Log Fields (RTLD CDN)

Log data is reported as a JSON document. Log format determines whether log data identification information will be included and how the data is formatted. Each type of log format is described below.

JSON: This format includes:
- Top-level name/value pairs that uniquely identify the set of log entries reported in the JSON document.
- An object for each log entry associated with the current JSON document.
View a sample log file.
JSON Array: This format generates a JSON document that contains an array of objects. Each object is a log entry associated with the current JSON document.

View a sample log file.
JSON Lines: This format generates an invalid JSON document that contains an object on each line. Each object is a log entry associated with the current JSON document. This object is an exact match for an object contained by the Logs array.

View a sample log file.
CSV: This format generates a comma-separated value (CSV) document with the following format:
- First Line: Identifies the set of log fields that will be reported for each log entry and the order in which data for these fields will be reported. View log field definitions within the Logs Array section.
- Subsequent Lines: Each subsequent line contains a log entry. Each log entry contains comma-separated values for the log fields identified in the first line.
Adding or removing log fields may alter the order in which they are reported within a CSV document. It is important to rely on the CSV’s first line to identify the set of log fields that are reported for each log entry and the order in which data for those fields will be provided.

View a sample log file.

If log data uses either the CSV, JSON Array, or JSON Lines log format, then it will not contain information that uniquely identifies a set of log data. If log data is delivered to a destination other than AWS S3, Azure Blob Storage, or Google Cloud Storage, then there is no way to check for gaps in sequence numbers when attempting to identify missing log data.

A log entry describes a HTTP/HTTPS request that was submitted to our CDN.

Top-Level Name/Value Pairs

Top-level name/value pairs are unavailable for the CSV, JSON Array, and JSON Lines log formats. If you require this information, please choose the standard JSON log format.

Top-level name/value pairs are described below.

account_number (String): Customer Account Number. Indicates your CDN account number (e.g., 0001).
agent_id (String): Agent ID. Indicates the unique ID that identifies the Real-Time Log Delivery software agent that generated the log data.
datestamp (String): Date Stamp. Indicates the date on which the log data was generated.

Syntax: YYYYMMDD

Example: 20230412
logs (Array of Objects): Log Data. Describes the log entries associated with the current JSON document. Each object contains a set of fields that describe the request/response for a single log entry.
platform (String): Platform. Returns wpc.
profile_id (Integer): Profile ID. Identifies a RTLD profile by its system-defined ID.
seq_num (Integer): Sequence Number. Indicates the sequential number that identifies the order in which the log data was generated by the software agent identified by the agent_id field.

logs Array

The logs array contains an object for each log entry associated with the current JSON document. Each log entry describes a request to our CDN via the following fields:

account_number (String): Customer AN. (Category: General) Indicates your CDN account number (e.g., 0001).
auth_user (String): User (Basic Authentication). (Category: Request) Indicates the user name passed in the request URL for the purpose of HTTP basic authentication.

Sample request: http://joe:mypassword@cdn.mydomain.com/index.html

The following value will be reported for this field: joe
background_fill_wait_time ():** Background Fill Wait Time. (Category: Network) Indicates the amount of time, in seconds, that it took for a sub-request to receive the first byte of the response.
bytes_in (Integer): Bytes In. (Category: Network) Indicates the sum of the number of bytes read from both of the following sources:
- Requesting client
- Origin server
bytes_out (Integer): Bytes Out. (Category: Network) Indicates the number of bytes sent in the response from the edge server to the client.
cache_status (String): Cache Status Code. (Category: Response) Indicates the cache status code that was generated by the request. This code indicates how the request was handled by the CDN with regards to caching.

Sample value: TCP_HIT
client_as_org (String): AS Org. (Category: Client Network) Indicates the organization corresponding to the client’s ASN.
client_asn (Integer): ASN. (Category: Client Network) Indicates the Autonomous System Number (ASN) associated with the client’s IP address.
client_city (String): City. (Category: Client Geography) Indicates the city from which the request originated.
client_continent_code (String): Continent Code. (Category: Client Geography) Indicates the continent from which the request originated using one of the following codes:
- AF: Africa
- AS: Asia
- EU: Europe
- NA: North America
- OC: Oceania
- SA: South and Central America
- Empty String: Unknown continent
client_country_code (String): Country Code. (Category: Client Geography) Indicates the two-character ISO 3166-1 code for the country from which the request originated.
client_geo_latitude (Decimal): Latitude. (Category: Client Geography) Indicates the approximate latitude of the postal code, city, subdivision, or country associated with the client’s IP address.

