HTTP access log entry fields
HTTP access log entry fields
| Name | Type | Required | Release introduced | Standard NCSA log field |
Monitoring & Alerting fields AT: activity tracker <Other category>: |
Description |
|---|---|---|---|---|---|---|
| type | String | Yes | 3.9.0 | No | The access log entry type, which will always be "http" for entries of this type. Used for differentiation from other access log entry types such as "s3-multi-delete", "mirror", or "proxy". | |
| server_name | String | Yes | 3.1.0 | Yes |
AT: target.hostAdress, (except S3.EXPIRE.OBJECT), responseData.bucketLocation For S3 request, NA for COS resource configuration API, S3.EXPIRE.OBJECT For activity tracker logSourceCRN, location, or message location portion etc if the container_region is not available on 4xx errors. |
The host name of the server to which the request was sent. It is the value of the part
before ":" in the "Host" header value, if any, or the resolved server name, or the server IP
address. For requests using virtual-host style addressing, this field will have the bucket name in it followed by the endpoint name. When virtual-host style addressing isn't used, this field might just be the endpoint IP address, or DNS name. It can potentially be anything because the accesser doesn't care what the value is since it can get the bucket name from the URL. If the LB exists and the requests using a status check, this field will be the IP of the LB. |
| remote_address | String | Yes | 3.1.0 | Yes | Returns the Internet Protocol (IP) address of the client or last proxy that sent the request. | |
| forwarded_for | String | No | 3.1.0 | Yes | AT: initiator.host.address, target.address, and
responseData.targetAddress.type such as "public", "private", and "direct", i.e.
translate access log "service"→ private, transfer "and"→ direct, (when not from Bluemix) |
The
HTTP X-Forwarded-For header field value from the request. This is generally the
IP address of the originating client in cases where the request has been proxied. When the client
connection mode is set to the proxy connection, and the customer plans to use IP whitelisting
capability, the rightmost proxy IP address of the forward-for is regarded as the
client originating IP if the IP access control is enforced. In IBM Cloud, the field is the client IP, if the LB exists. If the LB doesn’t exist and there is no proxy, this field shouldn’t exist too. |
| forwarded | String | no | Returns the protocol which is used to make the request ("http" or "https") | |||
| user | String | No | 3.1.0 (deprecated in 3.4.1) | Yes | Returns the login of the user who is making this request, if the user is authenticated. | |
| remote_user | String | No | 3.4.1 (replaces deprecated field "user"). | Yes | AT:initiator.id Empty for public access, REST.OPTIONS.OBJECT or S3.EXPIRED.OJECT, malformed or missing credential |
Returns the login of the user making this request, if the user has been authenticated. This
can be any of the following depending on the authentication mechanism used: basic auth: user name S3 auth: S3 credential key ID. (HMAC access key) IAM auth: IAM username (IAM token). This is the same as cloud_iam.subject_ibm_id. keystone auth: user ID from keystone token This will be blank for anonymous requests. At the time of failure, this field reflects the best knowledge of user information that has been processed so far; if the user information is not available, the field will not be shown in the access log. |
| timestamp_start | long | Yes | 3.1.0 | No | AT:eventTime | The time stamp, in seconds since epoch, when the request was received. |
| timestamp_finish | long | Yes | 3.1.0 | No | The time stamp, in seconds since epoch, when response processing was completed. | |
| time_start | String | Yes | 3.1.0 | Yes | A human-readable date string that is associated with timestampStart (ISO 8601). | |
| time_finish | String | Yes | 3.1.0 | No | A human-readable date string that is associated with timestampFinish (ISO 8601). | |
| request_method | String | Yes | 3.1.0 | Yes | AT:action | Returns the name of the HTTP method with which this request was made, for example, GET, POST, or PUT. |
| request_uri | String | Yes | 3.1.0 | Yes | The request URI | |
| protocol | String | Yes | 3.1.0 | Yes | Returns the name and version of the protocol the request uses in the form
protocol/majorVersion.minorVersion , for example, HTTP/1.1 . Moved into "https" field in ClevOS 3.14.2. |
|
| status | int | Yes | 3.1.0 | Yes | AT:reason.reasonCode | The status code that is returned in the response. |
| midstream_error | String | No | 3.1.0 | No | If a mid-stream error occurred during the processing of the HTTP response, this field shows the error that occurred. A mid-stream response error is defined as an error that occurs after initial HTTP response headers are sent. | |
| response_length | Long | Present for all primary access log entries. | 3.1.0 | Yes | The number of bytes actually written in response body. | |
| request_length | Long | No | 3.2.0 | No | For PUT or POST requests, the number of bytes read
from the request body. Note: For server-side copy requests, the request_length
indicates the number of bytes read from the copy source, even though no data is originating from the
client’s request body.
