Logs uploader

Logs uploader automatically exports CDN resource logs to configured storage destinations in near real time, providing continuous visibility into request activity and cache behavior. Exported logs contain information about user requests processed by cache servers, and by mid-tier cache servers when Origin shielding is enabled.

Logs uploader must first be enabled and set up in the Gcore Customer Portal on the Gcore CDN page, or by contacting the Gcore support.

Configuring Logs uploader

In the CDN menu, click Logs and select Logs uploader. Control which fields are exported, how frequently the logs are delivered, and which storage service they are sent to. Supported destinations include Gcore Object Storage, S3-compatible platforms, FTP and SFTP servers, and HTTP(S) endpoints. This flexibility helps you integrate CDN logs into existing observability, analytics, or compliance workflows while effectively managing data volume and processing requirements. The Logs uploader screen has three tabs:

Configurations — link policies and targets to deliver logs
Policies — set export rules and schedules
Targets — connect upload destinations

To add a configuration you must first have a policy and a target.

Configurations
Policies
Targets

Configurations Tab

Select the Configurations tab to view a table of configurations:

Configuration ID
Click the column header to sort the table by configuration IDs.
Configuration name
Click the column header to sort the table by configuration names.
Click a configuration name to edit the configuration.

Use the search box at the top of the table to filter configurations by name or ID.

Policy
Click a policy name to edit the linked policy.
Target
Click a target name to edit the linked target.
Status
Linked target status is displayed in the Status column. To re-run the authentication check, click (refresh) at the end of the status message.
More options
Click ⋯ (more options) in the last column to Edit, Disable, or Delete the configuration in that row.
Add configuration
Click Add configuration (top right) to create a new configuration.

Add configurations

Go to Logs uploader, select the Configurations tab, and click Add configuration.

Enable configuration switch appears at the top of the Add configuration window; to disable the configuration, toggle the switch to the left.

Select the resources for this configuration:

All Resources
Specific Resource(s)

For all resources, including newly created:

Enter a Name for the configuration.

Select a Policy to link from the drop-down list.
Select a Target to link from the drop-down list.
Click Add configuration again to finish and return to the Logs uploader. The new target appears in the table on the Configurations tab.

Configurations with correctly configured targets show Authentication complete in the Status column; to re-run the authentication check, click (refresh) at the end of the status message.

Edit configurations

Go to Logs uploader and select the Configurations tab.
Click the configuration name in the Configurations column, or click ⋯ (more options) at the end of that row and select Edit.

Enable configuration switch appears at the top of the Edit configuration window; to disable the configuration, toggle the switch to the left.

Select the resources for this configuration:

All Resources
Specific Resource(s)

For all resources, including newly created:

Edit configuration Name.

Select a Policy to link from the drop-down list.
Select a Target to link from the drop-down list.
Click Save changes (top right) to return to the Logs uploader.

Configurations with correctly configured targets show Authentication complete in the Status column; to re-run the authentication check, click (refresh) at the end of the status message.

Enable, disable, or delete configurations

Go to Logs uploader and select the Configurations tab.
In the row with the configuration name, click ⋯ (more options) in the last column and select Enable, Disable, or Delete.

A configuration can also be enabled or disabled using the Enable configuration switch in Edit configuration or Add configuration windows.

Policies tab

Select the Policies tab for a table of policies:

Policy ID
Click the column header to order the table by policy IDs.
Policy name
- Click the column header to order the table by policy names.
- Click a policy name to edit the policy.

Use the search box at the top of the table to filter policies by name or ID.

Configuration
Click a configuration name to edit the linked configuration.
Click Select configuration at the top of the table, then choose one or more linked Configurations from the drop-down list to filter the policies table. Use the search box at the top of this drop-down list to filter list results by Configuration name or ID.
More options
Click ⋯ (more options) in the last column to Edit or Delete the policy in that row.
Add policy
Click Add policy (top right) to create a new policy.

