L7 Access Logs
The following are detailed field descriptions for L7 Access Logs (Site Acceleration Log, Rate Limiting, CC Attack Protection Log, Custom Rule Log, Bot Management Log, Managed Rule Log).
Note
Real-time Log - Site Acceleration Log records Full L7 Request Log, including the feature of L7 Protection Blocked Log is in beta testing. If needed, please Contact Us.
Rate Limiting, CC Attack Protection Log, Custom Rule Log, and Bot Management Log are projected to be discontinued on July 31, 2024. It is recommended to use the Site Acceleration Log to obtain comprehensive L7 Protection Logs.
Field Description
General Fields
Field Name | Data Type | Description | Does this field support offline logs | Does this field support real-time logs |
ContentID | String | Content Identifier related to requests, used to identify specific traffic and content subsets for billing, reporting, and monitoring provided on the EO platform. If the request is associated with a content identifier, it is eocontentid; if not, it is zoneid. | ✓ | ✓ |
EdgeEndTime | Timestamp ISO8601 | The time to complete the response to the client request. Example value: 2024-10-14T05:13:43Z, denoting 05:13:43, October 14, 2024 (UTC+0), which is equivalent to 13:13:43, October 14, 2024 (UTC+8 (Beijing time)). | ✕ | ✓ |
EdgeFunctionSubrequest | Integer | Indicates whether this log entry belongs to a subrequest initiated by an edge function, with the following values: 1: Subrequest initiated by an edge function. 0: Subrequest not initiated by an edge function. | ✓ | ✓ |
LogTime | Timestamp ISO8601 | Time the log was generated.Example value: 2024-10-14T05:13:43Z. | ✕ | ✓ |
ParentRequestID | String | If this request is initiated using edge functions, record the parent request's RequestID; otherwise, record as "-". | ✓ | ✓ |
RequestID | String | Unique ID of the client request. | ✓ | ✓ |
Client information
Field Name | Data Type | Description | Does this field support offline logs | Does this field support real-time logs |
ClientConnectionID | String | The unique identifier for the connection between the client and the edge node. Example value: "5692760165714882237". | ✕ | ✓ |
ClientDeviceType | String | Client request device type, values are: TV: Television Tablet: Tablet PC Mobile: Mobile Phone Desktop: Computer Other: Other | ✕ | ✓ |
ClientIP | String | Client IP connecting to EdgeOne nodes. | ✓ | ✓ |
ClientISP | String | ISP information resolved from Client IP. For data within the Chinese mainland, record as the ISP's Chinese name; For data in global availability zones (excluding the Chinese mainland), record as Autonomous System Number (ASN). | ✓ | ✓ |
ClientPort | Integer | Client port connected to EdgeOne node. | ✕ | ✓ |
ClientRegion | String | ✓ | ✓ | |
ClientState | String | Subdivision below the country level resolved from the Client IP. Currently supports only data within the Chinese mainland. Format standard: ISO-3166-2. | ✓ | ✓ |
Request information
Field Name | Data Type | Description | Does this field support offline logs | Does this field support real-time logs |
RemotePort | Integer | The EdgeOne node port that establishes a connection with the client under the TCP protocol. | ✓ | ✓ |
RequestBodyBytes | Integer | The size of the request body sent by the client to the EdgeOne node, in Bytes. | ✕ | ✓ |
RequestBytes | Integer | Total traffic sent from the client to the EdgeOne node during the request process, based on the size of the request header, request body, and data sent during the SSL handshake. Unit: Byte. | ✓ | ✓ |
RequestHost | String | Client request host. | ✓ | ✓ |
RequestMethod | String | HTTP client request method, values are: GET POST HEAD PUT DELETE CONNECT OPTIONS TRACE PATCH | ✓ | ✓ |
RequestProtocol | String | Client request application layer protocol, values are: HTTP/1.0 HTTP/1.1 HTTP/2.0 HTTP/3 WebSocket | ✓ | ✓ |
RequestRange | String | Client request Range. | ✓ | ✓ |
RequestReferer | String | Client request Referer. | ✓ | ✓ |
RequestScheme | String | Client request HTTP version. Values: HTTP, HTTPS. | ✕ | ✓ |
RequestSSLProtocol | String | Client SSL(TLS) protocol used. If the value is "-", it means there was no SSL handshake. Possible values are: TLS1.0 TLS1.1 TLS1.2 TLS1.3 | ✕ | ✓ |
