Logs uploader

Logs uploader automatically exports CDN resource logs to configured storage destinations in near real time, providing continuous visibility into request activity and cache behavior. Exported logs contain information about user requests processed by cache servers, and by mid-tier cache servers when Origin shielding is enabled.

Logs uploader must first be enabled and set up in the Gcore Customer Portal on the Gcore CDN page, or by contacting the Gcore support.

Configuring Logs uploader

In the CDN menu, click Logs and select Logs uploader. Control which fields are exported, how frequently the logs are delivered, and which storage service they are sent to. Supported destinations include Gcore Object Storage, S3-compatible platforms, FTP and SFTP servers, and HTTP(S) endpoints. This flexibility helps you integrate CDN logs into existing observability, analytics, or compliance workflows while effectively managing data volume and processing requirements. The Logs uploader screen has three tabs:

Configurations — link policies and targets to deliver logs
Policies — set export rules and schedules
Targets — connect upload destinations

To add a configuration you must first have a policy and a target.

Configurations
Policies
Targets

Configurations Tab

Select the Configurations tab to view a table of configurations:

Configuration ID
Click the column header to sort the table by configuration IDs.
Configuration name
Click the column header to sort the table by configuration names.
Click a configuration name to edit the configuration.

Use the search box at the top of the table to filter configurations by name or ID.

Policy
Click a policy name to edit the linked policy.
Target
Click a target name to edit the linked target.
Status
Linked target status is displayed in the Status column. To re-run the authentication check, click (refresh) at the end of the status message.
More options
Click ⋯ (more options) in the last column to Edit, Disable, or Delete the configuration in that row.
Add configuration
Click Add configuration (top right) to create a new configuration.

Add configurations

Go to Logs uploader, select the Configurations tab, and click Add configuration.

Enable configuration switch appears at the top of the Add configuration window; to disable the configuration, toggle the switch to the left.

Select the resources for this configuration:

All Resources
Specific Resource(s)

For all resources, including newly created:

Enter a Name for the configuration.

Select a Policy to link from the drop-down list.
Select a Target to link from the drop-down list.
Click Add configuration again to finish and return to the Logs uploader. The new target appears in the table on the Configurations tab.

Configurations with correctly configured targets show Authentication complete in the Status column; to re-run the authentication check, click (refresh) at the end of the status message.

Edit configurations

Go to Logs uploader and select the Configurations tab.
Click the configuration name in the Configurations column, or click ⋯ (more options) at the end of that row and select Edit.

Enable configuration switch appears at the top of the Edit configuration window; to disable the configuration, toggle the switch to the left.

Select the resources for this configuration:

All Resources
Specific Resource(s)

For all resources, including newly created:

Edit configuration Name.

Select a Policy to link from the drop-down list.
Select a Target to link from the drop-down list.
Click Save changes (top right) to return to the Logs uploader.

Configurations with correctly configured targets show Authentication complete in the Status column; to re-run the authentication check, click (refresh) at the end of the status message.

Enable, disable, or delete configurations

Go to Logs uploader and select the Configurations tab.
In the row with the configuration name, click ⋯ (more options) in the last column and select Enable, Disable, or Delete.

A configuration can also be enabled or disabled using the Enable configuration switch in Edit configuration or Add configuration windows.

Policies tab

Select the Policies tab for a table of policies:

Policy ID
Click the column header to order the table by policy IDs.
Policy name
- Click the column header to order the table by policy names.
- Click a policy name to edit the policy.

Use the search box at the top of the table to filter policies by name or ID.

Configuration
Click a configuration name to edit the linked configuration.
Click Select configuration at the top of the table, then choose one or more linked Configurations from the drop-down list to filter the policies table. Use the search box at the top of this drop-down list to filter list results by Configuration name or ID.
More options
Click ⋯ (more options) in the last column to Edit or Delete the policy in that row.
Add policy
Click Add policy (top right) to create a new policy.

