Edgio

Log Fields (RTLD Bot)

Log data is reported as a JSON document. Log format determines whether log data identification information will be included and how the data is formatted. Each type of log format is described below.
  • JSON: This format includes:
    • Top-level name/value pairs that uniquely identify the set of log entries reported in the JSON document.
    • An object for each log entry associated with the current JSON document.
    View a sample log file.
  • JSON Array: This format generates a JSON document that contains an array of objects. Each object is a log entry associated with the current JSON document.
    View a sample log file.
  • JSON Lines: This format generates an invalid JSON document that contains an object on each line. Each object is a log entry associated with the current JSON document. This object is an exact match for an object contained by the Logs array.
    View a sample log file.
If log data uses either the JSON Array or JSON Lines log format, then it will not contain information that uniquely identifies a set of log data. If log data using one of these formats is delivered to a destination other than AWS S3, Azure Blob Storage, or Google Cloud Storage, then there is no way to check for gaps in sequence numbers when attempting to identify missing log data.
A log entry describes a HTTP/HTTPS request that was submitted to our CDN.

Top-Level Name/Value Pairs

Top-level name/value pairs are unavailable for the JSON Array and JSON Lines log formats. If you require this information, please choose the standard JSON log format.
Top-level name/value pairs are described below.
  • account_number (String): Customer AN. Identifies an environment by its legacy system-defined ID.
  • agent_id (String): Agent ID. Indicates the unique ID that identifies the Real-Time Log Delivery software agent that generated the log data.
  • datestamp (String): Date Stamp. Indicates the date on which the log data was generated.
    Syntax: YYYYMMDD
    Example: 20230412
  • logs (Array of objects): Log Data. Describes the log entries associated with the current JSON document. Each object contains a set of fields that describe the request/response for a single log entry.
  • profile_id (Integer): Profile ID. Identifies a RTLD profile by its system-defined ID.
  • seq_num (Integer): Sequence Number. Indicates the sequential number that identifies the order in which the log data was generated by the software agent identified by the agent_id field.
  • service (String): Service. This field always reports bot.

