eCDN Logpush Log Field
Field descriptions are provided in the following sections.
The following descriptions detail the fields available for http_requests. For code samples, see eCDN Logpush.
| Field | Description | Type |
|---|---|---|
| BotDetectionIDs | List of IDs that correlate to the Bot Management Heuristic detections made on a request. | array[int] |
| BotScore | Bot Score. Scores below 30 are commonly associated with automated traffic. Available for Bot Management customers (please contact Salesforce account team to enable). | int |
| BotScoreSrc | Detection engine responsible for generating the Bot Score. Possible values are: Not Computed | Heuristics | Machine Learning | Behavioral Analysis | Verified Bot | JS Fingerprinting | Cloudflare Service. | string |
| BotTags | Type of bot traffic (if available). The list of potential values are: api | google | bing | googleAds | googleMedia | googleImageProxy | pinterest | newRelic | baidu | apple | yandex | array[string] |
| CacheCacheStatus | Cache status. Possible values are: unknown | miss | expired | updating | stale | hit | ignored | bypass | revalidated | dynamic | stream_hit | deferred HIT: Found in eCDN cache MISS: Not found in eCDN cache, served from origin NONE/UNKNOWN: Not eligible for caching due to Firewall rule blocking request, or redirect page rule. EXPIRED: Found in eCDN cache, but expired and served from origin STALE: Served from eCDN cache, but expired and unable to retrieve updated resource from origin BYPASS: Instructed by origin to bypass cache via Cache-Control header set to no-cache, private, or max-age=0 or when cookies are sent in the response header REVALIDATED: Served from eCDN cache, but stale and revalidated by If-Modified-Since or If-None-Match header UPDATING: Served from eCDN cache, expired, and being updated by origin. It's indicating for very popular cached resources at eCDN. DYNAMIC: Not eligible for caching and not explicitly instructed to cache, requested from origin web server. This can mean, for example that it was blocked by the firewall. | string |
| CacheReserveUsed | Cache Reserve was used to serve this request. | bool |
| CacheResponseBytes | Number of bytes returned by the cache. | int |
| ClientASN | Client AS number. | int |
| ClientCountry | 2-letter ISO-3166 country code of the client IP address. | string |
| ClientDeviceType | Client device type. | string |
| ClientIP | IP address of the client. | string |
| ClientIPClass | Client IP class. Possible values are: unknown | badHost | searchEngine | allowlist | monitoringService | noRecord | scan | tor. | string |
| ClientRequestBytes | Number of bytes in the client request. | int |
| ClientRequestHost | Host requested by the client. | string |
| ClientRequestMethod | HTTP method of client request. | string |
| ClientRequestPath | URI path requested by the client. | string |
| ClientRequestProtocol | HTTP protocol of client request. | string |
| ClientRequestReferer | HTTP request referrer. | string |
| ClientRequestScheme | The URL scheme requested by the visitor. | string |
| ClientRequestSource | Identifies requests as coming from an external source or another service within CDN provider. Refer to the list of potential values. unknown: Should never happen eyeball: A request from an end user. If you want to count requests made the CDN edge, the query should filter on requestSource=eyeball. purge: A request made by the purge system. alwaysOnline: A request made by CDN Always Online crawler. healthcheck: A request made by CDN Health Check system. edgeWorkerFetch: A fetch request made from an edge Worker. edgeWorkerCacheAPI: A cache API call made from an edge Worker. edgeWorkerKV: A KV call made from an edge Worker. orangeToOrange: A request that comes from another orange clouded zone. sslDetector: A request made by CDN SSL Detector system. earlyHintsCache: An Early Hint request. inBrowserChallenge: An end user request caused by a CDN security product (Challenges, JavaScript Detections). These requests never reach the origin. | string |
| ClientRequestURI | URI requested by the client. | string |
| ClientRequestUserAgent | User agent reported by the client. | string |
| ClientSSLCipher | Client SSL cipher. | string |
| ClientSSLProtocol | Client SSL (TLS) protocol. The value “none” means that SSL was not used. | string |
| ClientTCPRTTMs | The smoothed average of TCP round-trip time (SRTT). For the initial request on a connection, this is measured only during connection setup. For a subsequent request on the same connection, it is measured over the entire connection lifetime up until the time that request is received. | int |
| Cookies | String key-value pairs for Cookies. | object |
| EdgeCFConnectingO2O | True if the request looped through multiple zones on the eCDN. This is considered an orange to orange (o2o) request. | bool |
| EdgeColoCode | IATA airport code of data center that received the request. | string |
| EdgeColoID | eCDN edge colo id. | int |
| EdgeEndTimestamp | Timestamp at which the edge finished sending response to the client. | int or string |
| EdgePathingOp | Indicates what type of response was issued for this request (unknown = no specific action). | string |
| EdgePathingSrc | Details how the request was classified based on security checks (unknown = no specific classification). | string |
| EdgePathingStatus | Indicates what data was used to determine the handling of this request (unknown = no data). | string |
| EdgeRequestHost | Host header on the request from the edge to the origin. | string |
| EdgeResponseBodyBytes | Size of the HTTP response body returned to clients. | int |
| EdgeResponseBytes | Number of bytes returned by the edge to the client. | int |
| EdgeResponseCompressionRatio | Edge response compression ratio. | float |
| EdgeResponseContentType | Edge response Content-Type header value. | string |
| EdgeResponseStatus | HTTP status code returned by eCDN to the client. | int |
| EdgeServerIP | IP of the edge server making a request to the origin. Possible responses are string in IPv4 or IPv6 format, or empty string. Empty string means that there was no request made to the origin server. | string |
| EdgeStartTimestamp | Timestamp at which the edge received request from the client. | int or string |
