Access Logs Reference
Objective
This guide presents reference information on the access request log fields for requests made to your Distributed Cloud HTTP load balancers, as displayed on the dashboards.
The referer header is sanitized during decoding. Multiple URLs, invalid relative URLs containing a fragment component, and valid absolute URLs containing userinfo or a fragment component are removed.
Client details
The following table presents field descriptions for client information such as identification, geographic location, and more:
| Name | Type | Description | Values |
|---|---|---|---|
| user | string | User identifier as configured in User Identification Policy. If not configured, the system uses src_ip as a default user identifier. | For example: IP-212.150.5.74 |
| src_ip | string | The source IP of the client. | For example: 212.150.5.74 |
| asn | string | Autonomous system identifier, represented by both name and number. | For example: GOOGLE(15169) |
| as_org | string | Autonomous system name. | For example: GOOGLE |
| as_number | string | Autonomous system number. | For example: 15169 |
| country | string | Client's country ISO 3166-2 (two-letter) code. | For example: US |
| region | string | Client's region name. | |
| city | string | Client's city name. | For example: Paris |
| longitude | string | Client's geo-location longitude, measured in degrees east or west of the prime meridian at Greenwich, UK. | |
| latitude | string | Client's geo-location latitude, measured in degrees north or south of the equator. | |
| tls_fingerprint | string | JA3 TLS fingerprint facilitates the profiling of individual SSL/TLS clients over various destination IPs, ports, and X509 certificates. | For example: "e7d705a3286e19ea42f587b344ee6865" |
| ja4_tls_fingerprint | string | A more sophisticated variant of JA3, JA4 lowers the overall count of distinct fingerprints. | For example: "t13d1516h2_8daaf6152771_02713d6af862" |
Device details
The following table presents details of the device sending access requests:
| Name | Type | Description | Values |
|---|---|---|---|
| browser_type | string | Client's browser type. This information is taken from HTTP User-Agent header. Therefore, it is populated for HTTP traffic only. | For example: Chrome |
| device_type | string | Client's device type. This information is taken from HTTP User-Agent header. Therefore, it is populated for HTTP traffic only. | For example: iPhone |
Request details
The following table presents details of the various fields in the request being made:
| Name | Type | Description | Values |
|---|---|---|---|
| dst | string | The destination/origin server the request is going to. | If this is a vk8s service, the value is S: followed by the service name. For example: "S:frontend.arcadia-trading". For a DNS endpoint, the value is S: followed by the DNS name. For example: "S:prod.croix-rouge.fr". If the endpoint or origin server is a public IP, the value appears as "S:185.15.129.72". Note that for forward proxy/CONNECT proxy cases, dst is the two-level domain of the destination. For example: yahoo.com or google.com. |
| dst_instance | string | The specific destination instance the request is going to. | For a vk8s service, the value is the pod name. For example: "ingress-kong-757d459b79-nc7hd". This pod name is associated with the dst above. For a DNS endpoint, the value is the IP address of the endpoint. If the destination itself was configured as a static public IP, this field is set to STATIC. For proxy cases, the value is the country code of the destination IP (where the traffic is headed). |
| dst_site | string | The Site used to send the traffic to the endpoint/origin server. | In most cases the value is the same as the RE Site that receives the traffic (for example: "pa2-par"). It can also be a CE Site if the endpoint is discovered on the CE, or another RE if the endpoint discovered in that RE is used. |
| dst_port | string | Destination port on the origin server. | For example: 443 |
| duration_with_no_data_tx_delay | string | Like duration_with_data_tx_delay, except that the reference point is the moment the first byte is sent to the client. | first_downstream_tx_byte - first_upstream_tx_byte |
| duration_with_data_tx_delay | string | Time taken to process the request/response inside the Distributed Cloud load balancer (for example: WAF, API detection, service policy, Bot Defense, and more, if enabled) plus the time the upstream spent processing. | last_downstream_tx_byte - first_upstream_tx_byte |
| time_to_last_upstream_rx_byte | string | Time interval in seconds between the first downstream byte received and the last upstream byte received (as in, the time it takes to receive a complete response). | |
| time_to_first_upstream_rx_byte | string | Time interval in seconds between the first downstream byte received and the first upstream byte received (as in, the time it takes to start receiving a response). | |
| time_to_last_downstream_tx_byte | string | Time interval between the first downstream byte received and the last downstream byte sent. Depending on protocol, buffering, windowing, filters, and more, there may be a considerable delta between time_to_last_upstream_rx_byte and this field. Note also that this is an approximate time: in the current implementation it includes neither kernel socket buffer time nor send window buffering inside the HTTP/2 codec. Future work is likely to make this duration more accurate. | |
| time_to_first_downstream_tx_byte | string | Time interval between the first downstream byte received and the first downstream byte sent. There may be a considerable delta between time_to_first_upstream_rx_byte and this field due to filters. The same caveats apply as documented for time_to_last_downstream_tx_byte about not accounting for kernel socket buffer time, and more. | |
| total_duration_seconds | string | | |
| rtt_upstream_seconds | string | Round trip of connection to the upstream/origin server. | |
| rtt_downstream_seconds | string | Round trip of connection to downstream (client). | |
| src | string | The "source" of the service sending the request. | Case 1: service-to-service communication via Envoy (for example, a vk8s service). The value is the name of the service, for example: "S:lilac-edge-node-6.lilac-edge". Case 2: an mTLS source. The value is the first SAN in the client certificate. Case 3: neither of the above, that is, a request coming from a client via the public Internet. The value appears as N:public. |
| src_instance | string | Details of the instance that generated the traffic. | Case 1: service-to-service communication via Envoy (for example, a vk8s service). The value is an instance of the service, for example the pod name "recommendationservice-69cddc6ffb-m794d". Case 2: an mTLS source. The value is the subject name in the client certificate. Case 3: a request from a public client. The value is the country detected by geo lookup. |
| src_site | string | The F5 Site (RE or CE) that receives the request from the client. | This is the Site where client traffic arrives. For example: "dc12-ash". If the client is close to "dc12" and its traffic arrives at "dc12", it could also be a CE if the load balancer is exposed via the CE. |
| src_port | string | The source port of the client. | |
HTTP protocol details
The following table presents field reference specific to the protocol used to make the request:
| Name | Type | Description | Values |
|---|---|---|---|
| protocol | string | Valid HTTP protocol version. | HTTP 1.0/HTTP 1.1/HTTP 2. The value is PROTOCOL_UNSPECIFIED for non-HTTP requests. |
| scheme | string | Valid HTTP scheme. | HTTPS/HTTP. The value is empty for non-HTTP requests. |
| method | string | Valid HTTP method. | HEAD/GET/POST/OPTIONS and so on. The value is METHOD_UNSPECIFIED for non-HTTP requests. |
| authority | string | authority = [userinfo "@"] host [":" port] | For example: www.google.com |
| original_authority | string | | |
| domain | string | | |
| referer | string | Value of HTTP Referer header | |
| x_forwarded_for | string | Value of HTTP X-Forwarded-For header | |
| user_agent | string | Value of HTTP User-Agent header | |
| req_path | string | Request path. | |
| req_params | string | Query parameters. | |
| req_headers | string | Request and response headers are logged only when the app_type is present. These headers are sampled up to 50%. API Discovery/API Endpoint Discovery is one of the features that can automatically assign this label. | |
| rsp_code | string | Response code | Note: The value is 0 if the request is blocked. |
WAF details
| Name | Type | Description | Values |
|---|---|---|---|
| waf_action | string | The action recommended by the WAF engine. | Valid values: allow, block |
Bot Defense (bot_defense) details
| Name | Type | Description | Values |
|---|---|---|---|
| bot_defense_js_injection | bool | Indicates whether Shape JS is injected in the page or not. | |
| insight | string | Shape bot classification. | HUMAN, GOODBOT, MALICIOUS, UNAVAILABLE |
| recommendation | string | Shape Bot Defense recommended action. | Action_alert |
| automation_type | string | The reason why the client is detected as a bot. | Token Missing |
Service Policy (policy_hits) details
| Name | Type | Description | Values |
|---|---|---|---|
| policy_set | string | The name of the last executed service policy set. | |
| policy | string | The name of the last executed service policy. | |
| policy_namespace | string | The namespace of the last executed service policy. | |
| policy_rule | string | The name of the last executed service policy rule. | |
| policy_rule_description | string | Description of service policy rule as it appears in configuration. | |
| result | string | Service policy result. | Valid values: allow, deny, default_allow, default_deny |
| rate_limiter_action | string | Rate limiter result. | Valid values: fail, pass, none, or empty string |
| malicious_user_mitigation_action | string | Malicious user mitigation action, if the malicious user feature is configured. | Valid values: MUM_NONE, MUM_BLOCK_TEMPORARILY, MUM_JAVASCRIPT_CHALLENGE, MUM_CAPTCHA_CHALLENGE |
| ip_risk | string | IP risk as it appears in the IP reputation database. | Valid values: LOW_RISK, MEDIUM_RISK, HIGH_RISK |
| ip_trustscore | string | IP trust score between 0 and 100. 100 means high trust and low risk; 0 means low trust and high risk. | Numeric string value between 0 and 100. |
| ip_trustworthiness | string | Property describing IP trustworthiness (the opposite of risk). | Valid values: LOW, MEDIUM, HIGH |
| ip_threat_categories | string | All threat categories to which the IP belongs, as a CSV string. | |
| oas_request_properties | | | |
| oas_validation_action | | | |
Metadata details
| Name | Type | Description | Values |
|---|---|---|---|
| app_type | string | Application profile type name. | |
| cluster_name | string | F5DC cluster name to which request was routed. | For example: pa2-par-int-ves-io |
| has_sec_event | bool | Indicates whether security event is generated for this request. | |
| hostname | string | Hostname of machine which generated this log record. | For example: master-0 |
| messaged | string | Unique log type identifier. | For access log, the value always is dea91c9a-beed-4561-67af-ab4112426b1f. |
| namespace | string | A workspace within a tenant's space in which the virtual host was created. | |
| req_id | string | Unique request identifier. | |
| tenant | string | Organization or group of users sharing common access with specific privileges to Distributed Cloud resources. | |
| vh_name | string | Tenant's virtual host name. | |
| vh_type | string | Virtual host type. | Valid values: VIRTUAL_SERVICE HTTP_LOAD_BALANCER API_GATEWAY TCP_LOADBALANCER PROXY LOCAL_K8S_API_GATEWAY CDN_LOADBALANCER |
| timeseries_enabled | bool | Indicates that DDoS protection is enabled for this load balancer. | |
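As an added example (not code from the original page or from the product), the following Python triages access-log records using the field semantics documented above: the S:/N:public prefixes of src and dst, rsp_code 0 for blocked requests, waf_action, Bot Defense insight, ip_risk, the service policy result and the malicious user mitigation action. The records being JSON lines, and every sample value in them, are assumptions constructed for the example.

```python
import json
from collections import Counter
# Constructed sample records (not real Distributed Cloud output); field names follow this page.
SAMPLE_LOGS = [
    '{"req_id":"r1","src":"N:public","src_instance":"US","dst":"S:frontend.arcadia-trading",'
    '"rsp_code":"200","waf_action":"allow","insight":"HUMAN","ip_risk":"LOW_RISK","result":"allow"}',
    '{"req_id":"r2","src":"N:public","src_instance":"FR","dst":"S:frontend.arcadia-trading",'
    '"rsp_code":"0","waf_action":"block","insight":"HUMAN","ip_risk":"MEDIUM_RISK","result":"allow"}',
    '{"req_id":"r3","src":"S:lilac-edge-node-6.lilac-edge","src_instance":"recommendationservice-69cddc6ffb-m794d",'
    '"dst":"S:checkout.arcadia-trading","rsp_code":"204","waf_action":"allow","insight":"UNAVAILABLE","result":"allow"}',
    '{"req_id":"r4","src":"N:public","src_instance":"US","dst":"example.com","rsp_code":"0",'
    '"waf_action":"allow","insight":"MALICIOUS","ip_risk":"HIGH_RISK","result":"deny",'
    '"malicious_user_mitigation_action":"MUM_BLOCK_TEMPORARILY"}',
]

def parse_endpoint(value):
    """Split a src/dst value into (kind, name): "S:" marks a service (vk8s, DNS endpoint or
    static IP), "N:public" a public client; a bare hostname is the forward-proxy dst form."""
    if value.startswith("S:"):
        return ("service", value[2:])
    if value == "N:public":
        return ("public", "")
    return ("proxy_target", value)

def flag_reasons(rec):
    """Return the set of security-relevant conditions a record satisfies."""
    reasons = set()
    if rec.get("rsp_code") == "0":  # rsp_code is 0 when the request was blocked
        reasons.add("blocked")
    if rec.get("waf_action") == "block":
        reasons.add("waf_block")
    if rec.get("insight") == "MALICIOUS":
        reasons.add("malicious_bot")
    if rec.get("ip_risk") == "HIGH_RISK":
        reasons.add("high_risk_ip")
    if rec.get("result") in ("deny", "default_deny"):
        reasons.add("policy_deny")
    if rec.get("malicious_user_mitigation_action", "MUM_NONE") != "MUM_NONE":
        reasons.add("user_mitigated")
    return reasons

def triage(lines):
    """Parse JSON records, count each flag, and group flagged req_ids by destination."""
    counts, by_dst = Counter(), {}
    for rec in map(json.loads, lines):
        reasons = flag_reasons(rec)
        counts.update(reasons)
        if reasons:
            kind, name = parse_endpoint(rec["dst"])
            by_dst.setdefault(f"{kind}:{name}", []).append(rec["req_id"])
    return counts, by_dst
```

Service-to-service traffic (src beginning with S:) carries no bot or IP reputation verdicts in this sample, so it only surfaces when the WAF, service policy or rsp_code flags it.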