|
|
| referer | String | No | 3.1.0 | Yes | The referrer entry from the http log. | |
| user_agent | String | Yes | 3.1.0 | Yes | AT:initiator.host.agent | The user agent from the http log. |
| request_latency | Long | Yes | 3.1.0 | No | The time, in milliseconds, from when the request was received until request processing is complete. | |
| request_id | String | Yes | 3.1.0 | No | AT:responseData.request_id | The request ID, a unique identifier that is generated for each request to assist with event correlation in the debug log. |
| remote_request_id | String | No | 3.13.5 | No | The Cleversafe request ID on the remote machine, in case a proxy is configured for the vault or container, to be able to trace the request. | |
| request_type | String | No | 3.4.0 | No |
AT:dataEvent, action dataEvent: true/false, message, target.typeURI, For example, action as "cloud-object-storage.object-batch.delete, cloud-object-storage.object-acl.create,cloud-object-storage.bucket.create, and target.typeTypeURI as "cloud-object-storage/bucket/retention" |
A string that captures the S3 request type.
REST.<HTTP_method>.<resource_type>For example, in the Resource Configuration API, the CONTAINER_CONFIG in the primary access log entry represents the command itself. Activity Tracker note: refer to the request type section for covered REST.* types in the Activity tracker. In addition, S3.Expiry and BATCH.DELETE are also included in the Activity tracker. |
| interface_type | String | Yes | 3.1.0 | No |
AT:objectType in the action field for the resource-configuration API (S3 is not mentioned) serviceName.objectType.action For example: cloud-object-storage.resource-config.update and target.typeURI, for example, cloud-object-storage/resource/config |
The API used to make the request. It supports s3, service, internal, and
resource-configuration. Activity Tracker note: Activity tracking is only applied when this value is "S3" or "resource-config". |
| stat | BaseChannel InOutStat | No | 3.1.0 | No | A JSON element with more latency information. | |
| upload_id | String | No | 3.10.1 | No | AT:correlationId | Upload UUID for multipart upload operations. |
| object_length | Long | No | 3.1.0 | No | The size of the object that is associated with this request. For delete requests, it is the
size of the object before its deletion, which is equal to
previous_object_length. Note: For 3.1, object length is not provided for delete
operations.
|
|
| object_id | String | No | 3.1.0 | No | The object ID, included for all SOH API requests. | |
| version_name | String | No | 3.2.0 | No | The version ID that is associated with the version of the object created/read/deleted. | |
| version_transient | Boolean | No | 3.2.0 | No | Represents whether the indicated version is a "transient" (true) or "permanent" (false) version of an object. Permanent versions are created on write if versioning is "Enabled" on a particular vault. Transient versions are created when versioning is "Suspended" or off. Transient versions can be overwritten while the current retention mode is not set to "Enabled". | |
| delete_marker | Boolean | No | 3.2.0 | No | True if the corresponding version ID is a delete marker. | |
| selective_logging_enabled | Boolean | No | 3.5.1 | No | True if this request was selected for selective debug logging. Otherwise, this field is omitted. | |
| last_modified | String (ISO 8601) | No | 3.8.0 | No | The last time the content of this object was modified. If no overwrites are done, the value is equal to the object creation time. | |
| last_changed | String (ISO 8601) | No | 3.8.0 | No | The last time the attributes of this object were modified. If no attribute modification is done, the value is equal to the last_modified time. | |
| e_tag | String | No | An identifier for a specific version of resource. | |||
