The Salesforce Developers website will undergo maintenance on May 29, 2024 from 3:00 a.m. UTC to 10:00 a.m. UTC. The maintenance process may affect the availability of our documentation. Please plan accordingly.

eCDN Logpush Log Field

The following descriptions detail the fields available for http_requests.

BotDetectionIDsList of IDs that correlate to the Bot Management Heuristic detections made on a request.array[int]
BotScoreBot Score. Scores below 30 are commonly associated with automated traffic. Available for Bot Management customers (please contact Salesforce account team to enable).int
BotScoreSrcDetection engine responsible for generating the Bot Score.
Possible values are: Not Computed | Heuristics | Machine Learning | Behavioral Analysis | Verified Bot | JS Fingerprinting | Cloudflare Service.
BotTagsType of bot traffic (if available).
The list of potential values are:
api | google | bing | googleAds | googleMedia | googleImageProxy | pinterest | newRelic | baidu | apple | yandex
CacheCacheStatusCache status.
Possible values are: unknown | miss | expired | updating | stale | hit | ignored | bypass | revalidated | dynamic | stream_hit | deferred

HIT: Found in eCDN cache
MISS: Not found in eCDN cache, served from origin
NONE/UNKNOWN: Not eligible for caching due to Firewall rule blocking request, or redirect page rule.
EXPIRED: Found in eCDN cache, but expired and served from origin
STALE: Served from eCDN cache, but expired and unable to retrieve updated resource from origin
BYPASS: Instructed by origin to bypass cache via Cache-Control header set to no-cache, private, or max-age=0 or when cookies are sent in the response header
REVALIDATED: Served from eCDN cache, but stale and revalidated by If-Modified-Since or If-None-Match header
UPDATING: Served from eCDN cache, expired, and being updated by origin. It's indicating for very popular cached resources at eCDN.
DYNAMIC: Not eligible for caching and not explicitly instructed to cache, requested from origin web server. This can mean, for example that it was blocked by the firewall.
CacheReserveUsedCache Reserve was used to serve this request.bool
CacheResponseBytesNumber of bytes returned by the
ClientASNClient AS
ClientCountry2-letter ISO-3166 country code of the client IP address.string
ClientDeviceTypeClient device type.string
ClientIPIP address of the client.string
ClientIPClassClient IP class.
Possible values are: unknown | badHost | searchEngine | allowlist | monitoringService | noRecord | scan | tor.
ClientRequestBytesNumber of bytes in the client
ClientRequestHostHost requested by the client.string
ClientRequestMethodHTTP method of client request.string
ClientRequestPathURI path requested by the client.string
ClientRequestProtocolHTTP protocol of client request.string
ClientRequestRefererHTTP request referrer.string
ClientRequestSchemeThe URL scheme requested by the visitor.string
ClientRequestSourceIdentifies requests as coming from an external source or another service within CDN provider.

Refer to the list of potential values.

