Select Service
Access Logs Reference
Published April 5, 2023 | Last modified December 5, 2024
Objective
This guide presents reference information on the various fields of the logs of access requests made to your HTTPs load balancers, displayed on the dashboards.
The referer header will be sanitized during decoding. Multiple URLs, invalid relative URLs containing a fragment component, and valid absolute URLs containing userinfo or a fragment component will be removed.
Client Details
The following table presents field descriptions for client information such as identification, geographic location, etc.
| Name | Type | Description | Values |
|---|---|---|---|
| user | string | User identifier as configured in User Identification Policy. If not configured, the system uses src_ip as a default user identifier. | For example: IP-212.150.5.74 |
| src_ip | string | The source IP of the client. | For example: 212.150.5.74 |
| asn | string | Autonomous system identifier represented by both name and number. More about autonomous systems: https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For example: GOOGLE(15169) |
| as_org | string | Autonomous system name. https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For example: GOOGLE |
| as_number | string | Autonomous system number. https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For example: 15169 |
| country | string | Client's country ISO 3166-2 (two-letter) code. https://en.wikipedia.org/wiki/ISO_3166-2 | For example: US |
| region | string | Client's region name. | |
| city | string | Client's city name. | For example: Paris |
| longitude | string | Client's geo location longitude. Longitude is a vertical line that measures east or west of the meridian in Greenwich, UK. | |
| latitude | string | Client's geo location latitude. Latitude is a horizontal line that measures the distance north or south of the equator. | |
| tls_fingerprint | string | JA3 TLS fingerprint facilitates the profiling of individual SSL/TLS clients over various destination IPs, ports, and X509 certificates. | e7d705a3286e19ea42f587b344ee6865 |
| ja4_tls_fingerprint | string | A more sophisticated variant of JA3, JA4 lowers the overall count of distinct fingerprints. | t13d1516h2_8daaf6152771_02713d6af862 |
Device Details
The following table presents details of the device sending access requests:
| Name | Type | Description | Values |
|---|---|---|---|
| browser_type | string | Client's browser type. This information is taken from HTTP User-Agent header therefore it’s populated for HTTP traffic only. | For example: Chrome |
| device_type | string | Client's device type. This information is taken from HTTP User-Agent header therefore it’s populated for HTTP traffic only. | For example: iPhone |
Request Details
The following table presents details of the various fields in the request being made:
| Name | Type | Description | Values |
|---|---|---|---|
| dst | string | The detail of the destination/origin server where the request is going to. | If this is a vk8s service, then the value will be S:, For example: S:frontend.arcadia-trading For something like a DNS endpoint, the value will be S:, For example: S:prod.croix-rouge.fr if endpoint or origin server is public ip, the value will appear like this: S:185.15.129.72 Note: for FWD PROXY/Connect Proxy cases, the dst will be 2 level URL of the destination for eg something like yahoo.com or google.com |
| dst_instance | string | Detail of the specific destination instance where requests are going to. | For vk8s service, the value will be Pod name. For example: ingress-kong-757d459b79-nc7hd This pod name is associated with the dst above. If this is DNS endpoint, the value will be IP address of the endpoint. If destination itself was configured to be a public ip (static) then this field will be set to STATIC. For Proxy cases, the value will be Country code of the destination IP (where traffic is headed to) |
| dst_site | string | Site which is used to send the traffic to the endpoint / origin server | In most cases the value will be the same as RE Site (for example: pa2-par), which got the traffic. But it can be a CE Site, if the endpoint is discovered in CE. Or another RE, if the endpoint discovered in that RE is used. |
| dst_port | Destination port on the origin server. | For example: 443 | |