Add policies

Go to Logs uploader, select the Policies tab, and click Add policy.
Enter a Name for the policy.
Clear the Include empty logs checkbox to exclude empty logs.
Select Include logs from origin shielding to receive these logs.
This option is only available if Origin shielding is enabled for your account.
Use the multi-select picker to choose the Log fields to include:
- To remove a log field, click ✕ (close) on the chip with the field label. To remove all fields, click Clear at the bottom right of the picker field.
- To add a log field, click in the empty area of the picker field and select a log field to add from the drop-down list.
Enter one or more characters from the field label to filter the list.
To reorder fields, click Edit order at the bottom left to open the reorder panel, drag the ⋮⋮ handles to rearrange the fields in the list, and click Apply changes.
Change the Delimiter and the Separator, if needed.
Change or customize the log File name format template, if needed.
Change the logging Time interval, if needed.
Set the Log file size limit.
The Log file size limit applies before compression. The compressed file delivered to your endpoint may be up to 99% smaller.
Click Add policy again to finish and return to the Logs uploader. The new policy appears in the table on the Policies tab.

Edit policies

Go to Logs uploader and select the Policies tab.
Click the policy name in the Policy column, or click ⋯ (more options) at the end of that row and select Edit.
Edit policy Name.
Select the Include empty logs checkbox to receive empty logs.
Select Include logs from origin shielding to receive these logs.
This option is only available if Origin shielding is enabled for your account.
Use the multi-select picker to edit the Log fields to include:
- To remove a log field, click ✕ (close) on the chip with the field label. To remove all fields, click Clear at the bottom right of the picker field.
- To add a log field, click in the empty area of the picker field and select a log field to add from the drop-down list.
Enter one or more characters from the field label to filter the list.
To reorder fields, click Edit order at the bottom left to open the reorder panel, drag the ⋮⋮ handles to rearrange the fields in the list, and click Apply changes.

Edit the Delimiter and the Separtor.
Edit or customize the log File name format template.
Edit the logging Time interval.
Edit the Log file size limit.
The Log file size limit applies before compression. The compressed file delivered to your endpoint may be up to 99% smaller.
Click Save changes (top right) to return to the Policies tab.

Delete policies

Go to Logs uploader and select the Policies tab.
In the row with the policy name, click ⋯ (more options) in the last column and select Delete.

Targets tab

Select the Targets tab to view a table of targets:

Target ID
Click the column header to sort the table by target IDs.
Target name
- Click the column header to sort the table by target names.
- Click a target name to edit configuration or connection details.

Use the search box at the top of the table to filter targets by name or ID.

Configuration
- Click a configuration name to edit the linked configuration.
  Click Select configuration at the top of the table, then choose one or more linked Configurations from the drop-down list to filter the targets table. Use the search box at the top of this drop-down list to filter list results by Configuration name or ID.
Status
Target authentication status is displayed in the Status column. To re-run the authentication check, click (refresh) at the end of the status message.
More options
Click ⋯ (more options) in the last column to Edit or Delete the target in that row.
Add target
Click Add target (top right) to connect a new target.

Add targets

Go to Logs uploader, select the Targets tab, and click Add target.
Enter a Name for the target.
Select and configure a destination or delivery protocol and connection details for log export:

Gcore Object Storage

Select HTTP or HTTPS protocol and specify the Endpoint for the storage target.
Enter the Access key ID and the Secret Access Key.
Enter the storage region (location) and the name of an existing bucket.
Optionally, specify an existing folder within the bucket for receiving the logs.

Complete connection details are displayed when the storage is created.

Storage endpoint (hostname) and region (location) can be viewed and new keys generated by clicking ⋯ (more options) in the Actions column of the Object Storages table.

Click Add target again to finish configuration and return to the Logs uploader. The new target appears in the table on the Targets tab.

Correctly configured targets show Authentication complete in the Status column; to re-run the authentication check, click (refresh) at the end of the status message.

Edit targets

Go to Logs uploader and select the Targets tab.
Click the target name in the Target column, or click ⋯ (more options) at the end of that row and select Edit.

Target authentication status appears at the top of the Edit target window. To re-run the authentication check, click (refresh) next to the status message.

Edit target Name.
Select or configure the destination or delivery protocol and connection details for log export:

Gcore Object Storage

Select HTTP or HTTPS protocol and specify the Endpoint for the storage target.
Enter the Access key ID and the Secret Access Key.
Enter the storage region (location) and the name of an existing bucket.
Optionally, specify an existing folder within the bucket for receiving the logs.

Complete connection details are displayed when the storage is created.

