Enabling Logging
Advanced Anti-DDoS is interconnected with Log Tank Service (LTS), and the console provides a log analysis and query page. After you enable Advanced Anti-DDoS, you can record attack logs to LTS. Using this log data, you can efficiently perform real-time analysis, security O&M, and service trend tracking.
LTS processes and analyzes large volumes of logs. It allows you to manage logs in real time, efficiently, and securely. Logs are stored in LTS for 30 days by default, but you can configure a retention period of up to 365 days. Logs that exceed this retention period are automatically deleted. However, you can configure LTS to dump these logs to an Object Storage Service (OBS) bucket or enable Data Ingestion Service (DIS) for long-term storage.
Notes and Constraints
A log stream can only record one type of logs. To record both attack logs and attack details, create two log streams.
Prerequisites
LTS has been enabled. For details, see Managing Log Groups and Managing Log Streams.
You will be billed for using the Log Tank Service (LTS). For billing details, see LTS Pricing Details.
Enabling AAD Logging
- Log in to the AAD console.
- In the navigation pane on the left, choose . The Dashboard page is displayed.
- Click the Logs tab page. Click Connect to LTS.
- Configure log interconnection. For details, see Figure 1.
Table 1 AAD log parameters Parameter
Description
Log Group Region
Select the region to which the log group belongs.
Log Types
Select the types of logs to be recorded.
Log Group
A log group is the basic unit for LTS to manage logs. It comprises log streams and categorizes them. A log group does not store any log data. It only helps with log stream management.
Select a log group or click Create Log Group to go to the LTS console and create a log group.
Instance Attack Logs
A log stream is the basic unit for reading and writing logs. Different types of collected logs are classified and stored in different log streams for easier management.
Select a log stream for recording instance attack logs.
Instance Attack Details
Select a log stream for recording attack log details.
- Click OK.
- Check or analyze logs.
After CNAD is connected to LTS, the recorded logs are automatically displayed on the Logs tab page. You can check and analyze the logs. For more information, see Searching for and Analyzing Logs.
Figure 2 Checking logs
Log Fields in LTS
This section describes the fields of AAD logs.
| Field | Description |
|---|---|
| ip | Attacked IP address |
| ip_id | ID of the attacked IP address |
| attack_type | Attack type |
| attack_protocol | This field is not used currently. The default value is 0. |
| attack_start_time | Time the attack starts, which is a timestamp accurate to millisecond. |
| attack_status | Attack status.
|
| drop_kbits | The minute-level maximum attack traffic, in bits. |
| attack_pkts | The minute-level maximum number of attack packets |
| duration_elapse | Duration of an ended security event, in seconds. |
| end_time | Time the attack ends, which is a timestamp accurate to millisecond. For an ongoing security event, the value of this field is 0. |
| max_drop_kbps | Peak attack traffic, in Kbit/s. |
| max_drop_pps | Peak attack packets, in pps. |
| Field | Description |
|---|---|
| attackStatus | Attack status |
| attackType | Attack status
|
| attackTypeDescCn | Attack type, in Chinese. |
| attackTypeDescEn | Attack type, in English. |
| attackUnit | Attack unit |
| attacker | Attack source |
| attackerKbps | Peak attack traffic, in kbps. |
| attackerPps | Peak attack traffic, in pps. |
| direction | Log direction
|
| dropKbits | Total volume of discarded traffic, in kbits. |
| dropPackets | Total number of discarded packets. |
| duration | Attack duration, in seconds. |
| handleTime | Time when the log is processed. |
| logTime | Log time |
| logType | Log type |
| maxDropKbps | Peak value of discarded IP traffic, in kbps. |
| maxDropPps | Peak value of discarded IP traffic, in pps. |
| port | Port number |
| startTimeAlert | Start time of an exception |
| timeScale | Time identifier (identifier for minute-level processing time or hour-level processing time). |
| valid | Indicates whether logs are successfully parsed. |
| writeTime | Persistence time |
| zoneIP | Protected IP |
| startTimeAttack | Time when the attack starts |
| startTimeKey | ID of an attack starting at a certain time |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
