After you enable the Anti-Bot log service for a protected domain name, you can write log query and analysis statements to retrieve detailed access and attack/defense log information for that domain name.

You can refer to the following common log query and analysis statements and adapt them to your business needs to retrieve the relevant log information for a domain name.

Note: Adjust the limit value in a query statement to return the number of records you need. For example, limit 10 returns 10 records. If no limit value is specified, the first 100 records are returned by default.

Query business access information for a domain name

  • Query inbound bandwidth traffic
    host:example.com | SELECT
    date_format(from_unixtime(__time__ - __time__ % 600), '%H:%i') as dt,
    round(sum(request_length)/1024.0/600, 2) as "流入流量(KB/s)",
    round(sum(if((block_action <> ''), request_length, 0))/1024.0/600, 2) as "攻击流量(KB/s)"
    group by __time__ - __time__ % 600 order by dt limit 10000
  • Query outbound bandwidth traffic
    host:example.com | SELECT
    date_format(from_unixtime(__time__ - __time__ % 600), '%H:%i') as dt,
    round(sum(body_bytes_sent)/1024.0/600, 2) as "流出流量(KB/s)",
    round(sum(if((block_action <> ''), body_bytes_sent, 0))/1024.0/600, 2) as "被攻击流量(KB/s)"
    group by __time__ - __time__ % 600 order by dt limit 10000
  • Query the peak QPS
    host:example.com | SELECT COUNT(*) as c, date_trunc('second', __time__) as s GROUP by s order by c desc limit 1
  • Query the number of requests per minute in the last 10 minutes (sorted by time in descending order)
    host:example.com | SELECT COUNT(*) as c, date_trunc('minute', __time__) as minute GROUP by minute order by minute desc limit 10
  • Query the top 10 client IP addresses
    host:example.com | SELECT real_client_ip, COUNT(*) as c group by real_client_ip order by c desc limit 10
  • Query the top 10 requested URLs
    host:example.com | SELECT request_path, COUNT(*) as c group by request_path order by c desc limit 10
  • Query HTTP status codes
    Note: Watching for abnormal status codes lets you confirm whether the service is operating normally.
    host:example.com | SELECT status, upstream_status, COUNT(*) as c GROUP by status, upstream_status order by c desc limit 10

Query security protection information for a domain name

  • Query the top 10 client IP addresses that accessed a specified URL or API path
    Note: During an attack, the IP addresses of malicious clients usually rank near the top.
    host:example.com and request_path:/login.php | SELECT real_client_ip, COUNT(*) as c group by real_client_ip order by c desc limit 10
  • Query the URLs accessed by a specified IP address
    Note: During an HTTP flood (CC) attack, the attacked URLs or API paths are usually concentrated on a few addresses.
    host:example.com and real_client_ip:1.2.3.4 | SELECT request_path, COUNT(*) as c group by request_path order by c desc limit 10
  • Query the Anti-Bot protection policy IDs hit by requests from a specified client IP address
    host:example.com and real_client_ip:1.2.3.4 | SELECT antibot, antibot_rule, COUNT(*) as c GROUP by antibot, antibot_rule order by c desc limit 10
  • Query the hits of a specified Anti-Bot protection policy ID
    Note: Based on the query result, you can further observe the actual effect and hit rate of the protection policy.
    host:example.com and antibot_rule:1234 | SELECT real_client_ip, COUNT(*) as c GROUP by real_client_ip order by c desc limit 10
  • Query the signature verification results of the Anti-Bot enhanced protection SDK
    host:taobao.com | SELECT wxbb_invalid_wua, COUNT(*) as c GROUP by wxbb_invalid_wua order by c desc limit 10
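The following statement is an added example, not one of the product's documented queries. It combines the per-bucket technique of the bandwidth queries with the block_action field of the security queries to show, minute by minute, how much traffic to one endpoint was blocked and how many distinct client IPs were involved; example.com and /login.php are the same placeholder values used above, and count(distinct ...) is assumed to be supported by the log service's SQL engine.

```sql
-- Per-minute request volume, blocked share and distinct client count for one endpoint.
-- Same bucketing as the bandwidth queries, with a 60-second window instead of 600.
host:example.com and request_path:/login.php | SELECT
  date_format(from_unixtime(__time__ - __time__ % 60), '%H:%i') as minute,
  COUNT(*) as total,
  sum(if((block_action <> ''), 1, 0)) as blocked,
  round(sum(if((block_action <> ''), 1, 0)) * 100.0 / COUNT(*), 2) as "blocked_ratio(%)",
  count(distinct real_client_ip) as clients
group by __time__ - __time__ % 60
order by minute
limit 10000
```

A minute whose total jumps while clients stays flat points to a few sources hammering the endpoint; a high blocked_ratio together with a normal total suggests the policy is catching the flood without affecting legitimate traffic.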