| content_embedded | Boolean | No | 3.15.4.3 | No | Indicates if an object has its content embedded in the content header. This field may be omitted when this question does not apply (e.g. non-object targeted API) or if it has not been determined yet (e.g. due to errors). | |
| x_trans_id | String | For Swift | 3.9.0 | No | Swift transaction ID header (similar to request-id). | |
| object_name | String | 3.8.2 | No | AT: target.name (manadatory for all object-level operation except Multi-Delete) | The object's name. | |
| error_code | String | For S3 | 3.8.2 | No | AT: reason.reasonType | For S3 API, if an error is encountered in
status, this field contains the English-language descriptive error code. |
| proxy_enabled | String | No | 3.8.2 | No | Will be true if proxy is enabled. | |
| proxy_source | String | No | 3.10.0 | No | The source vault that is specified in the proxy configuration. | |
| proxy_type | String | No | 3.10.0 | No | The protocol that is used for communication with the source vault. | |
| range | String | Ranged-read is performed. | 3.8.2 | No | The HTTP Range header, if a ranged read request was performed. | |
| vault_name | String | No container metadata. | 3.8.2 | No | The name of the vault that is associated with the request. | |
| previous_last_modified | String (ISO 8601) | No | 3.10.2 | No | Last time that the object content was modified before the current request. For example, if an object was created on March 5, 2016 at 10:01, the next content update to this object would create an access log entry with previous_last_modified set to March 5, 2016, 10:01. Null for non-overwrite operations. | |
| previous_object_length | Long | No | 3.10.2 | No | Object length before the current object length. That is, before the current requested operation. Null for non-overwrite operations. | |
| requested_location_constraint | String | For PUT BUCKET | 3.10.0 | No | The requested location constraint of a PUT BUCKET (vault or container) request; if none is specified, then an empty String. Appears in PUT BUCKET requests. | |
| storage_account_id | String | For StaaS | 3.9.0 | No | AT: responseData.serviceInstanceId | The Account ID of the owner of the container. In the case of a 409 (BucketAlreadyExists), it will return the Account ID associated to the context of the request. If this is using cloud IAM, then the supplied service instance is used. Otherwise, the account stored with the existing bucket is used. |
| storage_location_id | String | For StaaS | 3.9.0 | No | Storage Location ID | |
| storage_account_realm | String | for Staas | 3.11.0 | no | Storage Account Realm (will always be 00000000-0000-0000-0000-000000000002 for 3.9.0, thus not introduced in access log until 3.11.0) | |
| container_name | String | For StaaS, if container metadata exists. | 3.9.0 | No | AT: target.name | Container Name |
| container_id | UUID | For StaaS | 3.9.0 | No | Container UUID | |
| principals.identity | String | No | The field will be the storage_account_id plus the "realm”. | |||
| principals.aws | String | No | HMAC access key; blank if using IAM-style credentials or anonymous access. | |||
| container_creator_id | String | For StaaS (Present in container creation with impersonation) | 3.10.1 | No | ID of the manager local user that initiated container creation | |
| fanout_copy_count | Integer | For fanout writes | 3.7.2 | No | The number of copies that are requested in this fanout request. | |
| fanout_copy_index | Integer | For fanout reads | 3.7.2 | No | The zero-indexed fanout copy requested to be read. | |
| fanout_punch_index | Integer | For fanout individual deletes | 3.7.2 | No | The zero-indexed fanout copy requested to be deleted (punched). | |
| fanout_delete_all | Boolean | For fanout delete all. | 3.7.2 | No | Indicates request to delete all copies of fanout object. | |
| format | Integer | yes | 3.9.0 | No | The current version of the HTTP request log entry format | |
