Check out the new F5 Distributed Cloud Technical Knowledge Hub

Access Logs Reference

Objective
Client Details
Device Details
Request Details
HTTP Protocol Details
Response Details
WAF Details
Bot Defense (bot_defense) Details
Service Policy (policy_hits) Details
Metadata Details

Objective

This guide presents reference information on the various fields of the logs of access requests made to your HTTPs load balancers, displayed on the dashboards.

Client Details

The following table presents field descriptions for client information such as identification, geographic location, etc.

Name	Type	Description	Values
user	string	User identifier as configured in User Identification Policy. If not configured, the system uses src_ip as a default user identifier.	For example: IP-212.150.5.74
src_ip	string	The source IP of the client.	For example: 212.150.5.74
asn	string	Autonomous system identifier represented by both name and number. More about autonomous systems: https://en.wikipedia.org/wiki/Autonomous_system_(Internet)	For example: GOOGLE(15169)
as_org	string	Autonomous system name. https://en.wikipedia.org/wiki/Autonomous_system_(Internet)	For example: GOOGLE
as_number	string	Autonomous system number. https://en.wikipedia.org/wiki/Autonomous_system_(Internet)	For example: 15169
country	string	Client's country ISO 3166-2 (two-letter) code. https://en.wikipedia.org/wiki/ISO_3166-2	For example: US
region	string	Client's region name.
city	string	Client's city name.	For example: Paris
longitude	string	Client's geo location longitude. Longitude is a vertical line that measures east or west of the meridian in Greenwich, UK.
latitude	string	Client's geo location latitude. Latitude is a horizontal line that measures the distance north or south of the equator.

Device Details

The following table presents details of the device sending access requests:

Name	Type	Description	Values
browser_type	string	Client's browser type. This information is taken from HTTP User-Agent header therefore it’s populated for HTTP traffic only.	For example: Chrome
device_type	string	Client's device type. This information is taken from HTTP User-Agent header therefore it’s populated for HTTP traffic only.	For example: iPhone

Request Details

The following table presents details of the various fields in the request being made:

Name	Type	Description	Values
dst	string	The detail of the destination/origin server where the request is going to.	If this is a vk8s service, then the value will be S:, For example: S:frontend.arcadia-trading For something like a DNS endpoint, the value will be S:, For example: S:prod.croix-rouge.fr if endpoint or origin server is public ip, the value will appear like this: S:185.15.129.72 Note: for FWD PROXY/Connect Proxy cases, the dst will be 2 level URL of the destination for eg something like yahoo.com or google.com
dst_instance	string	Detail of the specific destination instance where requests are going to.	For vk8s service, the value will be Pod name. For example: ingress-kong-757d459b79-nc7hd This pod name is associated with the dst above. If this is DNS endpoint, the value will be IP address of the endpoint. If destination itself was configured to be a public ip (static) then this field will be set to STATIC. For Proxy cases, the value will be Country code of the destination IP (where traffic is headed to)
dst_site	string	Site which is used to send the traffic to the endpoint / origin server	In most cases the value will be the same as RE Site (for example: pa2-par), which got the traffic. But it can be a CE Site, if the endpoint is discovered in CE. Or another RE, if the endpoint discovered in that RE is used.
dst_port		Destination port on the origin server.	For example: 443
duration_with_no_data_tx_delay	string	first_downstream_tx_byte - first_upstream_tx_byte	Like duration_with_data_tx_delay, except that reference is taken from the moment first byte is sent to client.
duration_with_data_tx_delay	string	last_downstream_tx_byte - first_upstream_tx_byte	Indicates how much "time" it took to process the request/response inside XC LB. (like eg WAF, API detection, service policy, Bot detection, etc if enabled) + time upstream spent to process.
time_to_last_upstream_rx_byte	string	Time interval in seconds between the first downstream byte received and the last upstream byte received (i.e. time it takes to receive a complete response).
time_to_first_upstream_rx_byte	string	Time interval in seconds between the first downstream byte received and the first upstream byte received (i.e. time it takes to start receiving a response).
time_to_last_downstream_tx_byte	string	Time interval between the first downstream byte received and the last downstream byte sent. Depending on protocol, buffering, windowing, filters, etc. there may be a considerable delta between time_to_last_upstream_rx_byte and this field. Note also that this is an approximate time. In the current implementation it does not include kernel socket buffer time. In the current implementation it also does not include send window buffering inside the HTTP/2 codec. In the future it is likely that work will be done to make this duration more accurate.
time_to_first_downstream_tx_byte	string	Time interval between the first downstream byte received and the first downstream byte sent. There may be a considerable delta between the time_to_first_upstream_rx_byte and this field due to filters. Additionally, the same caveats apply as documented in time_to_last_downstream_tx_byte about not accounting for kernel socket buffer time, etc.
total_duration_seconds	string
rtt_upstream_seconds	string	Round trip of connection to the upstream/origin server.
rtt_downstream_seconds	string	Round trip of connection to downstream (client).
src	string	The “source” of the service which is sending the request.	Case 1. If this is a service-to-service communication happening via envoy (like v8s service etc) this value will be the name of the service. For example: S:lilac-edge-node-6.lilac-edge Case 2. If this is mTLS src then the value will be the first SAN in the client certificate Case3. If not Case1/2, Its a request coming from a client via public internet etc, then the value will appear as: N:public
src_instance	string	Details of the instance which generated the traffic.	Case 1. If this is service-to-service communication happening via envoy (like v8s service etc). The value will be an instance of the service (for eg pod name like in recommendationservice-69cddc6ffb-m794d) Case2. If this is mTLS src_instance, the value will be the Subject Name in the client certificate. Case3. If this is request from a public client, then the value will be the country detected by geo lookup
src_site	string	This is the F5DC site (RE or CE etc) which receives the request from the client.	This is the site where client traffic is hitting. For example: dc12-ash If the client is close to dc12 and traffic from client is coming to dc12. It could be also CE, if the LB is exposed via CE,
src_port	string	This is the src port of the client.