| EdgeTimeToFirstByteMs | Total view of Time To First Byte as measured at eCDN. Starts after a TCP connection is established and ends when eCDN begins returning the first byte of a response to eyeballs. Includes TLS handshake time (for new connections) and origin response time. | int |
| SecurityActions | Array of actions the security products performed on this request. The individual security products associated with this action be found in SecuritySources and their respective rule Ids can be found in SecurityRuleIDs. The length of the array is the same as SecurityRuleIDs and SecuritySources. Possible actions are : unknown | allow | block | challenge | jschallenge | log | connectionClose | challengeSolved | challengeFailed | challengeBypassed | jschallengeSolved | jschallengeFailed | jschallengeBypassed | bypass | managedChallenge | managedChallengeSkipped | managedChallengeNonInteractiveSolved | managedChallengeInteractiveSolved | managedChallengeBypassed | rewrite | forceConnectionClose | skip | managedChallengeFailed. | array[string] |
| SecurityRuleIDs | Array of rule IDs of the security product that matched the request. The security product associated with the rule ID can be found in SecuritySources. The length of the array is the same as SecurityActions and SecuritySources. | array[string] |
| SecurityRuleID | Rule ID of the security rule that triggered a terminating action, if any. | string |
| SecuritySources | Array of security products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The rule IDs can be found in SecurityRuleIDs, and the actions can be found in SecurityActions. The length of the array is the same as SecurityRuleIDs and SecurityActions. Possible sources are : unknown | asn | country | ip | ipRange | securityLevel | zoneLockdown | waf | firewallRules | uaBlock | rateLimit | bic | hot | l7ddos | validation | botFight | apiShield | botManagement | dlp | firewallManaged | firewallCustom | apiShieldSchemaValidation | apiShieldTokenValidation. | |
| SecurityRuleDescription | Description of the security rule that triggered a terminating action, if any. | string |
| OriginRequestHeaderSendDurationMs | Time taken to send request headers to origin after establishing a connection. Note that this value is usually 0. | int |
| OriginResponseDurationMs | Upstream response time, measured from the first datacenter that receives a request. Includes time taken by Argo Smart Routing and Tiered Cache, plus time to connect and receive a response from origin servers. This field replaces OriginResponseTime. | int |
| OriginResponseHeaderReceiveDurationMs | Time taken for origin to return response headers after eCDN finishes sending request headers. | int |
| OriginResponseStatus | Status returned by the origin server. The value 0 means that there was no request made to the origin server and the response was served by eCDN. | int |
| OriginTCPHandshakeDurationMs | Time taken to complete TCP handshake with origin. This will be 0 if an origin connection is reused. | int |
| OriginTLSHandshakeDurationMs | Time taken to complete TLS handshake with origin. This will be 0 if an origin connection is reused. | int |
| ParentRayID | Ray ID of the parent request if this request was made using a Worker script. | string |
| RayID | ID of the request. | string |
| ZoneName | The human-readable name of the zone (e.g. ‘dev-example.cc-ecdn.net’). | string |
The following descriptions detail the fields available for firewall_events.
| Field | Description | Type |
|---|---|---|
| Action | The code of the first-class action the Firewall took on this request. Possible actions are : unknown | allow | block | challenge | jschallenge | log | connectionclose | challengesolved | challengefailed | challengebypassed | jschallengesolved | jschallengefailed | jschallengebypassed | bypass | managedchallenge | managedchallengeskipped | managedchallengenoninteractivesolved | managedchallengeinteractivesolved | managedchallengebypassed. | string |
| ClientASN | The ASN number of the visitor. | int |
| ClientASNDescription | The ASN of the visitor as string. | string |
| ClientCountry | Country from which request originated. | string |
| ClientIP | The visitor’s IP address (IPv4 or IPv6). | string |
| ClientIPClass | The classification of the visitor’s IP address, possible values are : unknown | badHost | searchEngine | allowlist | monitoringService | noRecord | scan | tor. | string |
| ClientRefererHost | The referer host. | string |
| ClientRefererPath | The referer path requested by visitor. | string |
| ClientRefererQuery | The referer query-string was requested by the visitor. | string |
| ClientRefererScheme | The referer URL scheme requested by the visitor. | string |
| ClientRequestHost | The HTTP hostname requested by the visitor. | string |
| ClientRequestMethod | The HTTP method used by the visitor. | string |
| ClientRequestPath | The path requested by visitor. | string |
| ClientRequestProtocol | The version of HTTP protocol requested by the visitor. | string |
| ClientRequestQuery | The query-string was requested by the visitor. | string |
| ClientRequestScheme | The URL scheme requested by the visitor. | string |
| ClientRequestUserAgent | Visitor’s user-agent string. | string |
| Description | The description of the rule triggered by this request. | string |
| Datetime | The date and time the event occurred at the edge. | int or string |
| EdgeColoCode | The airport code of the CDN datacenter that served this request. | string |
| EdgeResponseStatus | HTTP response status code returned to browser. | int |
| Kind | The kind of event, currently only possible values are: firewall. | string |
| MatchIndex | Rules match index in the chain. | int |
| Metadata | Additional product-specific information. Metadata is organized in key | object |
| OriginResponseStatus | HTTP origin response status code returned to browser. | int |
| OriginatorRayID | The RayID of the request that issued the challenge/jschallenge. | string |
| RayID | The RayID of the request. | string |
| RuleID | The security product-specific RuleID triggered by this request. | string |
| Source | The security product triggered by this request. Possible sources are : unknown | asn | country | ip | iprange | securitylevel | zonelockdown | waf | firewallrules | uablock | ratelimit | bic | hot | l7ddos | botfight | apishield | botmanagement | dlp | firewallmanaged | firewallcustom. | string |