Add policies

Go to Logs uploader, select the Policies tab, and click Add policy.
Enter a Name for the policy.
Clear the Include empty logs checkbox to exclude empty logs.
Select Include logs from origin shielding to receive these logs.
This option is only available if Origin shielding is enabled for your account.
Use the multi-select picker to choose the Log fields to include:
- To remove a log field, click ✕ (close) on the chip with the field label. To remove all fields, click Clear at the bottom right of the picker field.
- To add a log field, click in the empty area of the picker field and select a log field to add from the drop-down list.
Enter one or more characters from the field label to filter the list.
To reorder fields, click Edit order at the bottom left to open the reorder panel, drag the ⋮⋮ handles to rearrange the fields in the list, and click Apply changes.
Change the Delimiter and the Separator, if needed.
Change or customize the log File name format template, if needed.
Change the logging Time interval, if needed.
Set the Log file size limit.
The Log file size limit applies before compression. The compressed file delivered to your endpoint may be up to 99% smaller.
Click Add policy again to finish and return to the Logs uploader. The new policy appears in the table on the Policies tab.

Edit policies

Go to Logs uploader and select the Policies tab.
Click the policy name in the Policy column, or click ⋯ (more options) at the end of that row and select Edit.
Edit policy Name.
Select the Include empty logs checkbox to receive empty logs.
Select Include logs from origin shielding to receive these logs.
This option is only available if Origin shielding is enabled for your account.
Use the multi-select picker to edit the Log fields to include:
- To remove a log field, click ✕ (close) on the chip with the field label. To remove all fields, click Clear at the bottom right of the picker field.
- To add a log field, click in the empty area of the picker field and select a log field to add from the drop-down list.
Enter one or more characters from the field label to filter the list.
To reorder fields, click Edit order at the bottom left to open the reorder panel, drag the ⋮⋮ handles to rearrange the fields in the list, and click Apply changes.

Edit the Delimiter and the Separtor.
Edit or customize the log File name format template.
Edit the logging Time interval.
Edit the Log file size limit.
The Log file size limit applies before compression. The compressed file delivered to your endpoint may be up to 99% smaller.
Click Save changes (top right) to return to the Policies tab.

Delete policies

Go to Logs uploader and select the Policies tab.
In the row with the policy name, click ⋯ (more options) in the last column and select Delete.

Targets tab

Select the Targets tab to view a table of targets:

Target ID
Click the column header to sort the table by target IDs.
Target name
- Click the column header to sort the table by target names.
- Click a target name to edit configuration or connection details.

Use the search box at the top of the table to filter targets by name or ID.

Configuration
- Click a configuration name to edit the linked configuration.
  Click Select configuration at the top of the table, then choose one or more linked Configurations from the drop-down list to filter the targets table. Use the search box at the top of this drop-down list to filter list results by Configuration name or ID.
Status
Target authentication status is displayed in the Status column. To re-run the authentication check, click (refresh) at the end of the status message.
More options
Click ⋯ (more options) in the last column to Edit or Delete the target in that row.
Add target
Click Add target (top right) to connect a new target.

Add targets

Go to Logs uploader, select the Targets tab, and click Add target.
Enter a Name for the target.
Select and configure a destination or delivery protocol and connection details for log export:

Gcore Object Storage

Select HTTP or HTTPS protocol and specify the Endpoint for the storage target.
Enter the Access key ID and the Secret Access Key.
Enter the storage region (location) and the name of an existing bucket.
Optionally, specify an existing folder within the bucket for receiving the logs.

Complete connection details are displayed when the storage is created.

Storage endpoint (hostname) and region (location) can be viewed and new keys generated by clicking ⋯ (more options) in the Actions column of the Object Storages table.

Click Add target again to finish configuration and return to the Logs uploader. The new target appears in the table on the Targets tab.

Correctly configured targets show Authentication complete in the Status column; to re-run the authentication check, click (refresh) at the end of the status message.

