Updated on 2024-12-24 GMT+08:00

Enabling Logging

After you authorize AAD to access Log Tank Service (LTS), you can use the AAD logs recorded by LTS for quick and efficient real-time analysis, device O&M management, and analysis of service trends.

Prerequisites

LTS has been enabled. For details, see Managing Log Groups and Managing Log Streams.

Enabling AAD Logging

  1. Log in to the management console.
  2. Select a region in the upper part of the page, click in the upper left corner of the page, and choose Security & Compliance > Anti-DDoS Service. The Anti-DDoS Service Center page is displayed.
  3. In the navigation pane on the left, choose Advanced Anti-DDoS > Dashboard. The Dashboard page is displayed.
  4. Click Logs, enable full logs, and configure log groups and log streams. For details about related parameters, see Figure 1.

    Figure 1 Configuring AAD logs

    Table 1 AAD log parameters

    | Parameter | Description |
    | --- | --- |
    | Enterprise Project | Select an enterprise project. |
    | Log Group Region | Select the region to which the log group belongs. |
    | Log Group | Select a log group or click View Log Group to go to the LTS console and create a log group. |
    | Instance Attack Logs | Select a log stream or click View Log Stream to go to the LTS console and create a log stream. An attack log includes information about event type, protective action, and attack source IP address of each attack. For details about the log fields, see Table 2. |
    | Instance Attack Details | Select a log stream or click View Log Stream to go to the LTS console and create a log stream. Instance attack details include the attack start time, end time, attack status, and attack type. For details about the fields, see Table 3. |

  5. Click OK.

    You can view protection logs on the LTS console.

Log Fields in LTS

This section describes the fields of AAD logs.

Table 2 Fields in an instance attack log

| Field | Description |
| --- | --- |
| ip | Attacked IP address |
| ip_id | ID of the attacked IP address |
| attack_type | Attack type |
| attack_protocol | This field is not used currently. The default value is 0. |
| attack_start_time | Time the attack starts, which is a timestamp accurate to the millisecond. |
| attack_status | Attack status. ATTACK: The attack is ongoing. NORMAL: The attack ends. |
| drop_kbits | The minute-level maximum attack traffic, in bits. |
| attack_pkts | The minute-level maximum number of attack packets |
| duration_elapse | Duration of an ended security event, in seconds. |
| end_time | Time the attack ends, which is a timestamp accurate to the millisecond. For an ongoing security event, the value of this field is 0. |
| max_drop_kbps | Peak attack traffic, in Kbit/s. |
| max_drop_pps | Peak attack packets, in pps. |
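The following is an added example, not part of the original documentation or of any Huawei Cloud tooling: it triages instance attack log records using the Table 2 fields, separating ongoing attacks from ended events and flagging records whose attack_status and end_time disagree. It assumes records are exported from LTS as one JSON object per line; the sample records, the attack_type values, the function names, and the alert threshold are all constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed records for illustration; only the field names come from Table 2.
SAMPLE_LINES = [
    '{"ip":"192.0.2.10","attack_type":"TYPE_A","attack_status":"ATTACK",'
    '"attack_start_time":1735000000000,"end_time":0,"duration_elapse":0,'
    '"max_drop_kbps":950000,"max_drop_pps":130000}',
    '{"ip":"192.0.2.20","attack_type":"TYPE_B","attack_status":"NORMAL",'
    '"attack_start_time":1734990000000,"end_time":1734990300000,'
    '"duration_elapse":300,"max_drop_kbps":42000,"max_drop_pps":9000}',
    '{"ip":"192.0.2.30","attack_type":"TYPE_A","attack_status":"NORMAL",'
    '"attack_start_time":1734980000000,"end_time":0,"duration_elapse":0,'
    '"max_drop_kbps":1000,"max_drop_pps":200}',  # ended, yet end_time is 0
    'not-json',                                   # garbled line
]

def ms_to_utc(ms):
    """Convert a millisecond timestamp to UTC; 0 (unset) maps to None."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc) if ms else None

def triage(lines, peak_kbps_alert=500_000):
    """Split records into ongoing attacks, ended events, and records to review."""
    out = {"ongoing": [], "ended": [], "review": []}
    for n, line in enumerate(lines, 1):
        try:
            r = json.loads(line)
            status, end_ms = r["attack_status"], int(r["end_time"])
            start_ms = int(r["attack_start_time"])
            peak, dur = int(r["max_drop_kbps"]), int(r["duration_elapse"])
        except (ValueError, KeyError, TypeError):
            out["review"].append((n, "unparseable"))
            continue
        if status == "ATTACK" and end_ms == 0:
            out["ongoing"].append({"ip": r["ip"], "start": ms_to_utc(start_ms),
                                   "peak_kbps": peak, "alert": peak >= peak_kbps_alert})
        elif status == "NORMAL" and end_ms > 0:
            # Assumption: duration_elapse spans attack_start_time to end_time.
            span = (end_ms - start_ms) // 1000
            out["ended"].append({"ip": r["ip"], "seconds": span,
                                 "duration_matches": span == dur})
        else:
            out["review"].append((n, "status/end_time mismatch"))
    return out
```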

Table 3 Description of fields in the instance attack details

| Field | Description |
| --- | --- |
| attackStatus | Attack status |
| attackType | Attack status. ATTACK: The attack is ongoing. NORMAL: The attack ends. |
| attackTypeDescCn | Attack type, in Chinese. |
| attackTypeDescEn | Attack type, in English. |
| attackUnit | Attack unit |
| attacker | Attack source |
| attackerKbps | Peak attack traffic, in kbps. |
| attackerPps | Peak attack traffic, in pps. |
| direction | Log direction: inbound or outbound |
| dropKbits | Total volume of discarded traffic, in kbps. |
| dropPackets | Total number of discarded packets. |
| duration | Attack duration, in seconds. |
| handleTime | Time when the log is processed. |
| logTime | Log time |
| logType | Log type |
| maxDropKbps | Peak value of discarded IP traffic, in kbps. |
| maxDropPps | Peak value of discarded IP traffic, in pps. |
| port | Port number |
| startTimeAlert | Start time of an exception |
| timeScale | Time identifier (identifier for minute-level processing time or hour-level processing time). |
| valid | Indicates whether logs are successfully parsed. |
| writeTime | Persistence time |
| zoneIP | Protected IP |
| startTimeAttack | Time when the attack starts |
| startTimeKey | ID of an attack starting at a certain time |