| headers | Map<String, List<String>> | No | 3.8.2 | No | Logs request headers if enabled via advance configuration. | |
| is_secure | boolean | yes | 3.10.2 | no | Indicates whether the request was made over a secure HTTPS connection | |
| cipher_suite | String | no (present if secure request) | 3.10.2 | no | If the request was secure, indicates the SSL cipher suite that was used; If not secure, this will be null. Moved into "https" field in 3.14.2. | |
| encryption_method | String | no (present if header is present and request is successful, or if the request is using key protect) | 3.10.2 | no | Returns the encryption method. | |
| key_crn_location | String | No, Only for container creation when it is Key Protect or HPCS enabled. | 3.14.8 | no | The location field of the Root Key CRN being used in container creation. | |
| container_region | String | No. Only for container creation. | 3.14.8 | no | AT: logSourceCRN, AT event routing, responseData.bucketLocation This field is not available for 4xx errors (or 5xx error), AT looks up server_name for location instead. |
The region string configured for the container being created. This applies to all operations. It will be logged for success and failure cases that can get to a point where we can acquire the container_region information (So some front end checks won't have this information). |
| bucket_protection | BucketRetentionLogObject | for PUT BUCKET_PROTECTION, GET BUCKET_PROTECTION, and bucket deletion | 3.12.0 | no | AT: responseData.bucketProtction on (status and permanent_retention_enabled) | Relevant information when an operation is performed using the retention configuration (protection) sub-resource. |
| object_protection | ObjectRetentionLogObject | for object upload with protection, PUT OBJECT_PROTECTION, GET OBJECT_PROTECTION, POST OBJECT_LEGAL_HOLD, GET OBJECT_LEGAL_HOLD, POST OBJECT_RETENTION_EXTENSION, object deletion, any operation that fails due to a 451 UNAVAILABLE FOR LEGAL REASONS | 3.12.0 | no | AT: responseData.objectProtection on (retention_period and legal_hold_count) | Relevant information when an operation is performed relating to object protection. |
| aspera | AsperaRequestInfo | for Aspera requests | 3.13.4 | no | Information corresponding to the Aspera request, specifically related to the retry attempts. | |
| sse_kms | SseKmsRequestInfo | for Key Protect requests | 3.12.1 | no | Information about the Key Protect request, specifically related to the latency of the HTTP request made to key protect. | |
| error_message | String | no | 3.12.1 | no | AT: message | This field is present when the “status” field gives insufficient information regarding the
partial or complete failure of an attempted operation, stemming from an internal or SDK error. The
error handling sections in design documentation detail the specific scenarios in which this field
should be populated. The activity tracker filters error_message by keywords to inform the user of the detail of a subset of errors, such as invalid client IP addresses, to inform the end-user of a potential security risk. |
| object_count | Integer | for POST OBJECT_MULTI_DELETE | 3.13.0 | no | The number of objects deleted in a multiple object deletion. | |
| object_lifecycle | ObjectLifecycle contains object transition and object expiration. object transition - cloud only object expiration - all modes |
for objects with a lifecycle policy | 3.13.3 | no | AT:action | Information related an object's lifecycle if a policy exists. This will contain a list of lifecycle_actions which are equivalent to the lifecycle rules associated with an object. This structure of information will appear when writing an object, overwriting an object's content, or restoring an object from the archived state. |
| expiration | ExpiryAction | Yes | A single object contains information about an object's expiration (i.e. to be deleted at
some future time) Note: Must be populated if object_lifecycle is
present.