Edit targets

Go to Logs uploader and select the Targets tab.
Click the target name in the Target column, or click ⋯ (more options) at the end of that row and select Edit.

Target authentication status appears at the top of the Edit target window. To re-run the authentication check, click (refresh) next to the status message.

Edit target Name.
Select or configure the destination or delivery protocol and connection details for log export:

Gcore Object Storage

Select HTTP or HTTPS protocol and specify the Endpoint for the storage target.
Enter the Access key ID and the Secret Access Key.
Enter the storage region (location) and the name of an existing bucket.
Optionally, specify an existing folder within the bucket for receiving the logs.

Complete connection details are displayed when the storage is created.

Storage endpoint (hostname) and region (location) can be viewed and new keys generated by clicking ⋯ (more options) in the Actions column of the Object Storages table.

Click Save changes (top right) to return to the Logs uploader Targets tab.

Correctly configured targets show Authentication complete in the Status column; to re-run the authentication check, click (refresh) at the end of the status message.

Delete targets

Go to Logs uploader and select the Targets tab.
In the row with the target name, click ⋯ (more options) in the last column and select Delete.

Log schema and field definitions

Log format example

It’s OK if you find a field that’s not listed in the example. We occasionally add new fields to the end of the line. If some fields are added to logs, you’ll receive an email about the update.

"$remote_addr" "-" "$remote_user" "[$time_local]" "$request" "$status"  
"$body_bytes_sent" "$http_referer" "$http_user_agent" "$bytes_sent"  
"$edgename" "$scheme" "$host" "$request_time"  
"$upstream_response_time" "$request_length" "$http_range" "[$responding_node]"  
"$upstream_cache_status" "$upstream_response_length" "$upstream_addr"  
"$gcdn_api_client_id" "$gcdn_api_resource_id" "$uid_got" "$uid_set"  
"$geoip_country_code" "$geoip_city" "$shield_type" "$server_addr" "$server_port"  
"$upstream_status" "-" "$upstream_connect_time" "$upstream_header_time"  
"$shard_addr" "$geoip2_data_asnumber" "$connection" "$connection_requests"  
"$http_traceparent" "$http_x_forwarded_proto" "$gcdn_internal_status_code" "$ssl_cipher"  
"$ssl_session_id" "$ssl_session_reused" "$sent_http_content_type" "$tcpinfo_rtt" 
"$server_country_code" "$gcdn_tcpinfo_snd_cwnd" "$gcdn_tcpinfo_total_retrans" "$gcdn_rule_id" 

Log fields

The following table contains a complete list of available log fields. Fields formatted in italics relate to our internal CDN system, so you can ignore them.You can check other fields — they can be helpful for traffic analysis or statistics.

