Log data is reported as a JSON document. Log format determines whether log data identification information will be included and how the data is formatted. Each type of log format is described below.
JSON
This format includes:
JSON Array
This format generates a JSON document that contains an array of objects. Each object is a log entry associated with the current JSON document.
JSON Lines
This format generates an invalid JSON document that contains an object on each line. Each object is a log entry associated with the current JSON document. This object is an exact match for an object contained by the Logs array.
If log data uses either the JSON Array or JSON Lines log format, then it will not contain information that uniquely identifies a set of log data. If log data is delivered to a destination other than AWS S3, Azure Blob Storage, or Google Cloud Storage, then there is no way to check for gaps in sequence numbers when attempting to identify missing log data.
A log entry describes a HTTP/HTTPS request that was submitted to our CDN.
Top-level name/value pairs are unavailable for the JSON Array and JSON Lines log formats. If you require this information, please choose the standard JSON log format.
Top-level name/value pairs are described below.
Field |
Friendly Name |
Description |
---|---|---|
account_number String |
Customer Account Number |
Indicates your CDN account number (e.g., 0001). This account number may be viewed from the upper-right hand corner of the MCC. |
String |
Agent ID |
Indicates the unique ID that identifies the Real-Time Log Delivery software agent that generated the log data. |
String |
Date Stamp |
Indicates the date on which the log data was generated. Syntax: YYYYMMDD
Example: 20240412
|
logs Array of Objects |
Log Data |
Describes the log entries associated with the current JSON document. Each object contains a set of fields that describe the request/response for a single log entry. |
profile_id Number (Integer) |
Profile ID |
Identifies a RTLD profile by its system-defined ID. |
Number (Integer) |
Sequence Number |
Indicates the sequential number that identifies the order in which the log data was generated by the software agent identified by the agent_id field. |
service String |
Service |
This field always reports waf. |
The logs array contains an object for each log entry associated with the current JSON document. Each log entry describes a threat via the following fields:
Field |
Friendly Name |
Description |
---|---|---|
account_number String |
Customer AN |
Category: GeneralProvides miscellaneous information about the request. Indicates your CDN account number (e.g., 0001). This account number may be viewed from the upper-right hand corner of the MCC. |
action_type String |
Action Type |
Category: EventProvides high-level information about the violation. Indicates the action that was triggered as a result of the violation. Valid values are:
|
client_city String |
City Name |
Category: Client GeographyProvides geographical information about the client that submitted the request. Indicates the city from which the request originated. |
String |
Country Code |
Category: Client GeographyProvides geographical information about the client that submitted the request. Indicates the two-character ISO 3166-1 code for the country from which the request originated. |
client_country String |
Country Name |
Category: Client GeographyProvides geographical information about the client that submitted the request. Indicates the country from which the request originated. |
client_ip String |
IP Address |
Category: Client NetworkDescribes the network of the client that submitted the request. Indicates the IP address for the computer that submitted the request to our CDN. |
host String |
Host |
Category: Request HeaderDescribes request header values. Indicates the Host header value sent in the client's request to the CDN. View examples.
Example 1: We will examine log data for the following request: http://wpc.0001.edgecastcdn.net/800001/myorigin/index.html
The following value will be reported for this field: wpc.0001.edgecastcdn.net
Example 2: We will examine log data for the following request: http://cdn.mydomain.com/index.html
The following value will be reported for this field: cdn.mydomain.com
|
referer String |
Referer |
Category: Request HeaderDescribes request header values. Indicates the Referer header value sent in the client's request to the CDN. This header reports the URL of the site from which the request originated. This field will typically be set to a blank value |
rule_message String |
Rule Message |
Category: EventProvides high-level information about the violation. Provides a description of the rule that the request violated. |
rule_tags Array of String Values |
Rule Tags |
Category: EventProvides high-level information about the violation. Indicates the tags associated with the rule that the request violated. These tags may be used to determine whether a rule, access control, or global setting was violated. |
server_port Integer |
Server Port |
Category: Network Provides information on where and how the request was handled by our network. Indicates the port number on an edge server to which the client directed a request. Valid values are:
|
sub_events_count Integer |
Sub Events Count |
Category: Sub EventIndicates how the request violated the security configuration. Indicates the total number of sub events. |
Array of Objects |
Sub Events |
Category: Sub EventIndicates how the request violated the security configuration. Contains a list of fields that describe each sub event associated with the current event. A sub event is reported for each rule violation incurred by a request. |
timestamp Number (Decimal) |
Epoch Time |
Category: ResponseDescribes the response sent from an edge server to the client that submitted the request. Indicates the Unix time, in seconds, at which an edge server delivered the requested content to the client. Syntax: Seconds.Microseconds
|
url String |
URL |
Category: RequestDescribes the request submitted to the CDN. Indicates the URL that was requested. |
user_agent String |
User Agent |
Category: Request HeaderDescribes request header values. Indicates the user agentRefers to software that acts on behalf of a user. For example, a web browser (e.g., FireFox, Chrome, and Internet Explorer) is a user agent. A web browser will make HTTP/HTTPS requests based on user actions (e.g., requesting a web site or clicking a link). that submitted the HTTP request to our CDN. |
uuid String |
Event ID |
Category: RequestDescribes the request submitted to the CDN. Indicates the unique ID assigned to the event. Pass this ID to the Get Event Log Entry endpoint to retrieve this event log entry. |
waf_instance_name String |
Instance Name |
Category: Security ConfigurationProvides information about the security configuration that was violated. Indicates the name of the instance that activated the profile containing the rule that the requested violated. |
waf_profile_name String |
Profile Name |
Category: Security ConfigurationProvides information about the security configuration that was violated. Indicates the name of the profile that triggered the violation. |
waf_profile_type String |
Profile Type |
Category: Security ConfigurationProvides information about the security configuration that was violated. Indicates whether the request was screened as a result of an instance’s production or audit profile. Valid values are: PRODUCTION | AUDIT
|
The sub_events array contains a list of fields that describe each sub event associated with the current event. A sub event is reported for each rule violation incurred by a request.
