Access logs provide detailed information associated with all requests that pass through Distil. For fraud and security alerting, they help augment your SIEM data and log analyses by mapping Distil values to logins or accounts/users.
NOTE: Distil periodically adds new log fields and definitions to the API logs. Any processes written to parse the Distil logs should be configured to accept additional logs fields beyond the currently defined log fields. This helps prevent a disruption in the log parsing as additional log fields are added.
The table below lists all names, data types, and definitions for Distil API security access logs. For web security access logs, please see the Distil web security support article.
|
Field |
Type |
Definition |
|
|
1 |
account_id |
int |
Distil-assigned account ID |
|
2 |
domain_id |
int |
Distil-assigned domain ID |
|
3 |
ip |
string |
Visitor’s IP address |
|
4 |
request_time |
double |
Time of the request |
|
5 |
request_url |
string |
URL requested by the visitor |
|
6 |
http_status_code |
string |
HTTP status code returned to the user |
|
7 |
bytes_sent |
int |
Bytes sent from Distil to the visitor |
|
8 |
http_referrer |
string |
Visitor-provided HTTP referrer |
|
9 |
user_agent |
string |
Visitor-provided user agent |
|
10 |
geo_ip_country_code |
string |
Country of the request |
|
11 |
geo_ip_organization |
string |
Organization that owns the visitor’s |
|
12 |
whitelist |
long |
Bitwise code that describes why the request was whitelisted, if the request was whitelisted. |
|
13 |
violations |
long |
Threat that triggered the action Distil took on the request |
|
14 |
distil_action |
string |
Action Distil took on the request |
|
15 |
distil_token |
string |
Distil hashed version of the visitor’s identifier. |
|
16 |
distil_token_group |
string |
Distil identifier group (this is only used for Invalid, currently). |
|
17 |
raw_token |
string |
The raw token value Distil read from the request. |
|
18 |
raw_token_location |
string |
The location of the raw token. For example, ‘ARG auth_token’ for an ‘auth_token’ passed as a URL argument. |
|
19 |
server_serial |
string |
Distil-served handling request |
|
20 |
server_ip |
string |
IP address of the Distil appliance (or server) that handled the request |
|
21 |
origin_http_status_code |
string |
The HTTP status code returned from the origin to Distil |
|
22 |
origin_response_time |
string |
Time it took for the upstream server to respond to the request |
|
23 |
origin_content_type |
string |
Type of file requested by the visitor |
|
24 |
origin_response_length |
string |
Length of the response from origin server |
|
25 |
requests_per_minute |
double |
The number of API requests made per minute during the visitor’s session |
|
26 |
requests_per_session |
double |
The total number of API requests during the visitor’s session |
|
27 |
session_length_seconds |
double |
The duration of the visitor’s session |
|
28 |
nginx_worker_pid |
int |
Distil server process handling request |
|
29 |
request_id |
string |
Distil-computed ID for the request |
|
30 |
is_billable |
boolean |
Whether or not the request is billable |
|
31 |
hsig |
string |
Header signature |
Comments