|
|||
| notification_sent | Boolean | no | 3.14.0 | no | Set to true if the operation attempted to send a notification using the Notification Service. | |
| https | HttpsAccessLogInfo | for secure HTTP requests | 3.14.2 | no | Relevant information regarding an HTTPS request. Fields include: protocol: Returns the name and version of the protocol the request uses in the form protocol/majorVersion.minorVersion, for example, HTTP/1.1. cipher_suite: If the request was secure, indicates the SSL cipher suite that was used; If not secure, this will be null |
|
| ibm_client_originating_ip | String | no | 3.14.3 | no | AT:initiator.host.address, responseData.targetAddress.type as (as "webui") | This field represents the trusted client IP that an intermediary trusted IBM service passes to COS. This field applies to both S3 API and Resource Configuration API. It is an optional field which is required when a trusted-service is used for IP access control for a bucket. |
| auth_decisions_copy_source | AuthDecisions | no | 3.17.2 | no | (same format as auth_decisions) |
S3 API: Represents the opcode of the S3 action the client is attempting on a source. |
| object_lock_configuration | ObjectLockConfiguration |
Bucket-Level configuration for buckets enabled for Object Lock: Object Lock enablement and Object Lock default retention |
3.17.2 | no | Information related to the Object Lock configuration for a bucket including enablement, default retention and the last modified time of the configuration. | |
| object_lock_protection | ObjectLockProtection |
Object-Level protection for objects with Object Lock Protection: Object Lock legal hold and Object Lock retention |
3.17.2 | no | Information related to the Object Lock protection for an object including legal hold, last modified time for legal hold, retention and last modified time for retention | |
| resource_group_id | String | no | 3.14.11 | no | AT:resourceGroupId | The resource group id associated with the IBM account id |
| request_body | String | no | 3.15.5 | no | AT:requestData | Returns a JSON format element when a patch request is successful. The content of this element is depended on which following parameters are set in this patch request. The parameters include firewall, activity tracking, monitoring, notification, hard quota. |
| replication | Object | No | 3.20.0 | no | Contains replication-related information. Present on user-initiated requests that trigger replication(s) and replication requests that are initiated by background replication agent . | |
| trace_id | String | No | 3.20.0 | No | The W3C trace id associated with the request. |
The following code is an example of a Service API to config Container allowed_IP PATCH /b/<bucket.name> operation:
{
"server_name": "10.137.16.68",
"remote_address": "9.47.30.38",
"remote_user": "admin",
"timestamp_start": "1548093957416",
"timestamp_finish": "1548093957517",
"time_start": "21/Jan/2019:18:05:57 +0000",
"time_finish": "21/Jan/2019:18:05:57 +0000",
"request_method": "PATCH",
"request_uri": "/container/container-vault-fdffec2d-e9c6-4546-b2e9-601575ce7a40",
"protocol": "HTTP/1.1",
"status": 200,
"response_length": "589",
"user_agent": "JetEngine/1.0",
"request_latency": "101",
"request_id": "1591acac-e03d-4908-9573-6f7798c372b3",
"request_type": "REST.PATCH.CONTAINER",
"interface_type": "service",
"selective_logging_enabled": true,
"object_name": "/container/container-vault-fdffec2d-e9c6-4546-b2e9-601575ce7a40",
"storage_account_id": "container-user93d95e64-2607-43ee-91d5-a933019b145f",
"storage_location_id": "449984a3-05be-783d-011b-90a1558aad65",
"container_id": "b64984b4-6da7-494f-a836-8c0c43ab1132",
"is_secure": false,
"principals": {
"identity": "ad28f191-b2d7-724a-01cf-7722c2bba250@00000000-0000-0000-0000-000000000000",
"username": "admin@default"
},
"type": "http",
"format": 1
}
The following code is an example of a Service API to retrieve allowed_IP using GET /b/<bucket.name> operation:
{
"server_name": "10.137.16.68",
"remote_address": "9.47.30.38",
"remote_user": "admin",
"timestamp_start": "1548093955482",
"timestamp_finish": "1548093955487",
"time_start": "21/Jan/2019:18:05:55 +0000",
"time_finish": "21/Jan/2019:18:05:55 +0000",
"request_method": "GET",
"request_uri": "/container/container-vault-fdffec2d-e9c6-4546-b2e9-601575ce7a40",
"protocol": "HTTP/1.1",
"status": 200,
"response_length": "499",
"user_agent": "JetEngine/1.0",
"request_latency": "5",
"request_id": "c91b941f-950f-428a-8fba-54e285b1e9cc",
"request_type": "REST.GET.CONTAINER",
"interface_type": "service",
"selective_logging_enabled": true,
"object_name": "/container/container-vault-fdffec2d-e9c6-4546-b2e9-601575ce7a40",
"storage_account_id": "container-user93d95e64-2607-43ee-91d5-a933019b145f",
"storage_location_id": "449984a3-05be-783d-011b-90a1558aad65",
"container_id": "b64984b4-6da7-494f-a836-8c0c43ab1132",
"is_secure": false,
"principals": {
"identity": "ad28f191-b2d7-724a-01cf-7722c2bba250@00000000-0000-0000-0000-000000000000",
"username": "admin@default"
},
"type": "http",
"format": 1
}