logs Array

The logs array contains an object for each log entry associated with the current JSON document. Each log entry describes a threat through the following fields:
  • account_number (String): Customer AN. (Category: General) Identifies an environment by its legacy system-defined ID.
  • action_type (String): Action Type. (Category: Event) Indicates the action that was triggered as a result of the violation. Valid values are:
    • ALERT: Indicates that an alert was generated in response to the rule violation.
    • BLOCK_REQUEST: Indicates that the request that violated a rule was blocked.
    • REDIRECT_302: Indicates that the request that violated a rule was redirected to a URL defined by your security policy.
    • CUSTOM_RESPONSE: Indicates that a custom response was returned to the client that submitted a request that violated a rule.
  • bot_manager_id (String): Bot Manager ID. (Category: General) Indicates the system-defined ID of the Bot Manager configuration that the request violated.
  • bot_manager_name (String): Bot Manager Name. (Category: General) Indicates the name of the Bot Manager configuration that the request violated.
  • bot_rule_config_id (String): Bot Rule ID. (Category: General) Indicates the system-defined ID of the bot rule that the request violated.
  • bot_rule_config_name (String): Bot Rule Name. (Category: General) Indicates the name of the bot rule that the request violated.
  • bot_score (Integer): Bot Score. (Category: Event) Indicates the request’s bot score. This score indicates our level of confidence that the request originated from a bot.
  • captcha_error_msg (String): CAPTCHA Error Msg. (Category: Event) Indicates the reCAPTCHA error message.
  • captcha_score (Decimal): CAPTCHA Score. (Category: Event) Indicates the request’s reCAPTCHA score. Returns 0.000000 if reCAPTCHA was not applied to the request.
  • captcha_status (String): CAPTCHA Status. (Category: Event) Indicates the result of a reCAPTCHA event. Valid values are:
    • STATUS_NONE: Indicates that reCAPTCHA was not applied to the request.
    • ISSUED_NO_GOOGLE_TOKEN: Indicates either a new browser session or that Google reCAPTCHA did not issue a token.
    • FAILED_RESULT_BOT: Indicates that the request failed Google reCAPTCHA.
    • FAILED_RESULT_ERROR: Indicates that an error occurred during the Google reCAPTCHA.
    • ECTOKEN_CORRUPTED: Indicates that a reCAPTCHA was served due to an invalid token. This status is typically reported when a user agent submits a request that includes a token that our service cannot decrypt.
    • ECTOKEN_IP_MISMATCH: Indicates that a reCAPTCHA was served due to an invalid token. This status is typically reported when a token is shared or the user’s IP address is modified after the initial token was generated.
    • ECTOKEN_UA_MISMATCH: Indicates that a reCAPTCHA was served due to an invalid token. This status is typically reported when a token is shared with another user agent (e.g., web browser) within the same machine.
    • ECTOKEN_EXPIRED: Indicates that a reCAPTCHA was served due to an expired token. This status is typically reported when a user agent (e.g., web browser) submits a request after the expiration of the previously solved reCAPTCHA.
  • challenge_status (String): Challenge Status. (Category: Event) Indicates the result of a browser challenge. Valid values are:
    • NONE: Indicates that a browser challenge was not issued.
    • IP_MISMATCH: Indicates that a browser challenge was served due to an invalid token. This status is typically reported when a token is shared or the user’s IP address is modified after the initial token was generated.
    • NO_TOKEN: Indicates that a browser challenge was served for a new session.
    • TOKEN_CORRUPTED: Indicates that a browser challenge was served due to an invalid token. This status is typically reported when a user agent submits a request that includes a token that our service cannot decrypt.
    • TOKEN_EXPIRED: Indicates that a browser challenge was served due to an expired token. This status is typically reported when a user agent (e.g., web browser) submits a request after the expiration of the previously solved browser challenge.
    • UA_MISMATCH: Indicates that a browser challenge was served due to an invalid token. This status is typically reported when a token is shared with another user agent (e.g., web browser) within the same machine.
    • WRONG_ANSWER: Indicates that a browser challenge was served because the user was unable to solve the previous browser challenge. This status may also be reported when the user agent (e.g., web browser) submits a tampered token.
  • client_city (String): City Name. (Category: Client Geography) Indicates the city from which the request originated.
  • client_country_code (String): Country Code. (Category: Client Geography) Indicates the two-character ISO 3166-1 code for the country from which the request originated.
  • client_country (String): Country Name. (Category: Client Geography) Indicates the country from which the request originated.
  • client_ip (String): Client IP. (Category: Client Network) Indicates the IP address for the device that submitted the request to our CDN.
  • client_tls_ja3_md5 (String): IP Address. (Category: Request) Indicates the JA3 fingerprint assigned to the request.
  • host (String): Host. (Category: Request Header) Indicates the Host header value sent in the client’s request to the CDN.
  • matched_on (String): Matched On. (Category: Event) Indicates the variable that identifies where the violation was found.
  • matched_value (String): Matched Value. (Category: Event) Indicates the value of the variable defined in the matched_on field.
  • method (String): Request Method. (Category: Request) Indicates the request’s HTTP method (e.g., GET, HEAD, and POST).
  • referer (String): Referer. (Category: Request Header) Indicates the Referer header value sent in the client’s request to the CDN. This header reports the URL of the site from which the request originated.
  • rule_id (Integer): Rule ID. (Category: Event) Indicates the ID for the rule that the request violated.
  • rule_message (String): Rule Message. (Category: Event) Provides a description of the rule that the request violated.
  • sam_id (String): SAM ID. (Category: General) Indicates the system-defined ID of the Security App configuration that the request violated.
  • sam_name (String): SAM Name. (Category: General) Indicates the name of the Security App configuration that the request violated.
  • timestamp (Decimal): Epoch Time. (Category: Response) Indicates the Unix time, in seconds, at which an edge server delivered the requested content to the client.
    Syntax: <SECONDS>.<MICROSECONDS>
  • token_validity (Integer): Token Validity Duration. (Category: Event) Indicates the number of seconds that a client that solves a browser challenge or passes reCAPTCHA will be allowed to request content without having to encounter a new browser challenge or reCAPTCHA.
  • url (String): URL. (Category: Request) Indicates the URL that was requested.
  • user_agent (String): User Agent. (Category: Request Header) Indicates the user agent that submitted the HTTP request to our CDN.
  • uuid (String): Event ID. (Category: Request) Indicates the unique ID assigned to the event.