A null value is reported when the client’s latitude cannot be determined.
client_geo_longitude (Decimal): Longitude. (Category: Client Geography) Indicates the approximate longitude of the postal code, city, subdivision, or country associated with the client’s IP address.

A null value is reported when the client’s longitude cannot be determined.
client_ip_version (String): IP Version. (Category: Client Network) Indicates the client’s IP version number. Valid values are:
- INET: IPv4
- INET6: IPv6
client_ip (String): IP Address. (Category: Client Network) Indicates the IP address for the computer that submitted the request to our CDN.
client_isp (String): ISP. (Category: Client Network) Indicates the Internet Service Provider (ISP) associated with the client’s IP address.
client_port (Integer): Port. (Category: Client Network) Indicates the port number on the client’s computer to which the HTTP response was directed.
client_protocol (String): Protocol. (Category: Request) Indicates the HTTP protocol and version defined within the client’s request. Valid values are:

HTTP_1_0 | HTTP_1_1 | HTTP_2_0
client_region (String): Region. (Category: Client Geography) Indicates the geographical region (e.g., state or province) from which the request originated.
client_tls_cipher (String): SSL Cipher Name. (Category: Request) Indicates the cipher suite used in the handshake between the client that submitted the request and one of our servers.

Example: TLS_AES_256_GCM_SHA384
client_tls_version (String): TLS Version. (Category: Request) Indicates the TLS protocol version used for the communication between the client and our network.

Example: TLSv1.3
cookie_<COOKIE>** (String):** Cookie. Indicates the value of the cookie defined within the field name. A key-value pair will be included for each cookie defined within the Custom Cookies option.

Example: The following key-value pair indicates that the sessionId cookie was set to abc123def:

"cookie_sessionId": "abc123def",
custom_field (String): Custom Field. (Category: General) Indicates the data defined by the Custom Log Field feature.

This field returns an empty string when you have not configured custom data logging via the Custom Log Field feature.
file_size (Integer): File Size. (Category: Response) Indicates the size, in bytes, of the requested asset (i.e., response body).
first_byte_served (Integer): First Byte Served. (Category: Network) Indicates whether the first byte of the requested content was served to the client. Valid values are:
- 1: True
- 0: False
host (String): Hostname. (Category: Request Header) Indicates the Host header value sent in the client’s request to the CDN.
last_byte_served (Integer): Last Byte Served. (Category: Network) Indicates whether the last byte of the requested content was served to the client. Valid values are:
- 1: True
- 0: False
method (String): HTTP Method. (Category: Request) Indicates the request’s HTTP method (e.g., GET, HEAD, and POST).
origin_name (String): Origin Name. (Category: Request Header) Indicates the hostname that was requested.
path (String): URL Path. (Category: Request) Indicates the URL path for the CDN content that was requested, posted, or deleted. This URL, which excludes the query string, is reported as a relative path that starts directly after the hostname.

What is the difference between path and rewritten_path?

The path field always reports the requested URL’s relative path, while rewritten_path reports the relative path after the URL has been rewritten.
platform (String): Platform. (Category: Network) Returns wpc.
pop (String): POP. (Category: Network) Identifies the POP that handled the client’s request by its three-letter abbreviation.
prewrite_time (Decimal): Prewrite Time. (Category: Performance) Indicates the length of time, in seconds, that it took to initiate the response to the client. This metric measures the duration between when an edge server receives a request and when it starts sending the response to the client.

Syntax: <SECONDS>.<MICROSECONDS>
proxy_ip (String): Proxy IP. (Category: Network) Indicates the IP address for the server to which an edge server forwarded a request. This IP address may identify an Origin Shield server or a web server associated with your origin configuration.
proxy_port (Integer): Proxy Port. (Category: Network) Indicates the port number on an Origin Shield server or a web server associated with your origin configuration. Valid values are:
- 0: Indicates that the request was not proxied.
- 80: HTTP request
- 443: HTTPS request
proxy_type (String): Proxy Type. (Category: Network) Indicates the type of server to which an edge server forwarded a request. Valid values are:
- NONE: Indicates that the request was served directly from the edge of our network and therefore it was not proxied to another server.
- MIDGRESS: Indicates that an edge server proxied the request to a different CDN server.
  
