Instant Logs is a lightweight, easy-to-use log service that requires no additional setup. With Instant Logs, you can view site access logs in real time on the ESA console, which helps you locate attacks, troubleshoot system failures, debug or test site network connections, and more.
Why use instant logs
Traditional Content Delivery Network (CDN) products often rely on offline logs to identify and resolve issues. However, offline logs have significant limitations in the following scenarios:
Cross-region fault diagnosis: When users report access issues in a specific region, traditional methods that rely on single-node or high-latency network-wide logs make it difficult to quickly find the root cause.
Verifying phased releases: When you roll out a new feature, you need to verify its effect on a small portion of traffic. Offline logs cannot quickly filter request records specific to the phased release.
Real-time attack analysis: To defend against new types of malicious attacks, you need to analyze network-wide request patterns in real time to create mitigation policies. The high latency of offline logs delays responses.
Real-time business monitoring: During promotional events, you need to monitor request volume in real time. Statistics with minute-level latency are not sufficient for making dynamic policy adjustments.
Verifying new service onboarding: When a new customer configures a site, log latency can prevent you from quickly confirming that the delivery path is correct, impacting onboarding efficiency.
The instant logs of ESA provide real-time log viewing capabilities. You can observe detailed information about access to your site in the console, similar to using the tail -f core command in Linux/Unix systems to track file content changes in real time.
Use instant logs to identify anomalies
Monitoring instant logs and using traffic filters helps you quickly locate abnormal attacks. Based on the detected attack characteristics, you can use the security analysis feature of ESA to quickly create corresponding WAF mitigation rules for abnormal requests and easily block the attacks.
Limits
A site can have only one active monitoring session at a time. Each session can last for a maximum of 60 minutes.
Instant logs can store a maximum of 40 records per session. Records are ordered chronologically, and new records overwrite the oldest ones.
Any of the following actions terminates your monitoring session. To resume monitoring, click Start Monitoring again.
The session terminates if you expand a log record, click Stop Monitoring, or click the
Export button. The historical log records remain on the Instant Logs page.Adding a filter, switching to another page (such as the Offline Logs page), or refreshing the current page terminates the session and clears all historical log records.
Start monitoring instant logs
In the ESA console, navigate to Websites. In the Website column, click the name of your target site.
In the left navigation pane, choose .
On the Instant Logs page, click Start Monitoring to begin collecting logs.
You can add a Traffic Filter to narrow the scope of the logs to help you identify anomalies.
After you stop monitoring, you can expand a log record to view detailed fields or click the
Export button on the right to download the data as a JSON file.
Instant log fields
Field | Type | Description |
BotTag | string | The traffic type of the client request. Examples:
|
ClientASN | string | The autonomous system number (ASN) derived from the client IP address. |
ClientCountryCode | string | The ISO 3166-1 alpha-2 country code derived from the client IP address. |
ClientIP | string | The client IP address that connected to the ESA node. |
ClientISP | string | The internet service provider (ISP) derived from the client IP address. |
ClientRegionCode | string | The ISO 3166-2 region code derived from the client IP address. |
ClientRequestBytes | int | The size of the client request, in bytes. |
ClientRequestHeaderRange | string | The value of the |
ClientRequestHost | string | The |
ClientRequestID | string | The unique ID of the client request. |
ClientRequestMethod | string | The |
ClientRequestPath | string | The path of the client request. |
ClientRequestProtocol | string | The protocol of the client request. |
ClientRequestQuery | string | Client request's |
ClientRequestReferer | string | The |
ClientRequestURI | string | The |
ClientRequestUserAgent | string | The |
ClientSrcPort | int | The source port used by the client to connect to the ESA node. |
ClientSSLCipher | string | The SSL cipher suite used by the client. |
ClientSSLProtocol | string | The SSL protocol version used by the client. A hyphen ( |
ClientXRequestedWith | string | The |
EdgeCacheStatus | string | The cache status of the client request. |
EdgeEndTimestamp | Timestamp ISO8601 | The timestamp when the ESA node finished sending the response to the client. Example: |
EdgeRequestHost | string | The |
EdgeResponseBodyBytes | int | The size of the response |
EdgeResponseBytes | int | The total size of the response that the ESA node returned to the client, in bytes. |
EdgeResponseCompressionAlgo | string | The compression algorithm of the response from the ESA node. |
EdgeResponseCompressionRatio | float | The compression ratio of the response from the ESA node. |
EdgeResponseContentType | string | The |
EdgeResponseStatusCode | int | The status code that the ESA node returned to the client. |
EdgeResponseTime | int | The total time, in milliseconds (ms), from when the ESA node receives a request until the client finishes receiving the response. |
EdgeServerID | string | The unique ID of the ESA node that the client accessed. |
EdgeServerIP | string | The IP address of the ESA node that the client accessed. |
EdgeStartTimestamp | Timestamp ISO8601 | The timestamp when the ESA node received the client request. Example: |
JA3Hash | string | The hash value of the client's JA3 fingerprint. |
JA4Hash | string | The hash value of the client's JA4 fingerprint. |
EdgeTimeToFirstByteMs | int | The time to first byte (TTFB) from the ESA node, measured in milliseconds (ms). This is the duration from when the ESA node receives a request to when it sends the first byte of the response. |
OriginDNSResponseTimeMs | int | The origin server's DNS resolution time, in milliseconds (ms). If a back-to-origin request is not made, the value is |
OriginIP | string | The IP address of the origin server accessed during the back-to-origin request. If a back-to-origin request is not made, the value is a hyphen ( |
OriginResponseDurationMs | int | The origin server's time to first byte (TTFB), in milliseconds (ms). If a back-to-origin request is not made, the value is |
OriginResponseHeaderRange | string | The value of the Range header in the origin server's response. If a back-to-origin request is not made, the value is a hyphen ( |
OriginResponseHTTPExpires | string | The value of the Expires header in the origin server's response. If a back-to-origin request is not made, the value is a hyphen ( |
OriginResponseHTTPLastModified | string | The value of the Last-Modified header in the origin server's response. If a back-to-origin request is not made, the value is a hyphen ( |
OriginResponseStatusCode | int | The status code of the response from the origin server. If a back-to-origin request is not made, the value is |
OriginSSLProtocol | string | The SSL protocol version used for the back-to-origin request. If a back-to-origin request is not made, the value is a hyphen ( |
OriginTCPHandshakeDurationMs | int | The time to complete the TCP handshake for the back-to-origin connection, in milliseconds (ms). If a back-to-origin request is not made, the value is |
OriginTLSHandshakeDurationMs | int | The time to complete the TLS handshake for the back-to-origin connection, in milliseconds (ms). If a back-to-origin request is not made, the value is |
SecAction | string | The final mitigation action taken for this request. |
SecActions | string | All mitigation actions taken for this request. |
SecRuleID | string | The ID of the final mitigation rule triggered for this request. |
SecRuleIDs | string | The IDs of all mitigation rules triggered for this request. |
SecSource | string | The security module that triggered the final mitigation action. |
SecSources | string | A list of all security modules that triggered mitigation actions for this request. |
SiteName | string | The name of the site. |
SmartRoutingStatus | string | Indicates whether smart routing was used. A value of |
TlsHash | string | The MD5 hash value that represents the client's SSL/TLS fingerprint. |
SampleInterval | float | The sampling rate for this log record. |
Feature availability by edition
Free | Basic | Standard | Advanced | Enterprise |