| duration_with_no_data_tx_delay | string | first_downstream_tx_byte - first_upstream_tx_byte | Like duration_with_data_tx_delay, except that reference is taken from the moment first byte is sent to client. |
| duration_with_data_tx_delay | string | last_downstream_tx_byte - first_upstream_tx_byte | Indicates how much "time" it took to process the request/response inside XC LB. (like eg WAF, API detection, service policy, Bot detection, etc if enabled) + time upstream spent to process. |
| time_to_last_upstream_rx_byte | string | Time interval in seconds between the first downstream byte received and the last upstream byte received (i.e. time it takes to receive a complete response). | |
| time_to_first_upstream_rx_byte | string | Time interval in seconds between the first downstream byte received and the first upstream byte received (i.e. time it takes to start receiving a response). | |
| time_to_last_downstream_tx_byte | string | Time interval between the first downstream byte received and the last downstream byte sent. Depending on protocol, buffering, windowing, filters, etc. there may be a considerable delta between time_to_last_upstream_rx_byte and this field. Note also that this is an approximate time. In the current implementation it does not include kernel socket buffer time. In the current implementation it also does not include send window buffering inside the HTTP/2 codec. In the future it is likely that work will be done to make this duration more accurate. | |
| time_to_first_downstream_tx_byte | string | Time interval between the first downstream byte received and the first downstream byte sent. There may be a considerable delta between the time_to_first_upstream_rx_byte and this field due to filters. Additionally, the same caveats apply as documented in time_to_last_downstream_tx_byte about not accounting for kernel socket buffer time, etc. | |
| total_duration_seconds | string | ||
| rtt_upstream_seconds | string | Round trip of connection to the upstream/origin server. | |
| rtt_downstream_seconds | string | Round trip of connection to downstream (client). | |
| src | string | The “source” of the service which is sending the request. | Case 1. If this is a service-to-service communication happening via envoy (like v8s service etc) this value will be the name of the service. For example: S:lilac-edge-node-6.lilac-edge Case 2. If this is mTLS src then the value will be the first SAN in the client certificate Case3. If not Case1/2, Its a request coming from a client via public internet etc, then the value will appear as: N:public |
| src_instance | string | Details of the instance which generated the traffic. | Case 1. If this is service-to-service communication happening via envoy (like v8s service etc). The value will be an instance of the service (for eg pod name like in recommendationservice-69cddc6ffb-m794d) Case2. If this is mTLS src_instance, the value will be the Subject Name in the client certificate. Case3. If this is request from a public client, then the value will be the country detected by geo lookup |
| src_site | string | This is the F5DC site (RE or CE etc) which receives the request from the client. | This is the site where client traffic is hitting. For example: dc12-ash If the client is close to dc12 and traffic from client is coming to dc12. It could be also CE, if the LB is exposed via CE, |
| src_port | string | This is the src port of the client. |
HTTP Protocol Details
The following table presents field reference specific to the protocol using which request is made:
| Name | Type | Description | Values |
|---|---|---|---|
| protocol | string | Valid HTTP protocol version. | HTTP10/HTTP11/HTTP2 The value will be PROTOCOL_UNSPECIFIED for non-http requests. |
| scheme | string | Valid HTTP scheme. | https/http The value will be empty for non-http requests. |
| method | string | Valid HTTP method. | HEAD/GET/POST/OPTIONS… The value will be METHOD_UNSPECIFIED for non-http requests. |
| authority | string | authority = [userinfo "@"] host [":" port] | For example: www.google.com |
| original_authority | string | ||
| domain | string | ||
| referer | string | Value of HTTP Referer header | |
| x_forwarded_for | string | Value of HTTP X-Forwarded-For header | |
| user_agent | string | Value of HTTP User-Agent header | |
| req_path | string | Request path. | |
| req_params | string | Query parameters. | |
| req_headers | string | Request headers. The system logs request headers only if API discovery is enabled and sample it up to 25%. | |