  Examples:
  - The request was proxied to an Origin Shield server.
  - The request was proxied to a peer edge server due to hotfiling. Hotfiling refers to the process of loading an asset cached on an edge server to multiple edge servers within the same POP. Hotfiling takes place when there is a sudden spike in traffic for a specific asset. It is designed to reduce the number of requests that are forwarded to an origin server..
- ORIGIN: Indicates that the request was proxied to an external web server associated with an origin configuration.
query (String): Query String. (Category: Request) Indicates the query string defined in the request URL.

This field excludes the question mark that delimits the query string from the request URL.
read_time (Decimal): Read Time. (Category: Performance) Indicates the length of time, in seconds, that it took an edge server to read the response. This measurement varies according to the number of layers (e.g., peer edge server, Origin Shield server, or origin server) through which the request is proxied.

Our servers forward data as it is read. This means that the read_time and write_time reported for an asset spans over an overlapping time period.

Syntax: <SECONDS>.<MICROSECONDS>
referer (String): Referrer. (Category: Request Header) Indicates the Referer header value sent in the client’s request to the CDN. This header reports the URL of the site from which the request originated.
req_hdr_<REQUEST_HEADER> (String): Request Header. Indicates the value of the request header defined within the field name. A key-value pair will be included for each request header defined within the Custom Request Headers option.

The name of this field identifies a request header using lowercase letters. Additionally, hyphens in the request header’s name are converted to underscores.

Example: The following key-value pair indicates that the Accept-Encoding request header was set to gzip, deflate: "req_hdr_accept_encoding": "gzip, deflate",
resp_hdr_<RESPONSE_HEADER> (String): Response Header. Indicates the value of the response header defined within the field name. A key-value pair will be included for each response header defined within the Custom Response Headers option.

The name of this field identifies a response header using lowercase letters. Additionally, hyphens in the response header’s name are converted to underscores.

Example: The following key-value pair indicates that the Content-Length request header was set to 445: "resp_hdr_content_length": "445",
rewritten_path (String): Rewritten URL Path. (Category: Request) Indicates the rewritten URL path for the CDN content that was requested, posted, or deleted. This URL, which excludes the query string, is reported as a relative path that starts directly after the hostname.

What is the difference between path and rewritten_path?

The path field always reports the requested URL’s relative path, while rewritten_path reports the relative path after the URL has been rewritten.
scheme (String): Scheme. (Category: Request) Indicates the request’s scheme. Valid values are: http | https
server_ip (String): Edge Server IP Address. (Category: Network) Indicates the IP address for the edge server that processed the request.
server_port (Integer): Edge Server Port. (Category: Network) Indicates the port number on an edge server to which the client directed a request. Valid values are:
- 80: HTTP request
- 443: HTTPS request
status_code (Integer): Status Code. (Category: Response) Indicates the HTTP status code for the response generated by an origin server, an Origin Shield server, or an edge server.

Sample value: 200
status (String): Status Message. (Category: Response) Indicates the HTTP status message for the response generated by an origin server, an Origin Shield server, or an edge server.

Sample value: OK
timestamp (Decimal): Timestamp. (Category: Response) Indicates the Unix time, in seconds, at which an edge server delivered the requested content to the client.

Syntax: <SECONDS>.<MICROSECONDS>
total_time (Decimal): Total Time. (Category: Performance) Indicates the length of time, in seconds, that it took to send a response to the client. This metric measures the duration between when an edge server receives a request and when it finishes sending the response to the client.

This field does not take into account network time.

Syntax: <SECONDS>.<MICROSECONDS>
user_agent (String): User Agent. (Category: Request Header) Indicates the user agent that submitted the HTTP request to our CDN.
uuid (String): UUID. (Category: Request) Identifies the request using a unique identifier.

This field is our implementation of a unique identifier and it bears no relationship to a traditional universally unique identifier (UUID).
waf_audit_alert (Boolean): WAF Audit Alert. (Category: Response) Indicates whether this request violated a WAF rule set (e.g., access rule, custom rule, or managed rule) running in audit mode.
waf_prod_action (Boolean): WAF Production Action. (Category: Response) Indicates whether this request triggered a non-alert enforcement action for a WAF rule set (e.g., access rule, custom rule, or managed rule) running in production mode.

This log field excludes requests that trigger an alert.
waf_prod_alert (Boolean): WAF Production Alert. (Category: Response) Indicates whether this request triggered an alert for a WAF rule set (e.g., access rule, custom rule, or managed rule) running in production mode.
write_time (Decimal): Write Time. (Category: Performance) Indicates the length of time, in seconds, that it took an edge server to write the response. This metric measures the duration between when an edge server starts writing the response and when it finishes sending the response to the client.