RequestStatus | String | Client request status. If using the WebSocket protocol, EdgeOne will periodically log it. This field can be used to determine the connection status. Possible values are: 0: not ended 1: Request successfully terminated 2: Under WebSocket protocol, indicates the first log entry of the connection 3: Under WebSocket protocol, indicates a log entry that is neither the first nor the last of the connection | ✓ | ✓ |
RequestTime | Timestamp ISO8601 | Time when the EdgeOne node received the client request, timezone: UTC +00:00.Example value: 2024-10-14T05:13:43Z. | ✓ | ✓ |
RequestUA | String | Client request User-Agent. | ✓ | ✓ |
RequestUrl | String | Client request URL Path, excluding query parameters. | ✓ | ✓ |
RequestUrlQueryString | String | A query string that is carried in the client request URL. | ✓ | ✓ |
Response information
Field Name | Data Type | Description | Does this field support offline logs | Does this field support real-time logs |
EdgeCacheStatus | String | Whether the client request hits the node cache, values include: hit: resource provided by node cache miss: resource can be cached, but provided by origin server dynamic: resource cannot be cached other: unrecognized cache status | ✓ | ✓ |
EdgeInternalTime | Integer | Time consumption from when EdgeOne receives the client-initiated request to when the first byte is responded to the client; unit: ms. | ✓ | ✓ |
EdgeResponseBodyBytes | Integer | Response body size returned to the client by the nodes, unit: Byte. | ✓ | ✓ |
EdgeResponseBytes | Integer | Total traffic returned by the node to the client, based on the size of the response header, response body, and data sent by the EdgeOne node during the SSL handshake. Unit: Byte. | ✓ | ✓ |
EdgeResponseStatusCode | Integer | Response status code returned to the client by the nodes. | ✓ | ✓ |
EdgeResponseTime | Integer | Time consumed from when EdgeOne receives the client-initiated request to when the client receives the server-side response. Unit: ms. | ✓ | ✓ |
Edge Server Information
Field Name | Data Type | Description | Does this field support offline logs | Does this field support real-time logs |
EdgeException | String | Describe the issues encountered by the EO edge node when processing requests. For detailed explanations of the field values, please refer to field description fo EdgeException. | ✕ | ✓ |
EdgeServerID | String | The unique identifier of the EdgeOne server accessed by the client. Example value: "28a1672eeaa86c145501d3950bff06cc-501d3fb0abce346ac9a5598b665bfcfe". | ✓ | ✓ |
EdgeServerIP | String | DNS resolution Host to obtain the EdgeOne server IP address. | ✓ | ✓ |
EdgeServerRegionTopDivision | String | Edge service access IP resolves to the next level administrative division of the country. Currently, only data within the Chinese mainland is supported. Format standard: ISO-3166-2. | ✕ | ✓ |
EdgeSeverRegion | String | ✕ | ✓ |
Real Server Information
Field Name | Data Type | Description | Does this field support offline logs | Does this field support real-time logs |
OriginDNSResponseDuration | Float | Time consumed to receive the DNS Resolution response from the origin server. If there is no origin retrieval, it is recorded as -1. Unit: ms. | ✕ | ✓ |
OriginIP | String | The IP of the origin server accessed for origin retrieval. If there is no origin retrieval, it is recorded as "-". | ✕ | ✓ |
OriginRequestHeaderSendDuration | Float | Time consumed to send the request header to the origin server. It is generally 0. If there is no origin retrieval, it is recorded as -1. Unit: ms. | ✕ | ✓ |
OriginResponseHeaderDuration | Float | Time consumed from sending the request header to the origin server to receiving the response header from the origin server. If there is no origin retrieval, it is recorded as -1. Unit: ms. | ✕ | ✓ |
OriginResponseStatusCode | Integer | origin server Response Status Code, if there is no origin retrieval, record as -1. | ✕ | ✓ |
OriginSSLProtocol | String | SSL protocol version used for the request to the origin server. If there is no origin retrieval, it is recorded as "-"; possible values: TLS1.0 TLS1.1 TLS1.2 TLS1.3 | ✕ | ✓ |
OriginTCPHandshakeDuration | Float | Time consumed to complete the TCP handshake when requesting the origin server. If there is no origin retrieval, it is recorded as -1. Unit: ms;Note: It is 0 when the connection is reused. | ✕ | ✓ |