Field |
Friendly Name |
Description |
---|---|---|
matched_on String |
Matched On |
Indicates the variable that identifies where the violation was found. |
matched_value String |
Matched Value |
Indicates the value of the variable defined in the matched_on field. |
rule_id Integer |
Rule ID |
Indicates the ID for the rule that the request violated. |
rule_message String |
Rule Message |
Provides a description of the rule that the request violated. |
total_anomaly_score Integer |
Total Anomaly Score |
Indicates the total anomaly score for the current rule violation. This score is calculated by summing the anomaly score of the current rule violation with all rule violations reported above this sub event. View example.
The anomaly score incurred by each sub event in this example is listed below.
The total anomaly score for each sub event is listed below.
|
Sample log data that contains two log entries is provided below for all three log formats.
{ "agent_id": "1234500008619D55A", "seq_num": 0, "service": "waf", "account_number": "0001", "profile_id": 0, "datestamp": "20201008", "logs": [{ "timestamp": 1602200337.177535713, "user_agent": "curl/7.64.1", "url": "https://cdn.example.com/", "client_ip": "190.220.230.2", "referer": "", "host": "cdn.example.com", "uuid": "38046679731278771327748811544613832704", "client_country_code": "US", "waf_profile_name": "Site 1", "waf_profile_type": "PRODUCTION", "waf_instance_name": "Site 1 Instance", "sub_events_count": 1, "sub_events": [{ "total_anomaly_score": 0, "matched_on": "REQUEST_METHOD", "matched_value": "POST", "rule_id": 80009, "rule_message": "Method is not allowed by policy" } ], "rule_tags": [], "rule_message": "Method is not allowed by policy", "action_type": "BLOCK_REQUEST", "server_port": 443, "client_country": "United States", "client_city": "Los Angeles" }, { "timestamp": 1602200338.598465258, "user_agent": "curl/7.64.1", "url": "https://cdn.example.com/", "client_ip": "230.180.240.23", "referer": "", "host": "cdn.example.com", "uuid": "38046679731278771327748811544613832998", "client_country_code": "US", "waf_profile_name": "Site 1", "waf_profile_type": "PRODUCTION", "waf_instance_name": "Site 1 Instance", "sub_events_count": 1, "sub_events": [{ "total_anomaly_score": 0, "matched_on": "REQUEST_METHOD", "matched_value": "POST", "rule_id": 80009, "rule_message": "Method is not allowed by policy" } ], "rule_tags": [], "rule_message": "Method is not allowed by policy", "action_type": "BLOCK_REQUEST", "server_port": 443, "client_country": "United States", "client_city": "Los Angeles" } ] }
[{ "timestamp": 1602200337.177535713, "user_agent": "curl/7.64.1", "url": "https://cdn.example.com/", "client_ip": "190.220.230.2", "referer": "", "host": "cdn.example.com", "uuid": "38046679731278771327748811544613832704", "client_country_code": "US", "waf_profile_name": "Site 1", "waf_profile_type": "PRODUCTION", "waf_instance_name": "Site 1 Instance", "sub_events_count": 1, "sub_events": [{ "total_anomaly_score": 0, "matched_on": "REQUEST_METHOD", "matched_value": "POST", "rule_id": 80009, "rule_message": "Method is not allowed by policy" } ], "rule_tags": [], "rule_message": "Method is not allowed by policy", "action_type": "BLOCK_REQUEST", "server_port": 443, "client_country": "United States", "client_city": "Los Angeles" }, { "timestamp": 1602200338.598465258, "user_agent": "curl/7.64.1", "url": "https://cdn.example.com/", "client_ip": "230.180.240.23", "referer": "", "host": "cdn.example.com", "uuid": "38046679731278771327748811544613832998", "client_country_code": "US", "waf_profile_name": "Site 1", "waf_profile_type": "PRODUCTION", "waf_instance_name": "Site 1 Instance", "sub_events_count": 1, "sub_events": [{ "total_anomaly_score": 0, "matched_on": "REQUEST_METHOD", "matched_value": "POST", "rule_id": 80009, "rule_message": "Method is not allowed by policy" } ], "rule_tags": [], "rule_message": "Method is not allowed by policy", "action_type": "BLOCK_REQUEST", "server_port": 443, "client_country": "United States", "client_city": "Los Angeles" } ]
{"user_agent": "Mozilla/5.0 (Windows NT ...Represents a log entry.} {"user_agent": "Mozilla/5.0 (Windows NT ...}
Edgecast CDN