Log data is reported as a JSON document. Log format determines whether log data identification information will be included and how the data is formatted. Each type of log format is described below.
JSON
This format includes:
JSON Array
This format generates a JSON document that contains an array of objects. Each object is a log entry associated with the current JSON document.
JSON Lines
This format generates an invalid JSON document that contains an object on each line. Each object is a log entry associated with the current JSON document. This object is an exact match for an object contained by the Logs array.
If log data uses either the JSON Array or JSON Lines log format, then it will not contain information that uniquely identifies a set of log data. If log data is delivered to a destination other than AWS S3, Azure Blob Storage, or Google Cloud Storage, then there is no way to check for gaps in sequence numbers when attempting to identify missing log data.
A log entry describes an HTTP/HTTPS request that was submitted to our CDN.
Top-level name/value pairs are unavailable for the JSON Array and JSON Lines log formats. If you require this information, please choose the standard JSON log format.
Top-level name/value pairs are described below.
Field | Friendly Name | Description |
---|---|---|
account_number String | Customer Account Number | Indicates your CDN account number (e.g., 0001). This account number may be viewed from the upper-right hand corner of the MCC. |
agent_id String | Agent ID | Indicates the unique ID that identifies the Real-Time Log Delivery software agent that generated the log data. |
datestamp String | Date Stamp | Indicates the date on which the log data was generated. Syntax: YYYYMMDD. Example: 20240412 |
logs Array of Objects | Log Data | Describes the log entries associated with the current JSON document. Each object contains a set of fields that describe the request/response for a single log entry. |
profile_id Number (Integer) | Profile ID | Identifies an RTLD profile by its system-defined ID. |
seq_num Number (Integer) | Sequence Number | Indicates the sequential number that identifies the order in which the log data was generated by the software agent identified by the agent_id field. |
service String | Service | This field always reports rl. |
The logs array contains an object for each log entry associated with the current JSON document. Each log entry describes a threat via the following fields:
Field | Friendly Name | Description |
---|---|---|
account_number String | Customer AN | Category: General (provides miscellaneous information about the request). Indicates your CDN account number (e.g., 0001). This account number may be viewed from the upper-right hand corner of the MCC. |
client_city String | City Name | Category: Client Geography (provides geographical information about the client that submitted the request). Indicates the city from which the request originated. |
client_country_code String | Country Code | Category: Client Geography (provides geographical information about the client that submitted the request). Indicates the two-character ISO 3166-1 code for the country from which the request originated. |
client_country String | Country Name | Category: Client Geography (provides geographical information about the client that submitted the request). Indicates the country from which the request originated. |
client_ip String | Client IP | Category: Client Network (describes the network of the client that submitted the request). Indicates the IP address for the computer that submitted the request to our CDN. |
host String | Host | Category: Request Header (describes request header values). Indicates the Host header value sent in the client's request to the CDN. Example 1: for the request http://wpc.0001.edgecastcdn.net/800001/myorigin/index.html, this field reports wpc.0001.edgecastcdn.net. Example 2: for the request http://cdn.mydomain.com/index.html, this field reports cdn.mydomain.com. |
limit_action_duration Number (Integer) | Rate Limiting Action Duration | Category: Security Configuration (provides information about the security configuration that was violated). Indicates the minimum length of time, in seconds, that eligible requests were rate limited when the event took place. |
limit_action_percentage Number (Decimal) | Rate Limiting Action Percentage | Category: Security Configuration (provides information about the security configuration that was violated). Indicates the percentage of eligible requests that were rate limited when the event took place. |
limit_action_type String | Rate Limiting Action Type | Category: Security Configuration (provides information about the security configuration that was violated). Indicates how the rate limit was enforced on the request. |
limit_id String | Rate Limiting Action Limit ID | Category: Security Configuration (provides information about the security configuration that was violated). Indicates the system-defined ID of the rate rule whose rate limit was exceeded by the request. |
limit_start_timestamp Number (Integer) | Rate Limiting Action Start Epoch | Category: Security Configuration (provides information about the security configuration that was violated). Indicates the timestamp, in Unix time (milliseconds), at which the enforcement of the rate limit started. |
method String | Request Method | Category: Security Configuration (provides information about the security configuration that was violated). Indicates the request's HTTP method. Example: GET |
referer String | Referer | Category: Request Header (describes request header values). Indicates the Referer header value sent in the client's request to the CDN. This header reports the URL of the site from which the request originated. This field will typically be set to a blank value |
scope_id String | Scope ID | Category: Security Configuration (provides information about the security configuration that was violated). Indicates the system-defined ID of the Security Application Manager configuration that enforced the rate limit. |
scope_name String | Scope Name | Category: Security Configuration (provides information about the security configuration that was violated). Indicates the name of the Security Application Manager configuration that enforced the rate limit. |
timestamp Number (Decimal) | Timestamp | Category: Response (describes the response sent from an edge server to the client that submitted the request). Indicates the Unix time, in seconds, at which an edge server sent a response to the client. Syntax: Seconds.Microseconds |
url String | URL | Category: Request (describes the request submitted to the CDN). Indicates the URL that was requested. |
user_agent String | User Agent | Category: Request Header (describes request header values). Indicates the user agent that submitted the HTTP request to our CDN. A user agent is software that acts on behalf of a user. For example, a web browser (e.g., FireFox, Chrome, and Internet Explorer) is a user agent. A web browser will make HTTP/HTTPS requests based on user actions (e.g., requesting a web site or clicking a link). |
Sample log data that contains two log entries is provided below for all three log formats.
JSON:

```json
{
  "agent_id": "1234500008619D55A",
  "seq_num": 4,
  "service": "rl",
  "account_number": "0001",
  "profile_id": 1,
  "datestamp": "20210812",
  "logs": [
    {
      "timestamp": 1628804857.1012251,
      "account_number": "0001",
      "user_agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0",
      "url": "https://cdn.example.com/images/bunny.png",
      "client_ip": "93.113.59.253",
      "referer": "https://models.example.com/",
      "host": "cdn.example.com",
      "client_country_code": "RO",
      "client_country": "Romania",
      "client_city": "Bucharest",
      "limit_action_duration": 0,
      "limit_id": "SJuO3wey",
      "limit_action_percentage": 100,
      "limit_start_timestamp": 1628804857.167,
      "limit_action_type": "ALERT",
      "method": "GET",
      "scope_id": "dJR9RX4S",
      "scope_name": "SAM"
    },
    {
      "timestamp": 1628804858.1012254,
      "account_number": "0001",
      "user_agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0",
      "url": "https://cdn.example.com/photos/sky.png",
      "client_ip": "107.190.102.233",
      "referer": "https://example2.com/",
      "host": "cdn.example.com",
      "client_country_code": "CA",
      "client_country": "Canada",
      "client_city": "Windsor",
      "limit_action_duration": 0,
      "limit_id": "SJuO3wey",
      "limit_action_percentage": 100,
      "limit_start_timestamp": 1628804832.024,
      "limit_action_type": "ALERT",
      "method": "GET",
      "scope_id": "dJR9RX4S",
      "scope_name": "SAM"
    }
  ]
}
```

JSON Array:

```json
[
  {
    "timestamp": 1628804857.1012251,
    "account_number": "0001",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0",
    "url": "https://cdn.example.com/images/bunny.png",
    "client_ip": "93.113.59.253",
    "referer": "https://models.example.com/",
    "host": "cdn.example.com",
    "client_country_code": "RO",
    "client_country": "Romania",
    "client_city": "Bucharest",
    "limit_action_duration": 0,
    "limit_id": "SJuO3wey",
    "limit_action_percentage": 100,
    "limit_start_timestamp": 1628804857.167,
    "limit_action_type": "ALERT",
    "method": "GET",
    "scope_id": "dJR9RX4S",
    "scope_name": "SAM"
  },
  {
    "timestamp": 1628804858.1012254,
    "account_number": "0001",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0",
    "url": "https://cdn.example.com/photos/sky.png",
    "client_ip": "107.190.102.233",
    "referer": "https://example2.com/",
    "host": "cdn.example.com",
    "client_country_code": "CA",
    "client_country": "Canada",
    "client_city": "Windsor",
    "limit_action_duration": 0,
    "limit_id": "SJuO3wey",
    "limit_action_percentage": 100,
    "limit_start_timestamp": 1628804832.024,
    "limit_action_type": "ALERT",
    "method": "GET",
    "scope_id": "dJR9RX4S",
    "scope_name": "SAM"
  }
]
```

JSON Lines (each line represents a log entry):

```
{"user_agent": "Mozilla/5.0 (Windows NT ...}
{"user_agent": "Mozilla/5.0 (Windows NT ...}
```
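The following is an added example, not code from the Edgecast documentation: one way a log consumer could accept all three log formats and, for the standard JSON format, use `agent_id` and `seq_num` to flag missing log data. The payloads are constructed from a trimmed entry, and the function names and the treatment of `seq_num` as increasing by one per agent without resets are assumptions.

```python
import json
from collections import defaultdict

def parse_rtld(payload):
    """Return (envelope, entries); envelope is None for JSON Array and JSON Lines."""
    text = payload.strip()
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        # JSON Lines: the payload as a whole is not valid JSON, so parse per line.
        return None, [json.loads(ln) for ln in text.splitlines() if ln.strip()]
    if isinstance(doc, list):  # JSON Array: entries only, no identifying fields
        return None, doc
    if isinstance(doc, dict) and isinstance(doc.get("logs"), list):  # standard JSON
        return {k: v for k, v in doc.items() if k != "logs"}, doc["logs"]
    return None, [doc]  # JSON Lines payload that holds a single entry

def find_seq_gaps(envelopes):
    """Map agent_id to the seq_num values missing between the lowest and highest seen.

    Assumption: seq_num increases by one per document for a given agent_id.
    """
    seen = defaultdict(set)
    for env in envelopes:
        seen[env["agent_id"]].add(env["seq_num"])
    gaps = {}
    for agent, nums in seen.items():
        missing = sorted(set(range(min(nums), max(nums) + 1)) - nums)
        if missing:
            gaps[agent] = missing
    return gaps

# Constructed sample data: one trimmed log entry reused in every payload.
AGENT = "1234500008619D55A"
ENTRY = {"timestamp": 1628804857.1012251, "client_ip": "93.113.59.253",
         "limit_id": "SJuO3wey", "limit_action_type": "ALERT"}

def make_doc(seq):
    """Build a constructed standard-JSON document with the given seq_num."""
    return json.dumps({"agent_id": AGENT, "seq_num": seq, "service": "rl",
                       "logs": [ENTRY]})

if __name__ == "__main__":
    envelopes = [parse_rtld(make_doc(n))[0] for n in (4, 5, 7)]
    print("missing seq_num per agent:", find_seq_gaps(envelopes))
    _, entries = parse_rtld(json.dumps(ENTRY) + "\n" + json.dumps(ENTRY))
    print("JSON Lines entries parsed:", len(entries))
```

With the JSON Array and JSON Lines formats `parse_rtld` returns no envelope, so `find_seq_gaps` has nothing to work with.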
Edgecast CDN