Field	Log value example	Description
`$remote_addr`	`0.0.0.0`	User’s IP address
`$remote_user` (internal system variable)	`-`	Username used in Basic authentication
`[$time_local]`	`[26/Apr/2019:09:47:40 +0000]`	Local time in Common Log Format
`$request`	`GET /ContentCommon/images/image.png HTTP/1.1`	HTTP method, requested file path, and HTTP version
`$status`	`200`	Response status code from a CDN server
`$body_bytes_sent`	`1514283`	Number of bytes sent to a user, excluding the response header size
`$http_referer`	`https://example.com/videos/10`	Referrer – a URL requested by a user
`$http_user_agent`	`Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 YaBrowser/16.10.0.2309 Safari/537.36`	User agent that was used to send a request (browser or other application)
`$bytes_sent`	`1514848`	Number of bytes sent to a user
`$edgename`	`[dh-up-gc18]`	CDN server that forwarded the requested file
`$scheme`	`https`	Protocol (HTTP or HTTPS) of a request
`$host`	`cdn.example.com`	Requested hostname of a CDN resource
`$cname` (internal system variable)	`cdn.example.com`	Similar to the `$host` field, but derived from internal systems rather than the incoming HTTP request.
`$gcdn_vhost` (internal system variable)	`cdn.example.com[_cache_sharded]`	The vhost value as used internally in CDN
`$request_time`	`1.500`	Request processing time in seconds (accurate to milliseconds); time elapsed between the first bytes of a request being processed and logging after the last bytes were sent to a user
`$upstream_response_time`	`0.445`	Number of seconds (accurate to milliseconds) it took to receive a response from an origin. In case of multiple responses, commas and colons are used
`$request_length`	`157`	Request length (including request line, header, and request body)
`$http_range`	`bytes=0-1901653`	File fragment size in a Range request
`[$responding_node]`	`dh`	Responding data center
`$upstream_cache_status`	`MISS`	Status of a requested file in CDN cache: HIT: response served from the CDN cache. STALE: outdated response that failed to update (origin not responding or responding incorrectly). UPDATING: outdated response still updating from a previous request. REVALIDATED: response matching one on an origin (based on the `proxy_cache_revalidate` directive). EXPIRED: response that has expired in cache but still matches one on an origin; a request was sent to re-cache it. MISS: response served directly from an origin rather than from cache. BYPASS: response for the first file request after clearing the cache (the first request from each CDN server results in BYPASS; subsequent requests on that server result in HIT).
`$upstream_response_length`	`10485760`	Response length from an origin in bytes. In case of multiple responses, commas and colons are used
`$upstream_addr`	`0.0.0.0:80`	Origin’s IP address and port
`$gcdn_api_client_id` (internal system variable)	`123`	Your ID in our system
`$gcdn_api_resource_id` (internal system variable)	`01`	Your CDN-resource ID in our system
`$uid_got` (internal system variable)	`-`	Cookie name and received user ID
`$uid_set` (internal system variable)	`-`	Cookie name and provided user ID
`$geoip_country_code`	`KZ`	User’s country code according to the ISO 3166 standard (Alpha-2 code)
`$geoip_city`	`-`	User’s city code
`$shield_type` (internal system variable)	`shield_no`	Indicates whether Origin Shielding is enabled: shield_old – enabled shield_no – disabled
`$server_addr` (internal system variable) / `real_server_addr`	`0.0.0.0`	IP address of an Anycast zone or CDN server
`$server_port` (internal system variable)	`80`	Requested port
`$upstream_status`	`206`	Origin response code
`$upstream_connect_time`	`0.000`	Number of seconds (accurate to milliseconds) it took to access an origin server
`$upstream_header_time`	`0.200`	Number of seconds (accurate to milliseconds) it took to receive a response header from an origin server
`$shard_addr` (internal system variable)	`0.0.0.0`	IP address of a CDN server that was first to accept a request if the Cache Sharding feature is enabled
`$geoip2_data_asnumber`	`asnumber`	Number of an autonomous system that sent a request
`$connection` (internal system variable)	`2897494295`	Connection serial number
`$connection_requests` (internal system variable)	`1`	Current number of requests made through a connection
`$http_traceparent` (internal system variable)	`00-d5fe1dc9035165ce36952daf29686b6c-14330be33197dd1a-01`	Unique request identifier. More info in the Traceparent guide
`$http_x_forwarded_proto`	`-`	Initial protocol of an incoming request (HTTP or HTTPS)
`$gcdn_internal_status_code` (internal system variables)	`-`	Initial status code. Possible values are: `-`, or `1000-1200`