unknown: Should never happen
eyeball: A request from an end user. If you want to count requests made the CDN edge, the query should filter on requestSource=eyeball.
purge: A request made by the purge system.
alwaysOnline: A request made by CDN Always Online crawler.
healthcheck: A request made by CDN Health Check system.
edgeWorkerFetch: A fetch request made from an edge Worker.
edgeWorkerCacheAPI: A cache API call made from an edge Worker.
edgeWorkerKV: A KV call made from an edge Worker.
orangeToOrange: A request that comes from another orange clouded zone.
sslDetector: A request made by CDN SSL Detector system.
earlyHintsCache: An Early Hint request.
inBrowserChallenge: An end user request caused by a CDN security product (Challenges, JavaScript Detections). These requests never reach the origin.
ClientRequestURIURI requested by the client.string
ClientRequestUserAgentUser agent reported by the client.string
ClientSSLCipherClient SSL cipher.string
ClientSSLProtocolClient SSL (TLS) protocol. The value “none” means that SSL was not used.string
ClientTCPRTTMsThe smoothed average of TCP round-trip time (SRTT). For the initial request on a connection, this is measured only during connection setup. For a subsequent request on the same connection, it is measured over the entire connection lifetime up until the time that request is
CookiesString key-value pairs for Cookies.object
EdgeCFConnectingO2OTrue if the request looped through multiple zones on the eCDN. This is considered an orange to orange (o2o) request.bool
EdgeColoCodeIATA airport code of data center that received the request.string
EdgeColoIDeCDN edge colo
EdgeEndTimestampTimestamp at which the edge finished sending response to the or string
EdgePathingOpIndicates what type of response was issued for this request (unknown = no specific action).string
EdgePathingSrcDetails how the request was classified based on security checks (unknown = no specific classification).string
EdgePathingStatusIndicates what data was used to determine the handling of this request (unknown = no data).string
EdgeRequestHostHost header on the request from the edge to the origin.string
EdgeResponseBodyBytesSize of the HTTP response body returned to
EdgeResponseBytesNumber of bytes returned by the edge to the
EdgeResponseCompressionRatioEdge response compression ratio.float
EdgeResponseContentTypeEdge response Content-Type header value.string
EdgeResponseStatusHTTP status code returned by eCDN to the
EdgeServerIPIP of the edge server making a request to the origin. Possible responses are string in IPv4 or IPv6 format, or empty string. Empty string means that there was no request made to the origin server.string
EdgeStartTimestampTimestamp at which the edge received request from the or string
EdgeTimeToFirstByteMsTotal view of Time To First Byte as measured at eCDN. Starts after a TCP connection is established and ends when eCDN begins returning the first byte of a response to eyeballs. Includes TLS handshake time (for new connections) and origin response
SecurityActionsArray of actions the security products performed on this request. The individual security products associated with this action be found in SecuritySources and their respective rule Ids can be found in SecurityRuleIDs. The length of the array is the same as SecurityRuleIDs and SecuritySources.
Possible actions are : unknown | allow | block | challenge | jschallenge | log | connectionClose | challengeSolved | challengeFailed | challengeBypassed | jschallengeSolved | jschallengeFailed | jschallengeBypassed | bypass | managedChallenge | managedChallengeSkipped | managedChallengeNonInteractiveSolved | managedChallengeInteractiveSolved | managedChallengeBypassed | rewrite | forceConnectionClose | skip | managedChallengeFailed.
SecurityRuleIDsArray of rule IDs of the security product that matched the request. The security product associated with the rule ID can be found in SecuritySources. The length of the array is the same as SecurityActions and SecuritySources.array[string]
SecurityRuleIDRule ID of the security rule that triggered a terminating action, if any.string
SecuritySourcesArray of security products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The rule IDs can be found in SecurityRuleIDs, and the actions can be found in SecurityActions. The length of the array is the same as SecurityRuleIDs and SecurityActions.
Possible sources are : unknown | asn | country | ip | ipRange | securityLevel | zoneLockdown | waf | firewallRules | uaBlock | rateLimit | bic | hot | l7ddos | validation | botFight | apiShield | botManagement | dlp | firewallManaged | firewallCustom | apiShieldSchemaValidation | apiShieldTokenValidation.
SecurityRuleDescriptionDescription of the security rule that triggered a terminating action, if any.string
OriginRequestHeaderSendDurationMsTime taken to send request headers to origin after establishing a connection. Note that this value is usually
OriginResponseDurationMsUpstream response time, measured from the first datacenter that receives a request. Includes time taken by Argo Smart Routing and Tiered Cache, plus time to connect and receive a response from origin servers. This field replaces
OriginResponseHeaderReceiveDurationMsTime taken for origin to return response headers after eCDN finishes sending request
OriginResponseStatusStatus returned by the origin server. The value 0 means that there was no request made to the origin server and the response was served by
OriginTCPHandshakeDurationMsTime taken to complete TCP handshake with origin. This will be 0 if an origin connection is
OriginTLSHandshakeDurationMsTime taken to complete TLS handshake with origin. This will be 0 if an origin connection is
ParentRayIDRay ID of the parent request if this request was made using a Worker script.string
RayIDID of the request.string
ZoneNameThe human-readable name of the zone (e.g. ‘’).string

The following descriptions detail the fields available for firewall_events.

ActionThe code of the first-class action the Firewall took on this request.
Possible actions are : unknown | allow | block | challenge | jschallenge | log | connectionclose | challengesolved | challengefailed | challengebypassed | jschallengesolved | jschallengefailed | jschallengebypassed | bypass | managedchallenge | managedchallengeskipped | managedchallengenoninteractivesolved | managedchallengeinteractivesolved | managedchallengebypassed.
ClientASNThe ASN number of the
ClientASNDescriptionThe ASN of the visitor as string.string
ClientCountryCountry from which request originated.string
ClientIPThe visitor’s IP address (IPv4 or IPv6).string
ClientIPClassThe classification of the visitor’s IP address, possible values are : unknown | badHost | searchEngine | allowlist | monitoringService | noRecord | scan | tor.string
ClientRefererHostThe referer host.string
ClientRefererPathThe referer path requested by visitor.string
ClientRefererQueryThe referer query-string was requested by the visitor.string
ClientRefererSchemeThe referer URL scheme requested by the visitor.string
ClientRequestHostThe HTTP hostname requested by the visitor.string
ClientRequestMethodThe HTTP method used by the visitor.string
ClientRequestPathThe path requested by visitor.string
ClientRequestProtocolThe version of HTTP protocol requested by the visitor.string
ClientRequestQueryThe query-string was requested by the visitor.string
ClientRequestSchemeThe URL scheme requested by the visitor.string
ClientRequestUserAgentVisitor’s user-agent string.string
DescriptionThe description of the rule triggered by this request.string
DatetimeThe date and time the event occurred at the or string
EdgeColoCodeThe airport code of the CDN datacenter that served this request.string
EdgeResponseStatusHTTP response status code returned to
KindThe kind of event, currently only possible values are: firewall.string
MatchIndexRules match index in the
MetadataAdditional product-specific information. Metadata is organized in key pairs. Key and Value formats can vary by the security product and can change over time.object
OriginResponseStatusHTTP origin response status code returned to
OriginatorRayIDThe RayID of the request that issued the challenge/jschallenge.string
RayIDThe RayID of the request.string
RuleIDThe security product-specific RuleID triggered by this request.string
SourceThe security product triggered by this request.
Possible sources are : unknown | asn | country | ip | iprange | securitylevel | zonelockdown | waf | firewallrules | uablock | ratelimit | bic | hot | l7ddos | botfight | apishield | botmanagement | dlp | firewallmanaged | firewallcustom.