OriginTLSHandshakeDuration | Float | Time consumed to complete the TLS handshake when requesting the origin server. If there is no origin retrieval or the origin-pull protocol is HTTP, it is recorded as -1. Unit: ms; Note: It is 0 when the connection is reused. | ✕ | ✓ |
Security Protection related fields
Field Name | Data Type | Description | Does this field support offline logs | Does this field support real-time logs |
BotCharacteristic | String | EO Bot Intelligent Analysis Engine has identified the characteristics of this request, only available for domains with the Bot Intelligent Analysis feature enabled in Bot Management.For the meaning of field values, please refer to field description of BotCharacteristic. | ✕ | ✓ |
BotClassAccountTakeOver | String | Based on recent IP Intelligence Data, the Client IP request poses a risk level for malicious login attacks. The values are: high: High Risk medium: Medium Risk low: Low Risk -: No historical data or domain has not enabled the Client Reputation feature | ✕ | ✓ |
BotClassAttacker | String | Based on recent IP Intelligence Data, the Client IP request poses a risk level for attacks (e.g., DDoS, high-frequency malicious requests, site attacks). The values are: high: High Risk medium: Medium Risk low: Low Risk -: No historical data or domain has not enabled the Client Reputation feature | ✕ | ✓ |
BotClassMaliciousBot | String | Based on recent IP Intelligence Data, the Client IP request poses a risk level for malicious crawlers, volume brushing, and brute force attacks. The values are: high: High Risk medium: Medium Risk low: Low Risk -: No historical data or domain has not enabled the Client Reputation feature | ✕ | ✓ |
BotClassProxy | String | Based on recent IP Intelligence Data, the Client IP request opens a suspicious proxy port and is used as a Network Proxy (including Second-level IP Dialing). The risk levels are: high: High Risk medium: Medium Risk low: Low Risk -: No historical data or domain has not enabled the Client Reputation feature | ✕ | ✓ |
BotClassScanner | String | Based on recent IP Intelligence Data, the Client IP request shows Scanner Behavior of exploiting known vulnerabilities. The risk levels are: high: High Risk medium: Medium Risk low: Low Risk -: No historical data or domain has not enabled the Client Reputation feature | ✕ | ✓ |
BotTag | String | The EO Bot Intelligent Analysis Engine comprehensively evaluates requests based on factors such as request rate and the IP Intelligence Database, only available for domains with the Bot Intelligent Analysis feature enabled in Bot Management. The values are: evil_bot:Malicious Bot Requests suspect_bot:Suspected Bot Requests good_bot:Normal Bot Request normal:Normal Request -:Unclassified | ✕ | ✓ |
JA3Hash | String | Used to analyze the JA3 fingerprint’s MD5 hash value for SSL/TLS clients. Provided only for domains with Bot Management enabled. | ✕ | ✓ |
SecurityAction | String | Final disposition action after request hits security rules, with possible values: -:Unknown/Not Hit Monitor:Observation JSChallenge:JavaScript Challenge Deny:Block Allow:Allow BlockIP:IP Ban Redirect:Redirect ReturnCustomPage:Return to Custom Page ManagedChallenge:Hosted Challenge Silence:Silence LongDelay:Response after a long delay ShortDelay:Response after a short delay | ✕ | ✓ |
SecurityModule | String | The name of the security module that finally handles the request, corresponding to SecurityAction, possible values include:-:Unknown/Not Hit CustomRule: Web Protection - Custom Rules RateLimitingCustomRule: Web Protection - Rate Limiting Rules ManagedRule: Web Protection - Managed Rules L7DDoS: Web Protection - CC Attack Protection BotManagement: Bot Management - Basic Bot Management BotClientReputation: Bot Management - Client Profile Analytics BotBehaviorAnalysis: Bot Management - Intelligent Bot Analysis BotCustomRule: Bot Management - Custom Bot Rules BotActiveDetection: Bot Management - Proactive Feature Recognition | ✕ | ✓ |
SecurityRuleID | String | ID of the security rule for final request handling, corresponding to SecurityAction. | ✕ | ✓ |
Related references
Log Example
Below is an example of a single L7 access log by default. You can customize the EdgeOne log output format according to the specific requirements of the downstream log analysis system. For more details, see Custom Log Output Format.
