Data set parameters

Each stream type can collect different sets of data. A data set lets you define the format of the data received by your origin server, giving you the ability to selectively choose or ignore specific parameters from log data fields.

Raw logs data set

Raw logs data set parameters
Parameter Data element Description
Message exchange data Bytes The content bytes served in the response.
Client IP The IP address of the requesting client.
Forward hostname The hostname of the forward origin server where an edge server sends a request.
HTTP status code The HTTP response status returned to the client.
Http version The version of the HTTP protocol used for the transaction.
Protocol type The protocol of the monitored transaction, either HTTP or HTTPS.
Protocol version The version of the protocol. For example, 1.0 or 1.1.
Request host The value of the Host header of the request. It specifies the domain name of the server, and optionally the TCP port number on which the server is listening.
Request method The method of the request. For example: GET, POST, PUT, or HEAD.
Request path The path to a resource in the incoming URI. It doesn’t include query parameters.
Request port The port number for the service requested.
Response content length The value of the Content-Length header in the response. It indicates the size of the entity-body, in bytes, sent to the recipient.
Response content Type The value of the Content-Type header in the response. It informs about the type of returned content.
User-agent The value of the User-Agent header in the request. It lets the edge servers identify the application, operating system, vendor, and/or version of the requesting user agent.
Note: To monitor this parameter in your logs, you need to update your data stream's properties to include a Log Request Details behavior that logs the User-Agent header.
Query string The query string in the incoming URI from the client.
Request header data Accept-encoding The value of the Accept-Encoding header in the request. It informs which content encoding, usually a compression algorithm, the client is able to understand. For example, gzip or deflate.
Accept-language The value of the Accept-Language header in the request. It provides a list of acceptable human languages for response. For example, American English is en-US.
Authorization Provides credentials for HTTP authentication.
Cache-control The directives that must be obeyed by all caching mechanisms along the request-response chain.
Connection Specifies the control options for the current connection and lists the hop-by-hop request fields.
Request content-md5 An MD5 digest of the entity body. This digest allows for an end-to-end message integrity check (MIC) of the entity body.
Cookie Lists the HTTP cookie previously sent by the server in the Set-Cookie field.
Note: To monitor this parameter in your logs, you need to update your data stream's properties to include a Log Request Details behavior that logs the Cookie header.
DNT Requests a web application to disable tracking of an individual user. This is Mozilla's version of the X-Do-Not-Track header field; versions of Firefox, Safari, and IE9 support it.
Expect Indicates that the client requires particular server behaviors. A server that doesn't understand or is unable to comply with any of the values in this field responds with an appropriate error status, like 417 Expectation Failed error response code.
If-match Only performs an action if the client-supplied entity matches the same entity on the server. For example, when using a PUT method, a resource is only updated if it hasn't been modified since the user last updated it.
If-modified-since Allows a 304 Not Modified status to be returned if content is unchanged. This field is used to determine whether the item cached is older or newer.
If-none-match Returns a 304 Not Modified status if requested content is unchanged. It determines whether the item cached is identical to the requested one.
If-range Either sends the client any parts of the entity that are missing, or sends the client the full entity.
If-unmodified-since Only sends the response if the entity hasn't been modified since a specific time.
Range Requests a specific part of an entity by providing a single byte range or a set of byte ranges. Bytes are numbered from 0.
Referer The address of the resource from which the requested URI was followed.
Note: To monitor this parameter in your logs, you need to update your data stream's properties to include a Log Request Details behavior that logs the Referer header.
Request time Provides the time of the request.
TE The transfer encodings the user agent is willing to accept.
Upgrade Allows the client to specify what additional protocols it supports if the server needs to switch protocols.
Via Any proxies that processed the response.
X-forwarded-for The originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
X-requested-with Identifies Ajax requests.
Response header data Accept-ranges Whether the edge server supports partial requests.
Access-control-allow-origin Whether the response can be shared within the given origin.
Age The time in seconds that the object has been in cache.
Allow Lists the supported methods, like GET, PUT or POST.
Cache-control Specifies the caching rules for the response.
Connection Controls whether the network connection stays open once the current transaction finishes.
Content-disposition Indicates how the content is to be displayed, whether on a screen or as a file download.
Content-encoding Specifies which encodings were applied to the entity-body. It tells the recipient how to decode the body to obtain the media type referenced by the Content-Type header.
Content-language Lists the languages for the intended audiences.
Response content-md5 Checks the integrity of the message body.
Content-range Specifies where in a full body message a partial message belongs.
Date The date and time that the message originated.
ETag The version of a specific resource.
Expires The date and time the message expires.
Last-modified The date and time when the resource was last modified by the origin.
Link Links to a resource containing additional information.
P3P States the data that will be collected about requesting users.
Retry-after The length of time the user agent should wait before sending a follow-up request.
Server Information about the software that the origin server used to handle the request.
Set-cookie Allows cookies to be sent with the response.
Trailer Enables the use of metadata fields.
Transfer-encoding Enables the use of metadata fields.
Vary The headers used to determine whether to send the response to a subsequent request without any additional validation.
Via The protocols used to send the response from the originating server to the requesting client.
Warning Provides information about transformations made to the message’s entity body.
Www-authenticate The authentication method that should be used to gain access to a resource. It is required for all 401 Unauthorized response messages.
X-powered-by The type of technology the web application uses.
Network performance data Asnum Autonomous systems number for the client request.
Client rtt The round trip time (RTT) in milliseconds from when a request goes from a client to an edge server and back again to the starting point.
Download time The time in milliseconds from when the edge server first accepts the request to when it sends the last byte, not when the client acknowledges receiving the last byte.
Download status The overall download status of an object represented by a series of four boolean values. It provides data in the following format:
<first_byte><last_byte><full_object><if_aborted>
where:
  • <first_byte> specifies whether the edge server returned the first byte of the object.
    • 1 indicates that the server returned the first byte.
    • 0 indicates that it didn’t.
  • <last_byte> specifies whether the edge server returned the last byte of the object.
    • 1 indicates that the server returned the last byte.
    • 0 indicates that it didn’t.
  • <full_object> specifies if the edge server returned the full requested object.
    • 1 indicates the edge server returned the requested object.
    • 0 indicates that it didn't.
    Note: Returning a full object may not always mean returning the first and last bytes of an object. When you request a range of bytes, returning a full object means returning the first and last bytes of the requested range.
  • <if_aborted> specifies whether the client aborted the transaction.
    • 1 indicates that the client aborted the transaction.
    • 0 indicates that they didn’t.

Example: 0000 indicates that the request was entirely served from the cache.

Edge IP The IP address of the edge server that served the response to the client. This is useful when resolving issues with your account representative.
Error code f29 If there is an error during forwarding requests from an edge server, a string indicating the problem is logged here.
Error code r14 If there is an error serving the request, a string indicating the problem is logged here.
Last byte The last byte of the object was served by this response. 0 would indicate part of a byte-range response.
Mid mile latency The time it takes the Akamai platform to process a request. Usually, it is the time for a complete request and response cycle, but these values could be separated.
Net origin latency The time in milliseconds from when the last byte of the request leaves the edge server that is closest to the data center to when this edge server receives the first byte of the response from the data center.

This value includes:

  • Time the origin takes to process the request before delivering the response
  • Network latency between an edge server and a data center

This value shouldn't include:

  • Time to establish the connection with the origin
    Note: If included, the origin connection time may or may not include the TCP and SSL/TLS establishment times or any possible failover and retry cycles that may have happened.
  • Network time or computing events that may have happened upstream in the Akamai transaction
Geo Area The area where the request originated.
City The city where the request originated.
Country The country where the request originated.
Latitude The latitude where the request originated.
Longitude The longitude where the request originated.
Region The region where the request originated. The region may be a state, province, or other large territory.
Zip The zip code the request was sent from.
Network data Bandwidth Specifies the bandwidth usage.
Network The network that originated the request.
Network type The type of network that originated the request. For example, cable.
Proxy The proxy or browser type. For example, transparent.
Throughput The average throughput.
Cache data Cacheable Indicates whether the object was cacheable.
  • 1 indicates that the server determined, based on response headers and metadata, that the object was cacheable.
  • 0 indicates that it wasn’t.
Cache Hierarchy Categorizes the bytes served to the client by the forward server type that sent them. It provides data in the following order:
<peer_server>/<parent_server>/<origin_server>/<NetStorage>/<Akamai_origin>
where:
  • <peer_server> are the bytes served by an in-region peer edge server.
  • <parent_server> are the bytes served by a parent edge server.
  • <origin_server> are the bytes served by the origin server.
  • <NetStorage> are the bytes served from NetStorage.
  • <Akamai_origin> are the bytes served by any edge server that a request was forwarded to.

Example: 5096/5096/0/0/0 indicates that the bytes of an object were served by an in-region peer server and a parent server.

Cache Hit Indicates whether the requested object was served entirely from the cache memory.
  • 1 indicates the edge server retrieved the entire object from the cache.
  • 0 indicates that the server had to fetch some bytes of the object.
Cache Stats Logs the bytes served entirely from the cache. It provides data in the following format:
<bytes_from_cache>/<total_bytes_to_client>
where:
  • <bytes_from_cache> are the bytes of the object or requested range served from the cache.
  • <total_bytes_to_client> are the bytes of the object or requested range sent to the client.
    Note: For regular objects, either none or all bytes of the object come from the cache.

Example: 2048/2048 indicates that 2048 of the bytes requested by the client have been sent.

Cache Status Specifies whether a request was a cache hit or a cache miss and indicates the server type that provided the object.
  • 0 indicates that the content was non-cacheable.
  • 1 indicates that the object was served from a child edge server.
  • 2 indicates that the object was served from an in-region peer edge server or a parent edge server.
  • 3 indicates that the object was served from the origin server.
  • 4 indicates that the response to the request had a status code other than 200, 203, 301, 302, or 410. It also indicates that the object was served from the cache.
Waf data Anom scr Anomaly scores for the triggered rules.
This is a comma-delimited list. For example, 1=1,2=15,3=0,4=0,5=0,6=0,7=0,8=0,9=16,10=0,11=16,12=:-958051-973307-973331,13=:-5-5-5,14=:XSS-ANOMALY
Note: This field's value is URL-encoded.
Deny actions The resulting actions of the deny rules triggered by the request as specified in the Deny rules field.
  • 3 indicates that the rule denied the request. See About rules in the Cloud Monitor Help.
This is a semicolon-delimited list. For example, 3;3;3;3;3
Note: This field's value is URL-encoded.
Deny data Additional information about the risk group that triggered the deny action.
Note: This field's value is URL and Base64-encoded to prevent control characters from impacting parsing.
Deny msg The messages reported by the deny rules triggered by the request.

This is a semicolon-delimited list. For example, Cross-site Scripting (XSS) Attack;HTTP Response Splitting Attack

Note: This field's value is URL-encoded.

See About rules in the Cloud Monitor Help.

Deny rules Identifiers of all deny rules triggered by the request.

This is a colon-delimited list. For example, 950004;950910;950002

See About rules in the Cloud Monitor Help.

Deny slrs The locations in the request that triggered each deny rule.

This is a semicolon-delimited list. For example, ARGS:v;REQUEST_HEADERS:My-Test-Header

P action The resulting action for a slow POST attack, either W for warn, or A for deny (abort).
Policy id The identifier of the firewall policy applied to the request.

See Security policies in the Cloud Security Help.

P rate The recorded rate in bytes per second of a slow POST attack. For example, 10.
Rule set The version of your rule set, either 1.6.1 or KRS 1.0. This document provides information about the KRS 1.0 data set.

See Protect against web application attacks in the Cloud Security Help.

Risk groups Risk groups whose rule thresholds have been triggered.

This is a colon-delimited list. For example, :SQL-INJECTION-ANOMALY:XSS-ANOMALY:INBOUND-ANOMALY

See KONA WAF rules.

Risk tuples Identifiers of the rules triggered within each risk group from the Risk groups field.

Within a colon-delimited risk group, multiple rules are hyphen-delimited. For example, :-950001-950901:-958001-958051:-950001-950901

Risk scores Risk scores of each triggered rule from the Risk tuples field.

Within a colon-delimited risk group, each rule’s score is hyphen-delimited. For example, :-5-5:-5-5:-5-

Waf version The version of a Web Application Firewall (WAF) data set. This is version 2.0.

See Update rule set in the Cloud Monitor Help.

Warn actions The resulting actions of the warn rules triggered by the request as specified in the Warn rules field.
  • 2 indicates that the rule logged an alert. See About rules in the Cloud Monitor Help.
This is a semicolon-delimited list. For example, 2;2;2;2;2
Note: This field's value is URL-encoded.
Warn data The user data of the triggered rules from the Warn rules field. User data is a specific string within a selector that triggered the rule.

This is a colon-delimited list. For example, .addimport;%0a

Note: This field's value is URL and Base64-encoded to prevent control characters from impacting parsing.

See About rules in the Cloud Monitor Help.

Warn msg The messages reported by the warn rules triggered by the request.

This is a semicolon-delimited list. For example: Cross-site Scripting (XSS) Attack;HTTP Response Splitting Attack

Note: This field's value is URL-encoded.

See About rules in the Cloud Monitor Help.

Warn rules Identifiers of the rules triggered by the request. This is a semicolon-delimited list. For example, 950004;950910;950002

See About rules in the Cloud Monitor Help.

Warn slrs The selectors of the triggered rules from the Warn rules field. A selector is the location of the request or response that triggered the rule, such as the name of an HTTP header.

This is a semicolon-delimited list. For example: ARGS:v;REQUEST_HEADERS:My-Test-Header

Warn tags The tags of the triggered rules from the Warn rules field. Tags are used for classification and categorization.

This is a semicolon-delimited list. For example, WEB_ATTACK/XSS;WEB_ATTACK/HTTP_RESPONSE_SPLITTING

See KONA WAF rules.
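
The WAF fields above are parallel lists, so they are only useful for triage once the values are URL-decoded and joined per rule. The following Python sketch is an added example, not code from this documentation or from Akamai: it joins the rules, actions, messages, and selectors per rule and aligns risk groups with their rule identifiers and scores. The record key names are hypothetical, and it assumes the rule lists are split on the semicolon shown in the page's examples after URL-decoding.

```python
from urllib.parse import unquote

# Action codes documented on this page: 2 = rule logged an alert, 3 = rule denied the request.
ACTIONS = {"2": "alert", "3": "deny"}

def split_list(value, sep=";"):
    """URL-decode a delimited WAF field and split it; an absent field gives []."""
    decoded = unquote(value or "")
    return decoded.split(sep) if decoded else []

def rule_hits(record, kind):
    """Join the parallel warn_* or deny_* lists into one dict per triggered rule."""
    cols = {n: split_list(record.get(f"{kind}_{n}")) for n in ("actions", "msg", "slrs")}
    hits = []
    for i, rule in enumerate(split_list(record.get(f"{kind}_rules"))):
        # A short or absent list stays None: never shift values onto the wrong rule.
        row = {n: (items[i] if i < len(items) else None) for n, items in cols.items()}
        hits.append({"rule": rule, "action": ACTIONS.get(row["actions"], "unknown"),
                     "msg": row["msg"], "selector": row["slrs"]})
    return hits

def risk_breakdown(record):
    """Map each risk group to [(rule_id, score)], checking positional alignment."""
    groups, tuples, scores = (
        [part for part in split_list(record.get(key), ":") if part]
        for key in ("risk_groups", "risk_tuples", "risk_scores"))
    if not len(groups) == len(tuples) == len(scores):
        raise ValueError("risk groups, tuples and scores differ in length")
    result = {}
    for group, ids, vals in zip(groups, tuples, scores):
        ids = [x for x in ids.split("-") if x]
        vals = [int(x) for x in vals.split("-") if x]
        if len(ids) != len(vals):
            raise ValueError(f"{group}: {len(ids)} rules but {len(vals)} scores")
        result[group] = list(zip(ids, vals))
    return result

# Constructed sample record: key names are hypothetical, values reuse this page's examples.
SAMPLE = {
    "warn_rules": "950004%3B950910", "warn_actions": "2%3B2",
    "warn_msg": "Cross-site%20Scripting%20%28XSS%29%20Attack"
                "%3BHTTP%20Response%20Splitting%20Attack",
    "warn_slrs": "ARGS:v;REQUEST_HEADERS:My-Test-Header",
    "deny_rules": "950002", "deny_actions": "3",  # deny_msg and deny_slrs left out on purpose
    "risk_groups": ":XSS-ANOMALY:INBOUND-ANOMALY",
    "risk_tuples": ":-958001-958051:-950001",
    "risk_scores": ":-5-5:-5",
}

if __name__ == "__main__":
    for kind in ("warn", "deny"):
        for hit in rule_hits(SAMPLE, kind):
            print(kind, hit)
    print(risk_breakdown(SAMPLE))
```

A record whose score list is shorter than its rule list raises ValueError instead of being silently paired, which keeps a truncated log line from attributing a score to the wrong rule.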

Aggregated metrics data set

Aggregated metrics data set parameters
Metric Description
Edge response time Specifies the latency observed for requests that results from:
  • a cache-hit at Akamai
  • a cache-miss at Akamai
  • a cache-hit at child or parent level
  • a cache-miss at child or parent level
  • non-cacheable requests
CDN offload Specifies the count of requests that were either a cache-hit or a cache-miss, as well as the offload rate over the period.
HTTP status code The count of requests that resulted in 2xx, 3xx, 4xx, and 5xx error codes.
Origin response time The time in milliseconds from when the last byte of the request leaves the edge server that is closest to the data center to when this edge server receives the first byte of the response from the data center.

This value includes:

  • Time the origin takes to process the request before delivering the response
  • Network latency between an edge server and a data center

This value shouldn't include:

  • Time to establish the connection with the origin
    Note: If included, the origin connection time may or may not include the TCP and SSL/TLS establishment times or any possible failover and retry cycles that may have happened.
  • Network time or computing events that may have happened upstream in the Akamai transaction
Traffic volumes Specifies the requests sent per second to edge and bytes per second received from edge.