| rsp_code | string | Response code | Note: the value will be 0 if request is blocked. |
Response Details
The following table presents field reference for the response sent:
| Name | Type | Description | Values |
|---|---|---|---|
| protocol | string | Valid HTTP protocol version. | HTTP1.0/HTTP1.1/HTTP2 The value will be PROTOCOL_UNSPECIFIED for non-http requests. |
| scheme | string | Valid HTTP scheme. | https/http The value will be empty for non-http requests. |
| method | string | Valid HTTP method. | HEAD/GET/POST/OPTIONS… The value will be METHOD_UNSPECIFIED for non-http requests. |
| authority | string | authority = [userinfo "@"] host [":" port] | For example: www.google.com |
| original_authority | string | ||
| domain | string | ||
| referer | string | Value of HTTP Referer header | |
| x_forwarded_for | string | Value of HTTP X-Forwarded-For header | |
| user_agent | string | Value of HTTP User-Agent header | |
| req_path | string | Request path. | |
| req_params | string | Query parameters. | |
| req_headers | string | Request headers. The system logs request headers only if API discovery is enabled and sample it up to 25%. |
WAF Details
| Name | Type | Description | Values |
|---|---|---|---|
| waf_action | string | The action which has been recommended by WAF Engine. | Valid values: allow block |
Bot Defense (bot_defense) Details
| Name | Type | Description | Values |
|---|---|---|---|
| bot_defense_js_injection | bool | Indicates whether Shape JS is injected in the page or not. | |
| insight | string | Shape bot classification. | HUMAN, GOODBOT, MALICIOUS, UNAVAILABLE |
| recommendation | string | Shape Bot Defense recommended action. | Action_alert |
| automation_type | string | The reason why client is detected as a bot. | Token Missing |
Service Policy (policy_hits) Details
| Name | Type | Description | Values |
|---|---|---|---|
| policy_set | string | The name of the last executed service policy set. | |
| policy | string | The name of the last executed service policy. | |
| policy_namespace | string | The namespace of the last executed service policy. | |
| policy_rule | string | The name of the last executed service policy rule. | |
| policy_rule_description | string | Description of service policy rule as it appears in configuration. | |
| result | string | Service policy result. | Valid values: allow deny default_allow default_deny |
| rate_limiter_action | string | Rate limiter result. | Valid values: fail pass none or empty string |
| malicious_user_mitigation_action | string | Malicious user mitigation action if malicious user feature is configured. | Valid values: MUM_NONE MUM_BLOCK_TEMPORARILY MUM_JAVASCRIPT_CHALLENGE MUM_CAPTCHA_CHALLENGE |
| ip_risk | string | IP risk as it appears in IP reputation database | Valid values: LOW_RISK MEDIUM_RISK HIGH_RISK |
| ip_trustscore | string | The score between 0 and 100. Represents IP trust. 100 means high trust low risk, 0 means low trust high risk. | Numeric string value between 0 and 100. |
| ip_trustworthiness | string | Property describing IP trustworthiness (the opposite of risk). | Valid values: LOW MEDIUM HIGH |
| ip_threat_categories | string | Lists all threat categories as CSV string to which that IP belongs to. | |
| oas_request_properties | |||
| oas_validation_action |
Metadata Details
| Name | Type | Description | Values |
|---|---|---|---|
| app_type | string | Application profile type name. | |
| cluster_name | string | F5DC cluster name to which request was routed. | For example: pa2-par-int-ves-io |
| has_sec_event | bool | Indicates whether security event is generated for this request. | |
| hostname | string | Hostname of machine which generated this log record. | For example: master-0 |
| messaged | string | Unique log type identifier. | For access log the value always will be dea91c9a-beed-4561-67af-ab4112426b1f |
| namespace | string | A workspace within tenant's space in which the virtual host was created. | |
| req_id | string | Unique request identifier. | |
| tenant | string | Organization or group of users sharing common access with specific privileges to XC resources. | |
| vh_name | string | Tenant's virtual host name. | |
| vh_type | string | Virtual host type. | Valid values: VIRTUAL_SERVICE HTTP_LOAD_BALANCER API_GATEWAY TCP_LOADBALANCER PROXY LOCAL_K8S_API_GATEWAY CDN_LOADBALANCER |
| timeseries_enabled | bool | Indicates that DDoS protection is enabled for this LB. |