{"ClientState": "CN-LN","BotTag": "normal","EdgeSeverRegion": "US","RequestID": "13719873400522703510","EdgeException": "client_request_exception.upstream_failed","RequestMethod": "GET","RequestUrlQueryString": "-","LogTime": "2024-10-13T23:30:39Z","RequestUrl": "/app/","ClientPort": 62389,"RequestBodyBytes": 0,"SecurityRuleID": "-","ContentID": "zone-2mxigizoh600","OriginRequestHeaderSendDuration": 0.001,"EdgeResponseTime": 379,"ParentRequestID": "-","EdgeServerRegionTopDivision": "CN-LN","RequestSSLProtocol": "-","RequestScheme": "HTTPS","RequestTime": "2024-10-13T23:30:39Z","EdgeResponseStatusCode": 404,"ClientIP": "0.0.0.0","BotCharacteristic": "-","SecurityAction": "-","EdgeEndTime": "2024-10-13T23:30:39Z","RequestRange": "-","BotClassScanner": "-","BotClassProxy": "-","ClientDeviceType": "Desktop","RequestHost": "www.example.com","OriginSSLProtocol": "-","EdgeResponseBodyBytes": 548,"RequestProtocol": "HTTP/1.1","EdgeServerID": "b3da9837137ad37f8e430b1d6de51dc5-d41d8cd98f00b204e9800998ecf8427e","EdgeCacheStatus": "miss","EdgeFunctionSubrequest": 0,"EdgeResponseBytes": 825,"OriginTCPHandshakeDuration": 182.485,"SecurityModule": "-","ClientConnectionID": "5692760165714882237","EdgeInternalTime": 378,"RequestBytes": 769,"OriginIP": "0.0.0.0","JA3Hash": "-","OriginResponseHeaderDuration": 182.676,"OriginResponseStatusCode": 404,"ClientRegion": "US","RemotePort": 80,"ClientISP": "AS396982","BotClassMaliciousBot": "-","BotClassAccountTakeOver": "-","OriginDNSResponseDuration": 0.0,"RequestReferer": "-","BotClassAttacker": "-","RequestUA": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","EdgeServerIP": "0.0.0.0","OriginTLSHandshakeDuration": -1,"RequestStatus": "1"}
Field Description of EdgeException
Field Format:
[Request Phase].[Exception Description]If there is no exception, the field value is
no_exception.Request Phase
Request Phase Parameter Value | Meaning |
client_request_exception | An exception occurs during the client's request process to the EdgeOne edge node. |
edge_response_exception | An exception occurs during the EdgeOne edge node's response process to the client. |
Exception Description
Notes:
Below are only common abnormal situations. Follow-up, EdgeOne may add descriptions of new abnormal situations.
Exception Description Value | Meaning |
timeout | Timeout |
peer_close | Peer closed (determined by whether a FIN packet is received); for the EdgeOne edge service, the peer refers to the client. |
closed | Local active close |
read_buffer_full | Read buffer full |
package_write_failed | Write failure (only for UDP) |
peer_error | Exception occurred in read-write operations (such as RST). |
peers_is_empty | Origin peers are empty. |
module_load_failed | HTTP module loading failed |
header_too_large | Oversized HTTP header |
parse_header_failed | HTTP header parsing failed |
read_offset_out_of_upstream_range | Reading the offset of origin-pull data exceeds the range of origin-pull response |
no_cache | Non-use of cache |
partial_compress_cache | Contain only partial compressed cache |
upstream_no_mtime | Origin-pull response has no mtime |
cache_no_mtime | Local cache has no mtime |
upstream_mtime_change | Origin-pull mtime adjustment |
upstream_no_etag | Origin-pull response has no etag |
cache_no_etag | Local cache has no etag |
upstream_etag_change | Origin-pull etag change |
upstream_length_change | Origin-pull length adjustment |
upstream_status_change | Origin-pull status code change |
upstream_data_not_set | Uninitialized origin-pull module data |
upstream_respond_extra_data | Redundant data in origin server response |
domain_resolve_failed | Origin-pull domain name resolution failed |
domain_resolve_none | The origin-pull domain name resolution result is empty. |
upstream_server_is_empty | The origin server list is empty. |
upstream_failed | Origin-pull failure |
upstream_content_range_with_content_encoding | The origin server response contains both Content-Range and Content-Encoding. |
upstream_unknown_transfer_encoding | The origin server response has an unknown Transfer-Encoding. |
upstream_transfer_encoding_with_content_length | The origin server response contains both Transfer-Encoding and Content-Length. |
upstream_keepalive_without_length | The origin server responds with a file of unknown length and requires keep-alive. |
chunked_error | chunked parsing failure |
read_file_info_failed | Failed to read cached file information. |
set_cache_data_failed | Attempt to set cache data failed. |
unknown_compress_method | Unknown compression algorithm |
compress_size_too_large | The compressed file is oversized. |
compress_error | Compression exception |
upstream_verify_failed | UUID anti-hijacking verification failure |
scheme_error | unknown schema |
empty_domain | The domain name is empty. |
reset_client | Require RST Client |
blacklist_fatal_error | blocklist anomaly |
range_index_error | Multiple Range subscript anomalies |
upstream_respond_206_without_content_range | Origin server response 206 without carrying Range |
upstream_respond_content_range_without_size | Origin server response Content-Range without carrying total file size |
upstream_respond_error_content_range | Origin server response Range anomaly |
Field Description of BotCharacteristic
Notes:
This field is only provided to domain names that have enabled the Bot management - bot intelligent analysis feature.