`$ssl_cipher` (internal system variable)	`ECDHE-RSA-AES256-GCM-SHA384`	Cipher name used for an established SSL connection
`$ssl_session_id` (internal system variable)	`28a4184139cb43cdc79006cf2d1a4ac93bdc****`	Session ID of an established SSL connection
`$ssl_session_reused` (internal system variable)	`r`	Shows whether a session was reused (`r`) or not (`.`)
`$sent_http_content_type`	`application/json`	Value of the `Content-Type` HTTP header, indicating the MIME type of a transmitted file
`$tcpinfo_rtt`	`21`	Average time (latency) it takes to transfer a packet to/from a server. The unit of time is microseconds
`$server_country_code`	`PL`	Server’s country code according to the ISO 3166 standard (Alpha-2 code)
`$gcdn_tcpinfo_snd_cwnd`	`45`	Size of the TCP Congestion window, i.e., the maximum number of TCP segments that the connection can send before an acknowledgment is required.
`$tcpi_total_retrans`	`10`	Total number of retransmitted packets over the life of the connection.
`$gcdn_rule_id`	`100700`	Initial rule ID (beta). Possible values are: `-`, or `100700`
`$query_string`	`id=123&sort=asc&filter=active`	Contains the raw query parameters from the request URI
`$timestamp` (Internal variable)	`02/Jan/2006:15:04:05 -0700`	Internal variable; Resulting in empty value
`$ip` (Internal variable)	`0.0.0.0`	Internal variable; Resulting in empty value
`$country` (Internal variable)		Internal variable; Resulting in empty value
`$media_type` (Internal variable)	`flv` or `cmaf`, or other	Internal variable; Resulting in empty value
`$size` (Internal variable)	`1232313`	Internal variable; Resulting in empty value
`$duration` (Internal variable)	`340`	Internal variable; Resulting in empty value
`$session_id` (Internal variable)	`162-2023042113480001010713019109705502.1682085118901`	Internal variable; Resulting in empty value
`$domain` (Internal variable)	`domain.example.com`	Internal variable; Resulting in empty value
`$name` (Internal variable)	`stream-2995186406511346425`	Internal variable; Resulting in empty value
`$edge` (Internal variable)	`0.0.0.0`	Internal variable; Resulting in empty value
`$code` (Internal variable)	`200`	Internal variable; Resulting in empty value
`$region` (Internal variable)		Internal variable; Resulting in empty value
`$http_x_forwarded_for`	`203.0.113.45, 198.51.100.17`	Contains the value of the X-Forwarded-For HTTP request header as sent by the client or added by upstream proxies/load balancers.
`$http_cookie`	`session_id=abc123; theme=dark; csrftoken=9f8e7d`	Contains the raw value of the Cookie HTTP request header sent by the client.
`$request_method`	`GET`	Contains the HTTP method used by the client for the request.
`$request_uri_path`	`/api/v1/users`	Represents the path portion of the request URI, without any query string parameters.
`$sent_http_cache_control`	`max-age=3600, public`	Contains the value of the Cache-Control HTTP response header as sent by NGINX to the client. It reflects the caching directives applied to the response, which control how browsers, proxies, and CDNs may cache and reuse the content.
`$sent_http_content_length`	`53214`	Contains the value of the Content-Length HTTP response header as sent by NGINX to the client. It represents the size of the response body in bytes, as declared in the response headers.
`$server_protocol`	`HTTP/1.1`	Contains the protocol version used by NGINX to communicate.
`$upstream_http_content_length`	`1048576`	Contains the value of the Content-Length HTTP response header received from the upstream server.
`$request_uri`	`/api/v1/users?id=42&sort=asc`	Contains the original request URI as sent by the client, including the path and the query string.
`$request_status`		(Deprecated)
`$gcdn_host` (internal system variable - Deprecated)
`$fastedge_field1` (internal system variable)		Used for passing additional context from FastEdge into raw logs
`$http_last_modified`	`Wed, 21 Oct 2015 07:28:00 GMT`	Value of the Last-Modified request header sent by the client.
`$http_accept`	`text/html,application/xhtml+xml`	Value of the Accept request header indicating acceptable response content types.
`$http_age`	`3600`	Value of the Age request header, typically used by caches to indicate object age in seconds.
`$http_head_size`	`512`	Size (in bytes) of the HTTP request headers received from the client.
`$http_return_head_size`	`430`	Size (in bytes) of the HTTP response headers returned to the client.
`$sent_http_content_range`	`bytes 0-1023/4096`	Value of the Content-Range response header sent to the client.
`$upstream_http_location`	`/redirect/path`	Value of the Location response header received from the upstream server (commonly for redirects).