Our servers forward data as it is read. This means that the read_time and write_time reported for an asset spans over an overlapping time period.

This field does not take into account network time.

Syntax: <SECONDS>.<MICROSECONDS>

Sample Log Data

Sample log data that contains two log entries is provided below for all four log formats.

JSON
{
	"agent_id": "1234500008619D55A",
	"seq_num": 0,
	"platform": "adn",
	"account_number": "0001",
	"datestamp": "20180416",
	"logs": [{
			"user_agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0",
			"rewritten_path": "/800001/marketing/Resources/Scripts/script.js",
			"timestamp": 1523916295.768957,
			"client_ip": "121.11.22.3",
			"client_ip_version": "INET",
			"client_port": 25773,
			"status": "OK",
			"cache_status": "TCP_HIT",
			"bytes_out": 65895,
			"write_time": 0.000707,
			"file_size": 65535,
			"server_ip": "155.155.123.210",
			"server_port": 80,
			"method": "GET",
			"host": "cdn.mydomain.com",
			"query": "",
			"auth_user": "",
			"read_time": 0.000000,
			"bytes_in": 812,
			"referer": "http://cdn.mydomain.com/default.htm",
			"path": "/Resources/Scripts/script.js",
			"status_code": 200
		}, {
			"user_agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0",
			"rewritten_path": "/800001/marketing/skins/Images/print-black-24-px.png",
			"timestamp": 1523916295.841614,
			"client_ip": "123.10.10.2",
			"client_ip_version": "INET",
			"client_port": 25773,
			"status": "OK",
			"cache_status": "TCP_HIT",
			"bytes_out": 563,
			"write_time": 0.000213,
			"file_size": 262,
			"server_ip": "156.15.122.134",
			"server_port": 80,
			"method": "GET",
			"host": "cdn.mydomain.com",
			"query": "",
			"auth_user": "",
			"read_time": 0.000000,
			"bytes_in": 866,
			"referer": "http://cdn.mydomain.com/skins/styles/styles.css",
			"path": "/skins/Images/print-black-24-px.png",
			"status_code": 200
		}
	]
}

JSON_Array
[{
		"user_agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0",
		"rewritten_path": "/800001/marketing/Resources/Scripts/script.js",
		"timestamp": 1523916295.768957,
		"client_ip": "121.11.22.3",
		"client_ip_version": "INET",
		"client_port": 25773,
		"status": "OK",
		"cache_status": "TCP_HIT",
		"bytes_out": 65895,
		"write_time": 0.000707,
		"file_size": 65535,
		"server_ip": "155.155.123.210",
		"server_port": 80,
		"method": "GET",
		"host": "cdn.mydomain.com",
		"query": "",
		"auth_user": "",
		"read_time": 0.000000,
		"bytes_in": 812,
		"referer": "http://cdn.mydomain.com/default.htm",
		"path": "/Resources/Scripts/script.js",
		"status_code": 200
	}, {
		"user_agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0",
		"rewritten_path": "/800001/marketing/skins/Images/print-black-24-px.png",
		"timestamp": 1523916295.841614,
		"client_ip": "123.10.10.2",
		"client_ip_version": "INET",
		"client_port": 25773,
		"status": "OK",
		"cache_status": "TCP_HIT",
		"bytes_out": 563,
		"write_time": 0.000213,
		"file_size": 262,
		"server_ip": "156.15.122.134",
		"server_port": 80,
		"method": "GET",
		"host": "cdn.mydomain.com",
		"query": "",
		"auth_user": "",
		"read_time": 0.000000,
		"bytes_in": 866,
		"referer": "http://cdn.mydomain.com/skins/styles/styles.css",
		"path": "/skins/Images/print-black-24-px.png",
		"status_code": 200
	}
]

1{"user_agent": "Mozilla/5.0 (Windows NT ...}
2{"user_agent": "Mozilla/5.0 (Windows NT ...}

CSV
user_agent,rewritten_path,timestamp,...,status_code
"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0","/800001/marketing/Resources/Scripts/script.js",1523916295.768957,..,200
"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0","/800001/marketing/skins/Images/print-black-24-px.png",1523916295.841614,...,200

Top-Level Name/Value Pairs #

logs Array #

Sample Log Data #

Top-Level Name/Value Pairs

logs Array

Sample Log Data