Field Value | Corresponding Rule Name | Detailed Description | Map Bot Tag ( BotTag) | Possible Hit on Attack or Business Scenario |
Client Inconsistency | Client inconsistency | Request header and feature are inconsistent, or the OS fingerprint at layer 4 does not match the User-Agent. | malicious Bot | Spoof UA, for example, a Linux server request declares itself as a Windows UA; Some users use a proxy, and when the egress is through an office network or campus network, the Layer-4 fingerprint comes from a proxy server, which does not match the user's UA. |
Irregular TLS Fingerprint | TLS fingerprint anomaly | Tool's TLS fingerprint anomaly | malicious Bot suspected Bot | request initiated by the scripting tool; Some clients use tools/components to call APIs, static resources. |
High Frequency | high-frequency request | The same or several IPs/User-Agents send a large number of requests. | malicious Bot suspected Bot | / |
Irregular Path Access | Access through unconventional paths | Random or concentrated requests to a specific API in the request path might be scanning or data capture. | malicious Bot suspected Bot | Some site resources are limited or during events, user requests are highly concentrated in accessing a specific path in a short time frame. |
Real-time Proxy Detection | real-time proxy detection | Based on real-time traffic mode, judge whether a request may be forwarded via proxy. | malicious Bot suspected Bot | Black market players use Second Dial Proxy to change IPs to bypass risk control strategies; User uses proxy VPN, office network/campus network egress IP. Large network fluctuation. |
TLS Fingerprint Inconsistency | TLS fingerprint inconsistent | TLS fingerprint mismatched with User-Agent | malicious Bot suspected Bot | some less popular clients (uncommon UA) request from the scripting tool; tamper with UA request; Office network/campus network egress. |
UA with Bot Identifier | UA with Bot identification | User-Agent contains common bot tool identification. | malicious Bot | User's UA contains common scripting tool identifier strings. |
Python-Requests | Python-requests request | Use the python-requests tool to send a request. | malicious Bot | User UA contains the string python-requests. |
Python-Urllib | Python-urllib request | Use the python-urllib tool to send a request. | malicious Bot | User UA contains the string python-urllib. |
Curl | cURL request | Use the curl tool to send a request. | malicious Bot | User UA contains the string curl. |
Go HTTP Client | Go HTTP Client requests | Send requests using the go-http-client tool | malicious Bot | User UA contains the string go-http-client. |
Phpcrawl | phpcrawl request | Use the phpcrawl tool to send a request. | malicious Bot | User UA contains the string phpcrawl. |
Libcurl | libcurl request | Use the libcurl tool to send a request. | malicious Bot | User UA contains the string libcurl. |
WinHTTP Client | WinHTTP request | Use the WinHttpClient tool to send a request. | malicious Bot | User UA contains the string WinHttpClient. |
Headless Browser | headless browser | Use a headless browser (such as Puppeteer, Selenium) to send a request. | malicious Bot | User UA contains the string headless. |
Triggered by Known Tool#{Num} | Specific tool feature #{Num} | Rules triggered by specific tools or actions. {Num} is used to identify different tools or actions. Self-service query/management of this type of feature is not currently supported. If you have any questions, please contact us. | malicious Bot suspected Bot | / |