ | ✓ |
RequestID | String | Unique identifier of the client request. | ✓ | ✓ |
Client Information
Field Name | Data Type | Description | Supported by Offline Logs or Not | Supported by Real-Time Logs or Not |
ClientDeviceType | String | Client request device type. Valid values include: TV: Television; Tablet: Tablet PC; Mobile: Mobile phone; Desktop: Computer; Other: Others | ✕ | ✓ |
ClientIP | String | Client IP address connected to EdgeOne nodes. | ✓ | ✓ |
ClientISP | String | ISP information resolved from the Client IP address. For data within the Chinese mainland, it is recorded as the ISP's Chinese name. For data in global availability zones (excluding the Chinese mainland), it is recorded as Autonomous System Number (ASN). | ✓ | ✓ |
ClientRegion | String | ✓ | ✓ | |
ClientState | String | Administrative region below the country level, resolved from the Client IP address. Currently, it only supports data within the Chinese mainland. Format standard: ISO-3166-2. | ✓ | ✓ |
Request Information
Field Name | Data Type | Description | Supported by Offline Logs or Not | Supported by Real-Time Logs or Not |
RemotePort | Integer | Port for establishing a connection between the client and the node under the TCP protocol. | ✓ | ✓ |
RequestBytes | Integer | Total traffic sent from the client to the EdgeOne node during the request process, in bytes. It is obtained from statistics based on the request header size, request body size, and data sent from the client to the EdgeOne node during the SSL handshake. | ✓ | ✓ |
RequestHost | String | Host of the client request. | ✓ | ✓ |
RequestMethod | String | HTTP method of the client request. Valid values include: GET, POST, HEAD, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH | ✓ | ✓ |
RequestProtocol | String | Application layer protocol of the client request. Valid values include: HTTP/1.0, HTTP/1.1, HTTP/2.0, HTTP/3, WebSocket | ✓ | ✓ |
RequestRange | String | Range parameter information of the client request. | ✓ | ✓ |
RequestReferer | String | Referer information of the client request. | ✓ | ✓ |
RequestSSLProtocol | String | SSL (TLS) protocol used by the client. If the value is -, it indicates no SSL handshake in the request. Valid values include: TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3 | ✕ | ✓ |
RequestStatus | Integer | Status of the client request. For WebSocket requests, EdgeOne will periodically print logs. This field can be used to determine the connection status. Valid values include: 0: The request has not ended; 1: The request ended normally; 2: The first log entry of the same connection under the WebSocket protocol; 3: A log entry that is neither the first nor the last of the same connection under the WebSocket protocol. | ✓ | ✓ |
RequestTime | Timestamp ISO8601 | Time when the EdgeOne node receives the client request. Time zone: UTC +00:00. | ✓ | ✓ |
RequestUA | String | User-Agent information of the client request. | ✓ | ✓ |
RequestUrl | String | URL path of the client request, excluding query parameters. | ✓ | ✓ |
RequestUrlQueryString | String | Query parameter carried in the client request URL. | ✓ | ✓ |
Response Information
Field Name | Data Type | Description | Supported by Offline Logs or Not | Supported by Real-Time Logs or Not |
EdgeCacheStatus | String | Whether the client request hits the node cache. Valid values include: hit: The resource is provided by the node cache; miss: The resource can be cached, but is provided by the origin server; dynamic: The resource cannot be cached; other: The cache status cannot be recognized. | ✓ | ✓ |
EdgeInternalTime | Integer | Duration from the time when EdgeOne receives the client-initiated request to the time when the first byte of the response is sent to the client, in ms. | ✓ | ✓ |
EdgeResponseBodyBytes | Integer | Size of the response body returned by the node to the client, in bytes. | ✓ | ✓ |
EdgeResponseBytes | Integer | Total traffic returned by the node to the client, in bytes. It is obtained from statistics based on the response header size, response body size, and data sent by the EdgeOne node to the client during the SSL handshake. | ✓ | ✓ |
EdgeResponseStatusCode | Integer | Response status code returned to the client by the node. | ✓ | ✓ |
EdgeResponseTime | Integer | Duration from the time when EdgeOne receives the client-initiated request to the time when the client receives the server-side response, in ms. | ✓ | ✓ |
Origin Server Information
Field Name | Data Type | Description | Supported by Offline Logs or Not | Supported by Real-Time Logs or Not |
OriginDNSResponseDuration | Float | Time consumed to receive the DNS Resolution response from the origin server, in ms. If there is no origin-pull, it is recorded as -1. | ✕ | ✓ |
OriginIP | String | IP address of the origin server accessed for origin-pull. If there is no origin-pull, it is recorded as -. | ✕ | ✓ |
OriginRequestHeaderSendDuration | Float | Time consumed to send the request header to the origin server, in ms. It is generally 0. If there is no origin-pull, it is recorded as -1. | ✕ | ✓ |
OriginResponseHeaderDuration | Float | Duration from sending the request header to the origin server to receiving the response header from the origin server, in ms. If there is no origin-pull, it is recorded as -1. | ✕ | ✓ |
OriginResponseStatusCode | Integer | Response status code of the origin server. If there is no origin-pull, it is recorded as -1. | ✕ | ✓ |
OriginSSLProtocol | String | SSL protocol version used for requesting the origin server. If there is no origin-pull, it is recorded as -. Valid values include: TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3 | ✕ | ✓ |
OriginTCPHandshakeDuration | Float | Time consumed to complete the TCP handshake when requesting the origin server, in ms. If there is no origin-pull, it is recorded as -1. Note: It is 0 when the connection is reused. | ✕ | ✓ |
OriginTLSHandshakeDuration | Float | Time consumed to complete the TLS handshake when requesting the origin server, in ms. If there is no origin-pull, it is recorded as -1. Note: It is 0 when the connection is reused. | ✕ | ✓ |
Fields Related to Security Protection
Field Name | Data Type | Description | Supported by Offline Logs or Not | Supported by Real-Time Logs or Not |
BotCharacteristic | String | Characteristics of this request identified by EO Bot Intelligent Analysis Engine, only available for domains with Bot Management - Bot Intelligent Analysis enabled. | ✕ | ✓ |
BotClassAccountTakeOver | String | Risk level of the requesting client's IP address with malicious cracking logins and account takeover attacks, based on the recent IP intelligence data. Valid values include: high: high risk; medium: medium risk; low: low risk; -: No historical data or the domain has not enabled the Client Reputation feature. | ✕ | ✓ |
BotClassAttacker | String | Risk level of the requesting client's IP address with attacks (e.g., DDoS, high-frequency malicious requests, and site attacks), based on the recent IP intelligence data. Valid values include: high: high risk; medium: medium risk; low: low risk; -: No historical data or the domain has not enabled the Client Reputation feature. | ✕ | ✓ |
BotClassMaliciousBot | String | Risk level of the requesting client's IP address with malicious crawlers, brushing, and brute force attacks, based on the recent IP intelligence data. Valid values include: high: high risk; medium: medium risk; low: low risk; -: No historical data or the domain has not enabled the Client Reputation feature. | ✕ | ✓ |
BotClassProxy | String | Risk level of the requesting client's IP address opening suspicious proxy ports and being used as a network proxy (including second-level dialing IP), based on the recent IP intelligence data. Valid values include: high: high risk; medium: medium risk; low: low risk; -: No historical data or the domain has not enabled the Client Reputation feature. | ✕ | ✓ |
BotClassScanner | String | Risk level of the requesting client's IP address with scanner actions of exploiting known vulnerabilities, based on the recent IP intelligence data. Valid values include: high: high risk; medium: medium risk; low: low risk; -: No historical data or the domain has not enabled the Client Reputation feature. | ✕ | ✓ |
BotTag | String | Comprehensive evaluation and classification of the request by the EO Bot Intelligent Analysis Engine based on factors such as the request rate and the IP intelligence database. It is only available for domains with Bot Management - Bot Intelligent Analysis enabled. Valid values include: evil_bot (malicious Bot request); suspect_bot (suspected Bot request); good_bot (normal Bot request); normal (normal request); - (unclassified) | ✕ | ✓ |
JA3Hash | String | MD5 hash value of the JA3 fingerprint, used to analyze the SSL/TLS clients. It is only available for domains with Bot Management enabled. | ✕ | ✓ |
SecurityAction | String | Final handling action after a request matches the security rules. Valid values include: -: unknown/not matched; Monitor: observation; JSChallenge: JavaScript challenge; Deny: block; Allow: pass; BlockIP: IP banning; Redirect: redirect; ReturnCustomPage: returning custom pages; ManagedChallenge: managed challenge; Silence: Silence; LongDelay: response after a long delay; ShortDelay: response after a short delay | ✕ | ✓ |
SecurityModule | String | Name of the security module finally handling the request, corresponding to SecurityAction. Valid values include: -: unknown/not matched; CustomRule: Web Protection - Custom Rules; RateLimitingCustomRule: Web Protection - Rate Limiting Rules; ManagedRule: Web Protection - Managed Rules; L7DDoS: Web Protection - CC Attack Protection; BotManagement: Bot Management - Bot Basic Management; BotClientReputation: Bot Management - Client Reputation; BotBehaviorAnalysis: Bot Management - Bot Intelligent Analysis; BotCustomRule: Bot Management - Custom Bot Rules; BotActiveDetection: Bot Management - Proactive Feature Recognition | ✕ | ✓ |
SecurityRuleID | String | ID of the security rule for final request handling, corresponding to SecurityAction. | ✕ | ✓ |
Note:
In the site acceleration logs, for long connections using the WebSocket protocol, EdgeOne will periodically record logs and the last log entry is recorded at the end of the final request. Requests can be identified through the RequestID field, that is, logs with the same RequestID represent the same connection. Additionally, the RequestStatus field can be used to determine the connection status at the time of logging.
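The following added example (not EdgeOne code) applies the RequestID and RequestStatus rules from the note when counting blocked requests, so that the periodic entries of one WebSocket connection are not counted as separate requests. The JSON-lines input format, the sample records, the rule IDs and the reading of RequestStatus 1 as the closing entry are assumptions made for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records, not real traffic; one JSON object per line is assumed.
SAMPLE = """\
{"RequestID":"r1","ClientIP":"203.0.113.7","RequestProtocol":"WebSocket","RequestStatus":2,"SecurityAction":"-","SecurityModule":"-","SecurityRuleID":"-"}
{"RequestID":"r1","ClientIP":"203.0.113.7","RequestProtocol":"WebSocket","RequestStatus":3,"SecurityAction":"-","SecurityModule":"-","SecurityRuleID":"-"}
{"RequestID":"r2","ClientIP":"203.0.113.8","RequestProtocol":"WebSocket","RequestStatus":2,"SecurityAction":"-","SecurityModule":"-","SecurityRuleID":"-"}
{"RequestID":"r3","ClientIP":"198.51.100.9","RequestProtocol":"HTTP/1.1","RequestStatus":1,"SecurityAction":"Deny","SecurityModule":"ManagedRule","SecurityRuleID":"rule-example-1","OriginIP":"-","OriginResponseStatusCode":-1}
{"RequestID":"r1","ClientIP":"203.0.113.7","RequestProtocol":"WebSocket","RequestStatus":1,"SecurityAction":"-","SecurityModule":"-","SecurityRuleID":"-"}
{"RequestID":"r4","ClientIP":"198.51.100.9","RequestProtocol":"HTTP/2.0","RequestStatus":1,"SecurityAction":"Deny","SecurityModule":"ManagedRule","SecurityRuleID":"rule-example-1","OriginIP":"-","OriginResponseStatusCode":-1}
{"RequestID":"r2","ClientIP":"203.0.113.8","RequestProtocol":"WebSocket","RequestStatus":3,"SecurityAction":"-","SecurityModule":"-","SecurityRuleID":"-"}
{"RequestID":"r5","ClientIP":"203.0.113.7","RequestProtocol":"HTTP/1.1","RequestStatus":1,"SecurityAction":"Monitor","SecurityModule":"CustomRule","SecurityRuleID":"rule-example-2","OriginIP":"192.0.2.10","OriginResponseStatusCode":200}
"""

def parse(text):
    """Yield records with the page's 'no value' sentinels ('-', Origin* == -1) as None."""
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        yield {k: None if v == "-" or (k.startswith("Origin") and v == -1) else v
               for k, v in rec.items()}

def connections(records):
    """Group entries by RequestID: one key is one request or one WebSocket connection."""
    conns = defaultdict(list)
    for rec in records:
        conns[rec["RequestID"]].append(rec)
    return conns

def state(entries):
    """Interpretation: 'ended' once an entry has RequestStatus 1, else still open."""
    return "ended" if any(e["RequestStatus"] == 1 for e in entries) else "open"

def enforcement_counts(conns, actions=("Deny", "BlockIP")):
    """Count distinct RequestIDs per (ClientIP, SecurityModule, SecurityRuleID)."""
    counts = Counter()
    for entries in conns.values():
        last = entries[-1]  # final handling is read from the latest entry
        if last["SecurityAction"] in actions:
            counts[last["ClientIP"], last["SecurityModule"], last["SecurityRuleID"]] += 1
    return counts

if __name__ == "__main__":
    conns = connections(parse(SAMPLE))
    for rid, entries in conns.items():
        print(rid, len(entries), state(entries))
    print(dict(enforcement_counts(conns)))
```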