Storage endpoint (hostname) and region (location) can be viewed and new keys generated by clicking ⋯ (more options) in the Actions column of the Object Storages table.

Click Save changes (top right) to return to the Logs uploader Targets tab.

Correctly configured targets show Authentication complete in the Status column; to re-run the authentication check, click (refresh) at the end of the status message.

Delete targets

Go to Logs uploader and select the Targets tab.
In the row with the target name, click ⋯ (more options) in the last column and select Delete.

Log schema and field definitions

Log format example

It’s OK if you find a field that’s not listed in the example. We occasionally add new fields to the end of the line. If some fields are added to logs, you’ll receive an email about the update.

"$remote_addr" "-" "$remote_user" "[$time_local]" "$request" "$status"  
"$body_bytes_sent" "$http_referer" "$http_user_agent" "$bytes_sent"  
"$edgename" "$scheme" "$host" "$request_time"  
"$upstream_response_time" "$request_length" "$http_range" "[$responding_node]"  
"$upstream_cache_status" "$upstream_response_length" "$upstream_addr"  
"$gcdn_api_client_id" "$gcdn_api_resource_id" "$uid_got" "$uid_set"  
"$geoip_country_code" "$geoip_city" "$shield_type" "$server_addr" "$server_port"  
"$upstream_status" "-" "$upstream_connect_time" "$upstream_header_time"  
"$shard_addr" "$geoip2_data_asnumber" "$connection" "$connection_requests"  
"$http_traceparent" "$http_x_forwarded_proto" "$gcdn_internal_status_code" "$ssl_cipher"  
"$ssl_session_id" "$ssl_session_reused" "$sent_http_content_type" "$tcpinfo_rtt" 
"$server_country_code" "$gcdn_tcpinfo_snd_cwnd" "$gcdn_tcpinfo_total_retrans" "$gcdn_rule_id" 

Log fields

The following table contains a complete list of available log fields. Fields formatted in italics relate to our internal CDN system, so you can ignore them.You can check other fields — they can be helpful for traffic analysis or statistics.