HTTP Protocol Details

The following table presents field reference specific to the protocol using which request is made:

Name	Type	Description	Values
protocol	string	Valid HTTP protocol version.	HTTP10/HTTP11/HTTP2 The value will be PROTOCOL_UNSPECIFIED for non-http requests.
scheme	string	Valid HTTP scheme.	https/http The value will be empty for non-http requests.
method	string	Valid HTTP method.	HEAD/GET/POST/OPTIONS… The value will be METHOD_UNSPECIFIED for non-http requests.
authority	string	authority = [userinfo "@"] host [":" port]	For example: www.google.com
original_authority	string
domain	string
referer	string	Value of HTTP Referer header
x_forwarded_for	string	Value of HTTP X-Forwarded-For header
user_agent	string	Value of HTTP User-Agent header
req_path	string	Request path.
req_params	string	Query parameters.
req_headers	string	Request headers. The system logs request headers only if API discovery is enabled and sample it up to 25%.
req_body	string	Request body. The system logs request headers only if API discovery is enabled and sample it up to 25%.

Response Details

The following table presents field reference for the response sent:

Name	Type	Description	Values
protocol	string	Valid HTTP protocol version.	HTTP1.0/HTTP1.1/HTTP2 The value will be PROTOCOL_UNSPECIFIED for non-http requests.
scheme	string	Valid HTTP scheme.	https/http The value will be empty for non-http requests.
method	string	Valid HTTP method.	HEAD/GET/POST/OPTIONS… The value will be METHOD_UNSPECIFIED for non-http requests.
authority	string	authority = [userinfo "@"] host [":" port]	For example: www.google.com
original_authority	string
domain	string
referer	string	Value of HTTP Referer header
x_forwarded_for	string	Value of HTTP X-Forwarded-For header
user_agent	string	Value of HTTP User-Agent header
req_path	string	Request path.
req_params	string	Query parameters.
req_headers	string	Request headers. The system logs request headers only if API discovery is enabled and sample it up to 25%.
req_body	string	Request body. The system logs request headers only if API discovery is enabled and sample it up to 25%.

WAF Details

Name	Type	Description	Values
waf_action	string	The action which has been recommended by WAF Engine.	Valid values: allow block

Bot Defense (bot_defense) Details

Name	Type	Description	Values
bot_defense_js_injection	bool	Indicates whether Shape JS is injected in the page or not.
insight	string	Shape bot classification.	HUMAN, GOODBOT, MALICIOUS, UNAVAILABLE
recommendation	string	Shape Bot Defense recommended action.	Action_alert
automation_type	string	The reason why client is detected as a bot.	Token Missing

Service Policy (policy_hits) Details

Name	Type	Description	Values
policy_set	string	The name of the last executed service policy set.
policy	string	The name of the last executed service policy.
policy_namespace	string	The namespace of the last executed service policy.
policy_rule	string	The name of the last executed service policy rule.
policy_rule_description	string	Description of service policy rule as it appears in configuration.
result	string	Service policy result.	Valid values: allow deny default_allow default_deny
rate_limiter_action	string	Rate limiter result.	Valid values: fail pass none or empty string
malicious_user_mitigation_action	string	Malicious user mitigation action if malicious user feature is configured.	Valid values: MUM_NONE MUM_BLOCK_TEMPORARILY MUM_JAVASCRIPT_CHALLENGE MUM_CAPTCHA_CHALLENGE
ip_risk	string	IP risk as it appears in IP reputation database	Valid values: LOW_RISK MEDIUM_RISK HIGH_RISK
ip_trustscore	string	The score between 0 and 100. Represents IP trust. 100 means high trust low risk, 0 means low trust high risk.	Numeric string value between 0 and 100.
ip_trustworthiness	string	Property describing IP trustworthiness (the opposite of risk).	Valid values: LOW MEDIUM HIGH
ip_threat_categories	string	Lists all threat categories as CSV string to which that IP belongs to.
oas_request_properties
oas_validation_action

Metadata Details

Name	Type	Description	Values
app_type	string	Application profile type name.
cluster_name	string	F5DC cluster name to which request was routed.	For example: pa2-par-int-ves-io
has_sec_event	bool	Indicates whether security event is generated for this request.
hostname	string	Hostname of machine which generated this log record.	For example: master-0
messaged	string	Unique log type identifier.	For access log the value always will be dea91c9a-beed-4561-67af-ab4112426b1f
namespace	string	A workspace within tenant's space in which the virtual host was created.
req_id	string	Unique request identifier.
tenant	string	Organization or group of users sharing common access with specific privileges to XC resources.
vh_name	string	Tenant's virtual host name.
vh_type	string	Virtual host type.	Valid values: VIRTUAL_SERVICE HTTP_LOAD_BALANCER API_GATEWAY TCP_LOADBALALNCER PROXY LOCAL_K8S_API_GATEWAY CDN_LOADBALALNCER
timeseries_enabled	bool	Indicates that DDoS protection is enabled for this LB.