Log Fields (RTLD Rate Limiting)

Log data is reported as a JSON document. Log format determines whether log data identification information will be included and how the data is formatted. Each type of log format is described below.

If log data uses either the JSON Array or JSON Lines log format, then it will not contain information that uniquely identifies a set of log data. If log data is delivered to a destination other than AWS S3, Azure Blob Storage, or Google Cloud Storage, then there is no way to check for gaps in sequence numbers when attempting to identify missing log data.

A log entry describes a HTTP/HTTPS request that was submitted to our CDN.

Top-Level Name/Value Pairs

Top-level name/value pairs are unavailable for the JSON Array and JSON Lines log formats. If you require this information, please choose the standard JSON log format.

Top-level name/value pairs are described below.

Field

Friendly Name

Description

account_number

String

Customer Account Number

Indicates your CDN account number (e.g., 0001). This account number may be viewed from the upper-right hand corner of the MCC.

agent_id

String

Agent ID

Indicates the unique ID that identifies the Real-Time Log Delivery software agent that generated the log data.

datestamp

String

Date Stamp

Indicates the date on which the log data was generated.

Syntax:

YYYYMMDD

Example:

20230412

logs

Array of Objects

Log Data

Describes the log entries associated with the current JSON document. Each object contains a set of fields that describe the request/response for a single log entry.

profile_id

Number (Integer)

Profile ID

Identifies a RTLD profile by its system-defined ID.

seq_num

Number (Integer)

Sequence Number

Indicates the sequential number that identifies the order in which the log data was generated by the software agent identified by the agent_id field.

service

String

Service

This field always reports rl.

logs Array

The logs array contains an object for each log entry associated with the current JSON document. Each log entry describes a threat via the following fields:

Field

Friendly Name

Description

account_number

String

Customer AN

Category: GeneralProvides miscellaneous information about the request.

Indicates your CDN account number (e.g., 0001). This account number may be viewed from the upper-right hand corner of the MCC.

client_city

String

City Name

Category: Client GeographyProvides geographical information about the client that submitted the request.

Indicates the city from which the request originated.

client_country_code

String

Country Code

Category: Client GeographyProvides geographical information about the client that submitted the request.

Indicates the two-character ISO 3166-1 code for the country from which the request originated.

View a listing of country codes.

client_country

String

Country Name

Category: Client GeographyProvides geographical information about the client that submitted the request.

Indicates the country from which the request originated.

client_ip

String

Client IP

Category: Client NetworkDescribes the network of the client that submitted the request.

Indicates the IP address for the computer that submitted the request to our CDN.

host

String

Host

Category: Request HeaderDescribes request header values.

Indicates the Host header value sent in the client's request to the CDN.

limit_action_duration

Number (Integer)

Rate Limiting Action Duration

Category: Security ConfigurationProvides information about the security configuration that was violated.

Indicates the minimum length of time, in seconds, that eligible requests were rate limited when the event took place.

limit_action_percentage

Number (Decimal)

Rate Limiting Action Percentage

Category: Security ConfigurationProvides information about the security configuration that was violated.

Indicates the percentage of eligible requests that were rate limited when the event took place.

limit_action_type

String

Rate Limiting Action Type

Category: Security ConfigurationProvides information about the security configuration that was violated.

Indicates how the rate limit was enforced on the request.

  • ALERT: Alert Only
  • REDIRECT_302: Redirect (HTTP 302)
  • CUSTOM_RESPONSE: Custom Response
  • DROP_REQUEST: Drop Request (503 Service Unavailable response with a retry-after of 10 seconds)

limit_id

String

Rate Limiting Action Limit ID

Category: Security ConfigurationProvides information about the security configuration that was violated.

Indicates the system-defined ID of the rate rule whose rate limit was exceeded by the request.

limit_start_timestamp

Number (Integer)

Rate Limiting Action Start Epoch

Category: Security ConfigurationProvides information about the security configuration that was violated.

Indicates the timestamp, in Unix time (milliseconds), at which the enforcement of the rate limit started.

method

String

Request Method

Category: Security ConfigurationProvides information about the security configuration that was violated.

Indicates the request's HTTP method.

Example:

GET

referer

String

Referer

Category: Request HeaderDescribes request header values.

Indicates the Referer header value sent in the client's request to the CDN. This header reports the URL of the site from which the request originated.