Sample Log Data

Sample log data that contains two log entries is provided below for all three log formats.
JSON
1{
2 "agent_id": "0DEE0000ECE5C764",
3 "seq_num": 1,
4 "platform": "bot",
5 "account_number": "0001",
6 "profile_id": 11359,
7 "datestamp": "20230804",
8 "logs": [{
9 "rule_id": 70001,
10 "rule_msg": "Known Bot: Explicit Known Bot Token",
11 "matched_on": "TX:bot_type",
12 "matched_value": "bingbot",
13 "client_city": "Boydton",
14 "client_country_code": "US",
15 "client_country": "United States",
16 "client_ip": "203.0.113.40",
17 "bot_score": 0,
18 "captcha_status": "STATUS_NONE",
19 "captcha_score": 0.000000,
20 "captcha_error_msg": "",
21 "token_validity": 0,
22 "challenge_status": "NONE",
23 "action_type": "ALERT",
24 "account_number": "0001",
25 "bot_manager_id": "1YJrUfZu",
26 "bot_manager_name": "Bot Manager Ver 1.1",
27 "bot_rule_config_id": "",
28 "bot_rule_config_name": "",
29 "sam_id": "mihehHPO",
30 "sam_name": "SA Policy V2",
31 "host": "docs.edg.io",
32 "referer": "",
33 "method": "GET",
34 "timestamp": 1691171341.3249193758,
35 "url": "https://docs.edg.io/applications/v6/sites_frameworks/getting_started/react",
36 "user_agent": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/103.0.5060.134 Safari/537.36",
37 "uuid": "92235942417369961984987122750567933450",
38 "client_tls_ja3_md5": "27f25487242c869a283ccc2989f8ee79"
39 }, {
40 "rule_id": 70001,
41 "rule_msg": "Known Bot: Explicit Known Bot Token",
42 "matched_on": "TX:bot_type",
43 "matched_value": "bingbot",
44 "client_city": "",
45 "client_country_code": "US",
46 "client_country": "United States",
47 "client_ip": "203.0.113.41",
48 "bot_score": 0,
49 "captcha_status": "STATUS_NONE",
50 "captcha_score": 0.000000,
51 "captcha_error_msg": "",
52 "token_validity": 0,
53 "challenge_status": "NONE",
54 "action_type": "ALERT",
55 "account_number": "0001",
56 "bot_manager_id": "1YJrUfZu",
57 "bot_manager_name": "Bot Manager Ver 1.1",
58 "bot_rule_config_id": "",
59 "bot_rule_config_name": "",
60 "sam_id": "mihehHPO",
61 "sam_name": "SA Policy V2",
62 "host": "docs.edg.io",
63 "referer": "",
64 "method": "GET",
65 "timestamp": 1691171355.3249207817,
66 "url": "https://docs.edg.io/_next/static/chunks/pages/_error-effe22be6ff34abe.js",
67 "user_agent": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/103.0.5060.134 Safari/537.36",
68 "uuid": "643276692636218266817817063441997253530",
69 "client_tls_ja3_md5": "27f25487242c869a283ccc2989f8ee79"
70 }
71 ]
72}
JSON_Array
1[{
2 "rule_id": 70001,
3 "rule_msg": "Known Bot: Explicit Known Bot Token",
4 "matched_on": "TX:bot_type",
5 "matched_value": "bingbot",
6 "client_city": "Boydton",
7 "client_country_code": "US",
8 "client_country": "United States",
9 "client_ip": "203.0.113.40",
10 "bot_score": 0,
11 "captcha_status": "STATUS_NONE",
12 "captcha_score": 0.000000,
13 "captcha_error_msg": "",
14 "token_validity": 0,
15 "challenge_status": "NONE",
16 "action_type": "ALERT",
17 "account_number": "0001",
18 "bot_manager_id": "1YJrUfZu",
19 "bot_manager_name": "Bot Manager Ver 1.1",
20 "bot_rule_config_id": "",
21 "bot_rule_config_name": "",
22 "sam_id": "mihehHPO",
23 "sam_name": "SA Policy V2",
24 "host": "docs.edg.io",
25 "referer": "",
26 "method": "GET",
27 "timestamp": 1691171341.3249193758,
28 "url": "https://docs.edg.io/applications/v6/sites_frameworks/getting_started/react",
29 "user_agent": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/103.0.5060.134 Safari/537.36",
30 "uuid": "92235942417369961984987122750567933450",
31 "client_tls_ja3_md5": "27f25487242c869a283ccc2989f8ee79"
32 }, {
33 "rule_id": 70001,
34 "rule_msg": "Known Bot: Explicit Known Bot Token",
35 "matched_on": "TX:bot_type",
36 "matched_value": "bingbot",
37 "client_city": "",
38 "client_country_code": "US",
39 "client_country": "United States",
40 "client_ip": "203.0.113.41",
41 "bot_score": 0,
42 "captcha_status": "STATUS_NONE",
43 "captcha_score": 0.000000,
44 "captcha_error_msg": "",
45 "token_validity": 0,
46 "challenge_status": "NONE",
47 "action_type": "ALERT",
48 "account_number": "0001",
49 "bot_manager_id": "1YJrUfZu",
50 "bot_manager_name": "Bot Manager Ver 1.1",
51 "bot_rule_config_id": "",
52 "bot_rule_config_name": "",
53 "sam_id": "mihehHPO",
54 "sam_name": "SA Policy V2",
55 "host": "docs.edg.io",
56 "referer": "",
57 "method": "GET",
58 "timestamp": 1691171355.3249207817,
59 "url": "https://docs.edg.io/_next/static/chunks/pages/_error-effe22be6ff34abe.js",
60 "user_agent": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/103.0.5060.134 Safari/537.36",
61 "uuid": "643276692636218266817817063441997253530",
62 "client_tls_ja3_md5": "27f25487242c869a283ccc2989f8ee79"
63 }
64]
JSON_Lines
1{"rule_id": 70001,"rule_msg": "Known Bot: ...}
2{"rule_id": 70001,"rule_msg": "Known Bot: ...}