Field	Log value example	Description
`$remote_addr`	`0.0.0.0`	User’s IP address
`$remote_user` (internal system variable)	`-`	Username used in Basic authentication
`[$time_local]`	`[26/Apr/2019:09:47:40 +0000]`	Local time in Common Log Format
`$request`	`GET /ContentCommon/images/image.png HTTP/1.1`	HTTP method, requested file path, and HTTP version
`$status`	`200`	Response status code from a CDN server
`$body_bytes_sent`	`1514283`	Number of bytes sent to a user, excluding the response header size
`$http_referer`	`https://example.com/videos/10`	Referrer – a URL requested by a user
`$http_user_agent`	`Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 YaBrowser/16.10.0.2309 Safari/537.36`	User agent that was used to send a request (browser or other application)
`$bytes_sent`	`1514848`	Number of bytes sent to a user
`$edgename`	`[dh-up-gc18]`	CDN server that forwarded the requested file
`$scheme`	`https`	Protocol (HTTP or HTTPS) of a request
`$host`	`cdn.example.com`	Requested hostname of a CDN resource
`cname` (internal system variable)	`cdn.example.com`	Similar to the `$host` field, but derived from internal systems rather than the incoming HTTP request.
`gcdn_vhost` (internal system variable)	`cdn.example.com[_cache_sharded]`	The vhost value as used internally in CDN
`$request_time`	`1.500`	Request processing time in seconds (accurate to milliseconds); time elapsed between the first bytes of a request being processed and logging after the last bytes were sent to a user
`$upstream_response_time`	`0.445`	Number of seconds (accurate to milliseconds) it took to receive a response from an origin. In case of multiple responses, commas and colons are used
`$request_length`	`157`	Request length (including request line, header, and request body)
`$http_range`	`bytes=0-1901653`	File fragment size in a Range request
`[$responding_node]`	`dh`	Responding data center
`$upstream_cache_status`	`MISS`	Status of a requested file in CDN cache: HIT: response served from the CDN cache. STALE: outdated response that failed to update (origin not responding or responding incorrectly). UPDATING: outdated response still updating from a previous request. REVALIDATED: response matching one on an origin (based on the `proxy_cache_revalidate` directive). EXPIRED: response that has expired in cache but still matches one on an origin; a request was sent to re-cache it. MISS: response served directly from an origin rather than from cache. BYPASS: response for the first file request after clearing the cache (the first request from each CDN server results in BYPASS; subsequent requests on that server result in HIT).
`$upstream_response_length`	`10485760`	Response length from an origin in bytes. In case of multiple responses, commas and colons are used
`$upstream_addr`	`0.0.0.0:80`	Origin’s IP address and port
`$gcdn_api_client_id` (internal system variable)	`123`	Your ID in our system
`$gcdn_api_resource_id` (internal system variable)	`01`	Your CDN-resource ID in our system
`$uid_got` (internal system variable)	`-`	Cookie name and received user ID
`$uid_set` (internal system variable)	`-`	Cookie name and provided user ID
`$geoip_country_code`	`KZ`	User’s country code according to the ISO 3166 standard (Alpha-2 code)
`$geoip_city`	`-`	User’s city code
`$shield_type` (internal system variable)	`shield_no`	Indicates whether Origin Shielding is enabled: shield_old – enabled shield_no – disabled
`$server_addr` (internal system variable) / `real_server_addr`	`0.0.0.0`	IP address of an Anycast zone or CDN server
`$server_port` (internal system variable)	`80`	Requested port
`$upstream_status`	`206`	Origin response code
`$upstream_connect_time`	`0.000`	Number of seconds (accurate to milliseconds) it took to access an origin server
`$upstream_header_time`	`0.200`	Number of seconds (accurate to milliseconds) it took to receive a response header from an origin server
`$shard_addr` (internal system variable)	`0.0.0.0`	IP address of a CDN server that was first to accept a request if the Cache Sharding feature is enabled
`$geoip2_data_asnumber`	`asnumber`	Number of an autonomous system that sent a request
`$connection` (internal system variable)	`2897494295`	Connection serial number
`$connection_requests` (internal system variable)	`1`	Current number of requests made through a connection
`$http_traceparent` (internal system variable)	`00-d5fe1dc9035165ce36952daf29686b6c-14330be33197dd1a-01`	Unique request identifier. More info in the Traceparent guide
`$http_x_forwarded_proto`	`-`	Initial protocol of an incoming request (HTTP or HTTPS)
`$gcdn_internal_status_code` (internal system variables)	`-`	Initial status code. Possible values are: `-`, or `1000-1200`
`$ssl_cipher` (internal system variable)	`ECDHE-RSA-AES256-GCM-SHA384`	Cipher name used for an established SSL connection
`$ssl_session_id` (internal system variable)	`28a4184139cb43cdc79006cf2d1a4ac93bdc****`	Session ID of an established SSL connection
`$ssl_session_reused` (internal system variable)	`r`	Shows whether a session was reused (`r`) or not (`.`)
`$sent_http_content_type`	`application/json`	Value of the `Content-Type` HTTP header, indicating the MIME type of a transmitted file
`$tcpinfo_rtt`	`21`	Average time (latency) it takes to transfer a packet to/from a server. The unit of time is microseconds
`$server_country_code`	`PL`	Server’s country code according to the ISO 3166 standard (Alpha-2 code)
`$gcdn_tcpinfo_snd_cwnd`	`45`	Size of the TCP Congestion window, i.e., the maximum number of TCP segments that the connection can send before an acknowledgment is required.
`$tcpi_total_retrans`	`10`	Total number of retransmitted packets over the life of the connection.
`$gcdn_rule_id`	`100700`	Initial rule ID (beta). Possible values are: `-`, or `100700`
`query_string`	`id=123&sort=asc&filter=active`	Contains the raw query parameters from the request URI
`timestamp` (Internal variable)	`02/Jan/2006:15:04:05 -0700`	Internal variable; Resulting in empty value
`ip` (Internal variable)	`0.0.0.0`	Internal variable; Resulting in empty value
`country` (Internal variable)		Internal variable; Resulting in empty value
`media_type` (Internal variable)	`flv` or `cmaf`, or other	Internal variable; Resulting in empty value
`size` (Internal variable)	`1232313`	Internal variable; Resulting in empty value
`duration` (Internal variable)	`340`	Internal variable; Resulting in empty value
`session_id` (Internal variable)	`162-2023042113480001010713019109705502.1682085118901`	Internal variable; Resulting in empty value
`domain` (Internal variable)	`domain.example.com`	Internal variable; Resulting in empty value
`name` (Internal variable)	`stream-2995186406511346425`	Internal variable; Resulting in empty value
`edge` (Internal variable)	`0.0.0.0`	Internal variable; Resulting in empty value
`code` (Internal variable)	`200`	Internal variable; Resulting in empty value
`region` (Internal variable)		Internal variable; Resulting in empty value
`$http_x_forwarded_for`	`203.0.113.45, 198.51.100.17`	Contains the value of the X-Forwarded-For HTTP request header as sent by the client or added by upstream proxies/load balancers.
`$http_cookie`	`session_id=abc123; theme=dark; csrftoken=9f8e7d`	Contains the raw value of the Cookie HTTP request header sent by the client.
`request_method`	`GET`	Contains the HTTP method used by the client for the request.
`request_uri_path`	`/api/v1/users`	Represents the path portion of the request URI, without any query string parameters.
`sent_http_cache_control`	`max-age=3600, public`	Contains the value of the Cache-Control HTTP response header as sent by NGINX to the client. It reflects the caching directives applied to the response, which control how browsers, proxies, and CDNs may cache and reuse the content.
`sent_http_content_length`	`53214`	Contains the value of the Content-Length HTTP response header as sent by NGINX to the client. It represents the size of the response body in bytes, as declared in the response headers.
`server_protocol`	`HTTP/1.1`	Contains the protocol version used by NGINX to communicate.
`upstream_http_content_length`	`1048576`	Contains the value of the Content-Length HTTP response header received from the upstream server.
`request_uri`	`/api/v1/users?id=42&sort=asc`	Contains the original request URI as sent by the client, including the path and the query string.
`request_status`		(Deprecated)
`gcdn_host` (internal system variable - Deprecated)
`fastedge_field1` (internal system variable)		Used for passing additional context from FastEdge into raw logs