This field will typically be set to a blank value for the HTTP Small and the ADN platforms.

scope_id

String

Scope ID

Category: Security ConfigurationProvides information about the security configuration that was violated.

Indicates the system-defined ID of the Security Application Manager configuration that enforced the rate limit.

scope_name

String

Scope Name

Category: Security ConfigurationProvides information about the security configuration that was violated.

Indicates the name of the Security Application Manager configuration that enforced the rate limit.

timestamp

Number (Decimal)

Timestamp

Category: ResponseDescribes the response sent from an edge server to the client that submitted the request.

Indicates the Unix time, in seconds, at which an edge server sent a response to the client.

Syntax:

Seconds.Microseconds

url

String

URL

Category: RequestDescribes the request submitted to the CDN.

Indicates the URL that was requested.

user_agent

String

User Agent

Category: Request HeaderDescribes request header values.

Indicates the user agentRefers to software that acts on behalf of a user. For example, a web browser (e.g., FireFox, Chrome, and Internet Explorer) is a user agent. A web browser will make HTTP/HTTPS requests based on user actions (e.g., requesting a web site or clicking a link). that submitted the HTTP request to our CDN.

Sample Log Data

Sample log data that contains two log entries is provided below for all three log formats.

Example (JSON):

{
	"agent_id": "1234500008619D55A",
	"seq_num": 4,
	"service": "rl",
	"account_number": "0001",
	"profile_id": 1,
	"datestamp": "20210812",
	"logs": [{
			"timestamp": 1628804857.1012251,
			"account_number": "0001",
			"user_agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0",
			"url": "https://cdn.example.com/images/bunny.png",
			"client_ip": "93.113.59.253",
			"referer": "https://models.example.com/",
			"host": "cdn.example.com",
			"client_country_code": "RO",
			"client_country": "Romania",
			"client_city": "Bucharest",
			"limit_action_duration": 0,
			"limit_id": "SJuO3wey",
			"limit_action_percentage": 100,
			"limit_start_timestamp": 1628804857.167,
			"limit_action_type": "ALERT",
			"method": "GET",
			"scope_id": "dJR9RX4S",
			"scope_name": "SAM"
		}, {
			"timestamp": 1628804858.1012254,
			"account_number": "0001",
			"user_agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0",
			"url": "https://cdn.example.com/photos/sky.png",
			"client_ip": "107.190.102.233",
			"referer": "https://example2.com/",
			"host": "cdn.example.com",
			"client_country_code": "CA",
			"client_country": "Canada",
			"client_city": "Windsor",
			"limit_action_duration": 0,
			"limit_id": "SJuO3wey",
			"limit_action_percentage": 100,
			"limit_start_timestamp": 1628804832.024,
			"limit_action_type": "ALERT",
			"method": "GET",
			"scope_id": "dJR9RX4S",
			"scope_name": "SAM"
		}
	]
}

Example (JSON array):

[{
		"timestamp": 1628804857.1012251,
		"account_number": "0001",
		"user_agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0",
		"url": "https://cdn.example.com/images/bunny.png",
		"client_ip": "93.113.59.253",
		"referer": "https://models.example.com/",
		"host": "cdn.example.com",
		"client_country_code": "RO",
		"client_country": "Romania",
		"client_city": "Bucharest",
		"limit_action_duration": 0,
		"limit_id": "SJuO3wey",
		"limit_action_percentage": 100,
		"limit_start_timestamp": 1628804857.167,
		"limit_action_type": "ALERT",
		"method": "GET",
		"scope_id": "dJR9RX4S",
		"scope_name": "SAM"
	}, {
		"timestamp": 1628804858.1012254,
		"account_number": "0001",
		"user_agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0",
		"url": "https://cdn.example.com/photos/sky.png",
		"client_ip": "107.190.102.233",
		"referer": "https://example2.com/",
		"host": "cdn.example.com",
		"client_country_code": "CA",
		"client_country": "Canada",
		"client_city": "Windsor",
		"limit_action_duration": 0,
		"limit_id": "SJuO3wey",
		"limit_action_percentage": 100,
		"limit_start_timestamp": 1628804832.024,
		"limit_action_type": "ALERT",
		"method": "GET",
		"scope_id": "dJR9RX4S",
		"scope_name": "SAM"
	}
]		

Example (JSON lines):

{"user_agent": "Mozilla/5.0 (Windows NT ...Represents a log entry.}
{"user_agent": "Mozilla/5.0 (Windows NT ...}