Internal status codes

Reason	HTTP Code	Internal Code	Comment
Country ACL	403	1001
Referer ACL	403	1002
IP ACL	403	1003
User-Agent ACL	403	1004
Secure Token	403	1005	If the requested link passes the authenticity check, the `$secure_link` variable is set to the link extracted from the request URI. Otherwise, `$secure_link` is set to an empty string
Secure Token	410	1006	If the link has a limited lifetime and the time has expired, the `$secure_link` variable is set to `"0"`.
WAF	403	1007	Request blocked by WAF
Bot challenge / Testcookie	307	1008	Redirection sent by bot challenge (testcookie)
Blocklist	403	1009	Request blocked by bot protection blocklist
HTTP method	405	1200	`AllowedHttpMethods` enabled AND HTTP request method not in `AllowedHttpMethods` list
Streaming disabled .(ts\|m3u8)	402	1201	Streaming feature disabled for the client
LE Validation /.well-known/acme-challenge/	404	1202	We return `404` if `http_user_agent` is not in the list `“cert-manager-challenges	acme.zerossl.com	Cpanel-HTTP-Client	Buypass validation client	Google-Certificates-Bridge	vercel-fetch	win-acme	Typhoeus	Go-http-client”`.
check `$http_x_cdn_requestor` not empty	403	1203	Non-authorized request to shield
Force Return	ANY	1204	Status code option, this internal code indicates that the response was generated by this feature

WAAP log fields

If your CDN resource has WAAP enabled, the Logs uploader automatically appends WAAP security event fields to each request log line, alongside the CDN fields described above. You receive a single merged log entry per request, so the CDN access data and the matching WAAP security verdict arrive correlated and on the same delivery channel as your existing CDN logs - no separate file, no extra configuration on your side.

Eligibility. WAAP fields are added only for resources that have WAAP enabled and use the current edge protection architecture. For resources without WAAP, the existing CDN log line is unchanged.

DDoS protection logs are not exported through the Logs uploader. Only per-request WAAP security events are included. DDoS attack analytics remain available through the WAAP API and dashboard.

WAAP fields

The following fields are appended to each request log line when WAAP is enabled on the resource.

Field	Log value example	Description
`$waap_id`	`7f3c1e92-...`	Unique WAAP request identifier. Use it to correlate a log line with the WAAP Request Details API.
`$waap_decision`	`blocked`	Final security decision computed by WAAP at the edge. See Decision and optional action values below for the full value list and semantics.
`$waap_optional_action`	`captcha`	Additional action that was returned to the client alongside the decision (CAPTCHA or non-interactive challenge). See Decision and optional action values below.
`$waap_passed_incident_id`	`9a8b4f70-...`	Identifier of a previous WAAP incident that the request passed (for example, after a successful CAPTCHA solve in an earlier request from the same session). Empty if not applicable.
`$waap_request_type`	`regular`	WAAP request classification (for example, `regular`, `injected`).
`$waap_country`	`DE`	Country of the client IP, resolved by WAAP (Alpha-2 ISO 3166 code).
`$waap_organization`	`Deutsche Telekom AG`	Network organization that owns the client IP, resolved by WAAP.
`$waap_range`	`203.0.113.0/24`	Network range associated with the client IP.
`$waap_session_id`	`8c1f0d2a-...`	WAAP session identifier. Groups successive requests that WAAP attributes to the same client.
`$waap_session_request_number`	`42`	Sequence number of this request within the WAAP session.
`$waap_conviction_action`	`block`	Action prescribed by the matched rule. Possible values include `allow`, `block`, `monitor`, `captcha`, `handshake`. Empty if no rule matched.
`$waap_conviction_rule_id`	`100245`	ID of the WAAP rule that matched the request.
`$waap_conviction_rule_name`	`SQLi attempt`	Human-readable name of the matched WAAP rule.
`$waap_conviction_scope`	`policy`	Scope at which the rule was applied (for example, `policy`, `global`, `custom`).
`$waap_conviction_reference_id`	`signature:sqli-101`	Reference identifier of the conviction (rule signature, tag, or template reference).
`$waap_conviction_incident_id`	`4d2e8b1c-...`	Identifier of the WAAP incident raised for this request.
`$waap_conviction_template`	`OWASP CRS`	Template or ruleset family the matched rule belongs to.

