
Distil Access Log Values - Web Security

Access logs provide detailed information associated with all requests that pass through Distil. For fraud and security alerting, they help augment your SIEM data and log analyses by mapping Distil values to logins or accounts/users.

NOTE: Distil periodically adds new log fields and definitions to the web logs. Any process written to parse the Distil logs should be configured to accept additional log fields beyond the currently defined ones. This prevents log parsing from being disrupted as new fields are added.

The table below lists all names, data types, and definitions for Distil web security access logs. For API security access logs, please see the Distil API security support article.

NOTE: Access logs differ according to your Distil version. The latest updated platform provides additional fields (47-65) not available in the legacy platform.

 

 

| # | Field | Type | Definition |
|---|---|---|---|
| 1 | account_id | int | Distil-assigned account ID |
| 2 | domain_id | int | Distil-assigned domain ID |
| 3 | ip | string | Visitor IP address |
| 4 | request_time | double | Time of the request |
| 5 | request_url | string | URL requested by the visitor |
| 6 | http_status_code | string | HTTP status code returned to the user |
| 7 | bytes_sent | int | Bytes sent from Distil to the visitor |
| 8 | http_referrer | string | Visitor-provided HTTP referrer |
| 9 | user_agent | string | Visitor-provided user agent |
| 10 | geo_ip_country_code | string | Country of the request |
| 11 | allowed | int | Distil-computed allowed code. Distil traffic classification. NOTE: The allowed code is superseded by the distil_action (column 50) code in the new platform. |
| 12 | violations | long | Distil-computed violation code. |
| 13 | unique_id | string | Distil-computed unique ID for the visitor. NOTE: Superseded by ZUID in the new platform. This is a match for cookie value D_UID. |
| 14 | origin_cache_status | string | Indicates if the object was served from Distil’s cache, if caching is enabled on the appliance. |
| 15 | informed_id | string | Distil-computed informed ID for the visitor. NOTE: Superseded by ZID in the new platform. This is a match for cookie value D_IID. |
| 16 | primitive_id | string | Distil-computed primitive ID for the visitor. NOTE: This is a match for cookie value D_PID. The D_PID cookie is deprecated in the new platform, but will still be present and logged in the new platform. |
| 17 | valid_ajax | string | Indicates whether or not a valid x-distil-ajax token was present on the request |
| 18 | origin_response_time | string | Time in milliseconds for the first byte of data to be returned from the origin to the Distil appliance |
| 19 | request_id | string | Distil-computed ID for the request. Also identified as the trace value on error and threat response pages and identification pages |
| 20 | origin_bytes_sent | string | Bytes returned from the origin to Distil |
| 21 | server_ip | string | IP address of the Distil appliance (or server) that handled the request |
| 22 | origin_http_status_code | string | The HTTP status code returned from the origin to Distil |
| 23 | pages_per_minute | double | The calculated average of requests over the course of an established session for one single visitor. NOTE: Does not include whitelisted requests or AJAX requests. |
| 24 | pages_per_session | double | The total number of pages requested during the visitor’s session |
| 25 | session_length_seconds | double | The duration of the visitor’s session |
| 26 | known_signature_id | int | Used by Distil support. Indicates additional threat information. |
| 27 | origin_server_address | string | The IP address of the selected origin server |
| 28 | request_protocol | string | Indicates whether the request was made to Distil using HTTP or HTTPS |
| 29 | server_serial | string | Distil-generated value indicating which Distil server processed the request |
| 30 | nginx_worker_pid | int | Distil server process which handled the request |
| 31 | origin_content_type | string | Content type of the object returned by the origin to Distil |
| 32 | load_balancer_request_time | long | Time the Distil load balancer received the request. NOTE: This field is generally related to global cloud deployments. |
| 33 | seed_id | string | Distil-calculated value that is a concatenated string involving the IP of first access and a GUID hash. NOTE: This is a match for cookie value D_SID. |
| 34 | geo_ip_organization | string | GEO_IP as determined in real-time using Distil’s GeoIP database |
| 35 | http_accept | string | HTTP accept header |
| 36 | http_accept_encoding | string | HTTP accept encoding header |
| 37 | http_accept_language | string | HTTP accept language header |
| 38 | http_connection | string | HTTP connection header |
| 39 | http_request_length | int | HTTP request length |
| 40 | real_ip_header_value | string | Full value in the HTTP header configured for identifying the true client IP address by Distil |
| 41 | http_host | string | HTTP host header |
| 42 | machine_learning_score | double | Distil machine learning request score |
| 43 | hsig | string | Distil-computed value identifying the order and structure of the received HTTP request headers |
| 44 | zid | string | Distil-computed ID for the visitor. NOTE: This is a match for cookie value D_ZID. |
| 45 | zuid | string | Distil-computed hi-def fingerprint for the visitor. NOTE: This is a match for cookie value UUID. |
| 46 | data_center_id | int | Datacenter ID. Distil-computed ID specific to the datacenter in which the responding server is located. |

The fields below (47-[end]) are only available in the updated platform.

| # | Field | Type | Definition |
|---|---|---|---|
| 47 | distil_domain_unique_id | string | Distil-computed unique identifier for the domain. Check with ops if this is/isn’t in legacy |
| 48 | whitelist | int | Bitwise code that describes why the request was whitelisted, if the request was whitelisted. |
| 49 | is_billable | boolean | Whether or not the request is billable |
| 50 | distil_action | string | Name of the action Distil took on the request |
| 51 | js_additional_threats | string | Used by Distil support. Indicates additional threat information. |
| 52 | js_known_violators_additional_threats | string | Used by Distil support. Indicates additional threat information. |
| 53 | [this field is intentionally blank] | [n/a] | [this field is intentionally blank] |
| 54 | [this field is intentionally blank] | [n/a] | [this field is intentionally blank] |
| 55 | [this field is intentionally blank] | [n/a] | [this field is intentionally blank] |
| 56 | http_accept_charset | string | HTTP Accept-Charset Header |
| 57 | [this field is intentionally blank] | [n/a] | [this field is intentionally blank] |
| 58 | [this field is intentionally blank] | [n/a] | [this field is intentionally blank] |
| 59 | [this field is intentionally blank] | [n/a] | [this field is intentionally blank] |
| 60 | [this field is intentionally blank] | [n/a] | [this field is intentionally blank] |
| 61 | path_security_type | string | Path type, either web security or API security |
| 62 | identification_provider | string | Identification service used to determine visitor’s ID. |
| 65 | path_rule_scope_id | string | UUID identifier for match rule scope |
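The NOTE near the top of this article asks that parsers accept fields beyond those currently defined. A positional parser that does so, as an added example (not Distil's code): the tab delimiter, the empty-string-as-missing convention, the boolean encoding and the `_platform`/`_extra`/`_errors` keys are assumptions, and the sample row is constructed.

```python
# Added example: positional parser for the field table on this page.
# Assumptions (not stated on the page): one record per line, tab-delimited,
# empty string means "no value", booleans logged as true/1.
SCHEMA = """
account_id:i domain_id:i ip:s request_time:d request_url:s http_status_code:s
bytes_sent:i http_referrer:s user_agent:s geo_ip_country_code:s allowed:i
violations:i unique_id:s origin_cache_status:s informed_id:s primitive_id:s
valid_ajax:s origin_response_time:s request_id:s origin_bytes_sent:s server_ip:s
origin_http_status_code:s pages_per_minute:d pages_per_session:d
session_length_seconds:d known_signature_id:i origin_server_address:s
request_protocol:s server_serial:s nginx_worker_pid:i origin_content_type:s
load_balancer_request_time:i seed_id:s geo_ip_organization:s http_accept:s
http_accept_encoding:s http_accept_language:s http_connection:s
http_request_length:i real_ip_header_value:s http_host:s machine_learning_score:d
hsig:s zid:s zuid:s data_center_id:i distil_domain_unique_id:s whitelist:i
is_billable:b distil_action:s js_additional_threats:s
js_known_violators_additional_threats:s
"""
CAST = {"i": int, "d": float, "s": str, "b": lambda v: v.lower() in ("true", "1")}
# column number (1-based) -> (name, type code); fields 1-52 are contiguous
COLUMNS = {n: tuple(t.split(":")) for n, t in enumerate(SCHEMA.split(), 1)}
COLUMNS.update({56: ("http_accept_charset", "s"), 61: ("path_security_type", "s"),
                62: ("identification_provider", "s"), 65: ("path_rule_scope_id", "s")})

def parse_line(line, delimiter="\t"):
    """Map one log line to named, typed fields; never fail on unknown columns."""
    record, extra, errors = {}, {}, []
    values = line.rstrip("\r\n").split(delimiter)
    for n, raw in enumerate(values, 1):
        if n not in COLUMNS:
            if raw:
                extra[n] = raw          # blank/undocumented/future column: keep raw
            continue
        name, code = COLUMNS[n]
        try:
            record[name] = CAST[code](raw) if raw != "" else None
        except ValueError:
            record[name] = raw          # keep the evidence, flag it for review
            errors.append(name)
    record["_platform"] = "updated" if len(values) > 46 else "legacy"
    record["_extra"], record["_errors"] = extra, errors
    return record

# Constructed sample: a 66-column record (one more than the page defines).
_row = [""] * 66
_row[0:3] = ["1001", "2002", "203.0.113.7"]
_row[10], _row[49], _row[65] = "0", "constructed_action", "future-field"
SAMPLE = "\t".join(_row)
```

Columns the table does not define land in `_extra` keyed by position, so a newly added field shows up in the SIEM as data instead of breaking ingestion.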

 
