Help Center/ Edge Security/ User Guide/ Security Protection/ Protection Statistics/ Managing Logs
Updated on 2024-10-31 GMT+08:00
View PDF
Share

Managing Logs

After you authorize EdgeSec to access Log Tank Service (LTS), you can use the EdgeSec logs recorded by LTS for quick and efficient real-time analysis, device O&M management, and analysis of service trends.

LTS analyzes and processes a large number of logs. It enables you to process logs in real-time, efficiently, and securely. Logs can be stored in LTS for seven days by default but you can configure LTS for up to 30 days if needed. Logs earlier than 30 days are automatically deleted. However, you can configure LTS to dump those logs to an Object Storage Service (OBS) bucket or enable Data Ingestion Service (DIS) for long-term storage.

  • On the LTS console, you can view logs for the last 30 days and download logs for the last five days.
  • LTS is billed by traffic and is billed separately from EdgeSec. For details about LTS pricing, see Price Calculator.
  • If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your EdgeSec instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure EdgeSec logging.

Prerequisites

A protected website has been added. For details, see Adding a Website to EdgeSec.

Enabling LTS for EdgeSec Protection Event Logging

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Content Delivery & Edge Computing > CDN and Security.
  3. Select the configuration path as required.

    Configure EdgeSec logs. In the navigation pane, choose Edge SecurityEdge Security > Statistic. On the Statistic page that is displayed, click the Configure Logs tab.

  4. Enable the all log recording and select a log group or click LTS. Table 1 describes the related parameters. Go to the LTS console to create a log group and log stream. For details, see Creating Log Groups and Log Streams.

    Table 1 Log parameters

    Parameter

    Description

    Example Value

    Log Group

    Select a log group or click View Log Group to go to the LTS console and create a log group.

    lts-group-qhse

    HTTP Attack Log

    If this option is enabled, select a log stream or click View Log Stream to go to the LTS console and create a log stream.

    lts-topic-8dvf

    DDoS Attack Log

    If this option is enabled, select a log stream or click View Log Stream to go to the LTS console and create a log stream.

    lts-topic-8n7I

  5. Click OK.

Viewing Protection Logs on LTS

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Management & Deployment > Log Tank Service.
  3. In the log group list, click to expand the log group (for example, lts-group-EdgeSec).
  4. Viewing attack logs

    1. In the log stream list, click the name of the configured attack log stream.
      Figure 1 Log stream name configured for attack logs
    2. View attack logs.

Fields in HTTP attack logs

Field

Type

Description

Remarks

id

string

Attack event ID.

-

geo

string

Geolocation

c indicates the country, and r indicates the province.

sip

string

Attacking source IP address

-

attackTime

string

Attack time

-

tenantId

string

Tenant ID

-

host

string

Domain name

-

hostId

string

Domain name ID

-

enterpriseProjectId

string

Enterprise project ID

-

projectId

string

Project ID of the region where the tenant is located

-

siteSn

string

Site name

-

rule

string

Rule ID

-

ruleName

sting

Rule name

-

method

string

Attack request method

-

url

string

Attack request URL

-

requestHeader

string

Attack request header

-

requestParams

string

Attack request parameters

-

cookie

string

Attack request cookie

-

requestBody

string

Attack request body

-

status

string

Attack response code

When functioning as a web server, the Nginx processes client requests and returns this response code.

responseHeaders

string

Attack response header

-

responseBody

string

Attack response body

-

responseSize

long

Attack response body size

-

upstreamStatus

string

Attack response code of the upstream server

Response code returned by the upstream server when the Nginx functions as a reverse proxy server which forwards a client request to the upstream server.

upstreamResponseTime

string

Attack response time

-

processTime

string

Attack processing time

-

attackCount

long

Number of attacks

-

attackCategory

string

Attack type

-

attack

string

Attack details

The key and value of attack indicate the attack type and number of attacks, respectively. The key and value of action indicate the protection action and number of actions, respectively.

maliciousData

string

Malicious data that triggers the rule

-

maliciousLocation

string

Malicious data location

-

policyId

string

Policy ID

-

Fields in DDoS attack logs

Field

Type

Description

Remarks

id

string

Attacked target IP address

-

attackTime

long

Attack time

-

tenantId

string

Tenant ID

-

siteId

string

Site ID

-

attackType

string

Attack source type

-

avgBps

long

Average attack traffic bandwidth

-

avgPps

long

Average number of forwarded attack data packets

-

maxBps

long

Maximum attack traffic bandwidth

-

maxPps

long

Maximum number of forwarded attack data packets

-

Log Tag Fields

Field

Type

Description

Remarks

_resource_id

string

Resource ID

Attack source. Currently, HTTP and DDoS are supported.

_resource_name

string

Resource name.

Log type. Currently, only attack logs are supported.

_service_type

string

Service type.

Cloud service type. The value is EdgeSec.
Parent topic: Protection Statistics