All WAAP fields are best-effort: a field is empty ("") when WAAP did not compute a value for the request (for example, no rule matched, or the request was served before WAAP analysis completed). Treat empty values as “not applicable”, not “zero”.

Decision and optional action values

The $waap_decision field gives the final security verdict that WAAP applied at the edge:

Value	Meaning
`passed`	Request was allowed because it matched a previously cleared WAAP incident (for example, the client had already solved a CAPTCHA for an earlier request in the same session). The original incident identifier is exported in `$waap_passed_incident_id`.
`allowed`	Request was explicitly allowed by a matched WAAP rule.
`monitored`	Request was logged in monitor mode without applying the rule action. Useful for shadow testing rules before enforcement.
`blocked`	Request was blocked at the edge, or a challenge was issued and is pending client resolution (see the note below).
empty (`""`)	No WAAP verdict was produced for this request (for example, traffic that did not go through WAAP analysis).

The $waap_optional_action field describes any additional action applied alongside the decision:

Value	Meaning
`captcha`	A CAPTCHA challenge was served to the client.
`challenge`	A non-interactive challenge was issued (for example, a JavaScript or cookie handshake).
empty (`""`)	No additional action was applied.

Challenged requests are recorded as blocked. Logs are written at the edge as soon as the response is sent, before WAAP knows whether the client will solve the challenge. When the client passes the challenge, subsequent requests from the same session are exported with $waap_decision="passed" and $waap_passed_incident_id pointing back to the original incident, so you can trace the final outcome by joining the two log lines on the session identifier. The full per-incident result is also available through the WAAP Request Details API.

Log schema versioning

Each exported log line carries a schema version field that identifies the JSON payload version (for example, "v":"5"). The version is incremented whenever fields are added, renamed, or removed. We add new fields in a backwards-compatible way where possible (existing field names and positions are preserved), so most schema changes do not require parser updates on your side. Breaking changes are announced in advance through the standard CDN update notifications. Pin your downstream parsers (SIEM, ETL) to a known version and check the v value to detect schema changes safely.

How near real time log exporting works

The Time interval setting in a Policy defines the frequency with which the logs are archived and exported. This interval is 5 minutes by default and can be set to between 5 and 60 minutes. If CDN servers are not requested and the Do not send empty logs checkbox is not selected when configuring Logs uploader, an empty log file (± 20 bytes) will be sent to the storage target.

Account settings

Developer Tools

CDN

FastEdge

Edge Cloud

AI

Gclaw

Managed DNS

Hosting

Object Storage

Video Streaming

DDoS protection

Edge Proxy

WAAP

Configuring Logs uploader

Log schema and field definitions

WAAP log fields

How near real time log exporting works

Account settings

Developer Tools

CDN

FastEdge

Edge Cloud

AI

Gclaw

Managed DNS

Hosting

Object Storage

Video Streaming

DDoS protection

Edge Proxy

WAAP

Documentation Index

​Configuring Logs uploader

​Log schema and field definitions

​WAAP log fields

​How near real time log exporting works

Configuring Logs uploader

Log schema and field definitions

WAAP log fields

How near real time log exporting works