Internal status codes

Reason	HTTP Code	Internal Code	Comment
Country ACL	403	1001
Referer ACL	403	1002
IP ACL	403	1003
User-Agent ACL	403	1004
Secure Token	403	1005	If the requested link passes the authenticity check, the `$secure_link` variable is set to the link extracted from the request URI. Otherwise, `$secure_link` is set to an empty string
Secure Token	410	1006	If the link has a limited lifetime and the time has expired, the `$secure_link` variable is set to `"0"`.
WAF	403	1007	Request blocked by WAF
Bot challenge / Testcookie	307	1008	Redirection sent by bot challenge (testcookie)
Blocklist	403	1009	Request blocked by bot protection blocklist
HTTP method	405	1200	`AllowedHttpMethods` enabled AND HTTP request method not in `AllowedHttpMethods` list
Streaming disabled .(ts\|m3u8)	402	1201	Streaming feature disabled for the client
LE Validation /.well-known/acme-challenge/	404	1202	We return `404` if `http_user_agent` is not in the list `“cert-manager-challenges	acme.zerossl.com	Cpanel-HTTP-Client	Buypass validation client	Google-Certificates-Bridge	vercel-fetch	win-acme	Typhoeus	Go-http-client”`.
check `$http_x_cdn_requestor` not empty	403	1203	Non-authorized request to shield
Force Return	ANY	1204	Status code option, this internal code indicates that the response was generated by this feature

How near real time log exporting works

The Time interval setting in a Policy defines the frequency with which the logs are archived and exported. This interval is 5 minutes by default and can be set to between 5 and 60 minutes. If CDN servers are not requested and the Do not send empty logs checkbox is not selected when configuring Logs uploader, an empty log file (± 20 bytes) will be sent to the storage target.

Account settings

CDN

FastEdge

Edge Cloud

Edge AI

Managed DNS

Hosting

Storage

Video Streaming

DDoS protection

WAAP

Configuring Logs uploader

Log schema and field definitions

How near real time log exporting works

Account settings

CDN

FastEdge

Edge Cloud

Edge AI

Managed DNS

Hosting

Storage

Video Streaming

DDoS protection

WAAP

​Configuring Logs uploader

​Log schema and field definitions

​How near real time log exporting works

Configuring Logs uploader

Log schema and field definitions

How near real time log exporting works