Managing Logs

Updated on 2025-03-04 GMT+08:00

View PDF

After you authorize EdgeSec to access Log Tank Service (LTS), you can use the EdgeSec logs recorded by LTS for quick and efficient real-time analysis, device O&M management, and analysis of service trends.

LTS analyzes and processes a large number of logs. It enables you to process logs in real-time, efficiently, and securely. Logs can be stored in LTS for seven days by default but you can configure LTS for up to 30 days if needed. Logs earlier than 30 days are automatically deleted. However, you can configure LTS to dump those logs to an Object Storage Service (OBS) bucket or enable Data Ingestion Service (DIS) for long-term storage.

NOTE:

On the LTS console, you can view logs for the last 30 days and download logs for the last five days.
LTS is billed by traffic and is billed separately from EdgeSec. For details about LTS pricing, see Price Calculator.
If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your EdgeSec instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure EdgeSec logging.

For details about how to configure protection logs, see Enabling LTS for EdgeSec Protection Event Logging.
For details about how to view logs on the LTS console, see Viewing Protection Logs on LTS.
EdgeSec supports HTTP attack logs and DDoS attack logs.
- For details about the fields in HTTP attack logs, see Fields in HTTP attack logs.
- For details about the fields in DDoS attack logs, see Fields in DDoS attack logs.

Prerequisites

A protected website has been added. For details, see Adding a Website to EdgeSec.

Enabling LTS for EdgeSec Protection Event Logging

Log in to the management console.
Click in the upper left corner of the page and choose Content Delivery & Edge Computing > CDN and Security.
Select the configuration path as required.

Configure EdgeSec logs. In the navigation pane, choose Edge SecurityEdge Security > Statistic. On the Statistic page that is displayed, click the Configure Logs tab.

Enable the all log recording and select a log group or click LTS. Table 1 describes the related parameters. Go to the LTS console to create a log group and log stream. For details, see Creating Log Groups and Log Streams.

**Table 1** Log parameters
Parameter	Description	Example Value
Log Group	Select a log group or click View Log Group to go to the LTS console and create a log group.	lts-group-qhse
HTTP Attack Log	If this option is enabled, select a log stream or click View Log Stream to go to the LTS console and create a log stream.	lts-topic-8dvf
DDoS Attack Log	If this option is enabled, select a log stream or click View Log Stream to go to the LTS console and create a log stream.	lts-topic-8n7I

Click OK.

Viewing Protection Logs on LTS

Log in to the management console.
Click in the upper left corner of the page and choose Management & Deployment > Log Tank Service.
In the log group list, click to expand the log group (for example, lts-group-EdgeSec).
Viewing attack logs
1. In the log stream list, click the name of the configured attack log stream.
  Figure 1 Log stream name configured for attack logs
2. View attack logs.

Fields in HTTP attack logs

Field	Type	Description	Remarks
id	string	Attack event ID.	-
geo	string	Geolocation	c indicates the country, and r indicates the province.
sip	string	Attacking source IP address	-
attackTime	string	Attack time	-
tenantId	string	Tenant ID	-
host	string	Domain name	-
hostId	string	Domain name ID	-
enterpriseProjectId	string	Enterprise project ID	-
projectId	string	Project ID of the region where the tenant is located	-
siteSn	string	Site name	-
rule	string	Rule ID	-
ruleName	sting	Rule name	-
method	string	Attack request method	-
url	string	Attack request URL	-
requestHeader	string	Attack request header	-
requestParams	string	Attack request parameters	-
cookie	string	Attack request cookie	-
requestBody	string	Attack request body	-
status	string	Attack response code	When functioning as a web server, the Nginx processes client requests and returns this response code.
responseHeaders	string	Attack response header	-
responseBody	string	Attack response body	-
responseSize	long	Attack response body size	-
upstreamStatus	string	Attack response code of the upstream server	Response code returned by the upstream server when the Nginx functions as a reverse proxy server which forwards a client request to the upstream server.
upstreamResponseTime	string	Attack response time	-
processTime	string	Attack processing time	-
attackCount	long	Number of attacks	-
attackCategory	string	Attack type	-
attack	string	Attack details	The key and value of attack indicate the attack type and number of attacks, respectively. The key and value of action indicate the protection action and number of actions, respectively.
maliciousData	string	Malicious data that triggers the rule	-
maliciousLocation	string	Malicious data location	-
policyId	string	Policy ID	-

Fields in DDoS attack logs

Field	Type	Description	Remarks
id	string	Attacked target IP address	-
attackTime	long	Attack time	-
tenantId	string	Tenant ID	-
siteId	string	Site ID	-
attackType	string	Attack source type	-
avgBps	long	Average attack traffic bandwidth	-
avgPps	long	Average number of forwarded attack data packets	-
maxBps	long	Maximum attack traffic bandwidth	-
maxPps	long	Maximum number of forwarded attack data packets	-

Log Tag Fields

Field	Type	Description	Remarks
_resource_id	string	Resource ID	Attack source. Currently, HTTP and DDoS are supported.
_resource_name	string	Resource name.	Log type. Currently, only attack logs are supported.
_service_type	string	Service type.	Cloud service type. The value is EdgeSec.