Updated on 2026-07-06 GMT+08:00

Enabling Logging

Advanced Anti-DDoS is interconnected with Log Tank Service (LTS), and the console provides a log analysis and query page. After you enable Advanced Anti-DDoS, you can record attack logs to LTS. Using this log data, you can efficiently perform real-time analysis, security O&M, and service trend tracking.

LTS processes and analyzes large volumes of logs. It allows you to manage logs in real time, efficiently, and securely. Logs are stored in LTS for 30 days by default, but you can configure a retention period of up to 365 days. Logs that exceed this retention period are automatically deleted. However, you can configure LTS to dump these logs to an Object Storage Service (OBS) bucket or enable Data Ingestion Service (DIS) for long-term storage.

Notes and Constraints

A log stream can only record one type of logs. To record both attack logs and attack details, create two log streams.

Prerequisites

LTS has been enabled. For details, see Managing Log Groups and Managing Log Streams.

You will be billed for using the Log Tank Service (LTS). For billing details, see LTS Pricing Details.

Enabling AAD Logging

  1. Log in to the AAD console.
  2. In the navigation pane on the left, choose Advanced Anti-DDoS > Dashboard. The Dashboard page is displayed.
  3. Click the Logs tab page. Click Connect to LTS.
  4. Configure log interconnection. For details, see Figure 1.

    Figure 1 Configuring AAD logs
    Table 1 AAD log parameters

    Parameter

    Description

    Log Group Region

    Select the region to which the log group belongs.

    Log Types

    Select the types of logs to be recorded.

    • Instance Attack Logs: An attack log includes information about the event type, protective action, and source IP address of an attack. For details, see Table 2.
    • Instance Attack Details: It includes the attack start time, end time, attack status, and attack type. For details, see Table 3.

    Log Group

    A log group is the basic unit for LTS to manage logs. It comprises log streams and categorizes them. A log group does not store any log data. It only helps with log stream management.

    Select a log group or click Create Log Group to go to the LTS console and create a log group.

    Instance Attack Logs

    A log stream is the basic unit for reading and writing logs. Different types of collected logs are classified and stored in different log streams for easier management.

    Select a log stream for recording instance attack logs.

    Instance Attack Details

    Select a log stream for recording attack log details.

  5. Click OK.
  6. Check or analyze logs.

    After CNAD is connected to LTS, the recorded logs are automatically displayed on the Logs tab page. You can check and analyze the logs. For more information, see Searching for and Analyzing Logs.

    Figure 2 Checking logs

Log Fields in LTS

This section describes the fields of AAD logs.

Table 2 Fields in an instance attack log

Field

Description

ip

Attacked IP address

ip_id

ID of the attacked IP address

attack_type

Attack type

attack_protocol

This field is not used currently. The default value is 0.

attack_start_time

Time the attack starts, which is a timestamp accurate to millisecond.

attack_status

Attack status.

  • ATTACK: The attack is ongoing.
  • NORMAL: The attack ends.

drop_kbits

The minute-level maximum attack traffic, in bits.

attack_pkts

The minute-level maximum number of attack packets

duration_elapse

Duration of an ended security event, in seconds.

end_time

Time the attack ends, which is a timestamp accurate to millisecond. For an ongoing security event, the value of this field is 0.

max_drop_kbps

Peak attack traffic, in Kbit/s.

max_drop_pps

Peak attack packets, in pps.

Table 3 Description of fields in the instance attack details

Field

Description

attackStatus

Attack status

attackType

Attack status

  • ATTACK: The attack is ongoing.
  • NORMAL: The attack ends.

attackTypeDescCn

Attack type, in Chinese.

attackTypeDescEn

Attack type, in English.

attackUnit

Attack unit

attacker

Attack source

attackerKbps

Peak attack traffic, in kbps.

attackerPps

Peak attack traffic, in pps.

direction

Log direction

  • inbound
  • outbound

dropKbits

Total volume of discarded traffic, in kbits.

dropPackets

Total number of discarded packets.

duration

Attack duration, in seconds.

handleTime

Time when the log is processed.

logTime

Log time

logType

Log type

maxDropKbps

Peak value of discarded IP traffic, in kbps.

maxDropPps

Peak value of discarded IP traffic, in pps.

port

Port number

startTimeAlert

Start time of an exception

timeScale

Time identifier (identifier for minute-level processing time or hour-level processing time).

valid

Indicates whether logs are successfully parsed.

writeTime

Persistence time

zoneIP

Protected IP

startTimeAttack

Time when the attack starts

startTimeKey

ID of an attack starting at a certain time