Logs API

The logs API is available at https://CONTROLLER-IP/api/analytics/logs and supports several query options, described in detail below.

Logs Query Options

Option Description
type OPTIONAL; Type of Logs Requested; 0: Connection Logs, 1: Application Logs, 2: Event Logs; DEFAULT=Automatically detected based on the VS's app profile
virtualservice REQUIRED; Specify VS ID for scoping the results
start OPTIONAL; start time stamp in ISO8601 format; DEFAULT=zero
end OPTIONAL; end time stamp in ISO8601 format; DEFAULT=current time
duration OPTIONAL; if the start time is not specified (or is set to zero), this field, specified in seconds, determines the duration, counted back from end, for which logs are returned; DEFAULT=zero (no limit)
page_size OPTIONAL; maximum number of records to return; DEFAULT=10
adf OPTIONAL; search logs matching Avi Defined (Significant) Filters; DEFAULT=True
udf OPTIONAL; search through logs meeting User Defined Filters; DEFAULT=False
nf OPTIONAL; search through the rest of the logs (i.e., logs that match neither ADF nor UDF); DEFAULT=False
format OPTIONAL; Choose a format for the data; Options={'json','csv','txt'}; DEFAULT='json'
page OPTIONAL; For pagination support; DEFAULT=1
filter OPTIONAL; Format: OPERATOR(field,value); Can be specified multiple times; DEFAULT=None; See the Logs Filters section below for more information about filters.
cols OPTIONAL; A comma separated list of fields to include in the results; When groupby is specified, sum/avg/max/min functions can be used with field names (e.g., sum(tx_bytes) in L4 case, or sum(response_length+request_length) in L7); you can order on the first custom column by specifying orderby=col0; DEFAULT=All when groupby is not specified and is sum(1) otherwise
groupby OPTIONAL; Specify a field name to group the results on; DEFAULT=None
orderby OPTIONAL; Specify a field name to sort the results on; Prepend with '-' to sort in reverse order; DEFAULT=-report_timestamp when groupby is not specified and descending order on count of items in each group (-count) when groupby is specified
step OPTIONAL; Specify step values for each groupby field results; This outputs a JSON object, by default, with counts of logs that fall in each step, along with the timestamp of the end of the step; TBD: Summarization functions for other columns; DEFAULT=0
expstep OPTIONAL; If set to true, then instead of the default linear increases by 'step', exponentially increasing steps are used; e.g., if step=2 and expstep=True, then the intervals in the responses will be of the form: 0-1, 1-2, 2-4, 4-8, 8-16, and so on; DEFAULT=False
timeout OPTIONAL; Specify the timeout (in seconds) for this query; DEFAULT=5
download OPTIONAL; Boolean; If set to true, then the results in the requested format will be downloaded as a file. Also, the defaults for other options will be set as follows: format is set to CSV; timeout is set to 10 seconds; page is set to 1; page_size is set to 10000; DEFAULT=False
debug OPTIONAL; Boolean; If set to true, then extra debugging info is included in the responses; DEFAULT=False
js_compat OPTIONAL; Boolean; If set to true, then uint64 numbers are converted to strings in the log query response.

Logs Filters

Filters are specified in OPERATOR(FIELD,VALUE) format. Depending on the type of FIELD, different operators are supported. The following table shows the operators supported for each field type.

Refer to the sections below (Fields for HTTP Logs, Fields for L4 Logs, Fields for Event Logs) for the set of fields and their types for each log type.

Supported operators by field type

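Field Type Operator Description
String eq ==
String sw starts with
String ne !=
String co contains keyword
String nc not contains keyword
Integer eq ==
Integer lt <
Integer le <=
Integer gt >
Integer ge >=
Integer ne !=
IP Address eq ==
IP Address sw starts with
IP Address ne !=
Boolean eq ==
Boolean ne !=
Enumeration String eq ==
Enumeration String lt <
Enumeration String le <=
Enumeration String gt >
Enumeration String ge >=
Enumeration String ne !=
Message eq ==
Message lt <
Message le <=
Message gt >
Message ge >=
Message ne !=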

Fields for HTTP Logs

Field Name Field Type Supported Operators Field Description
adf Boolean eq,ne
significant Integer eq,lt,le,gt,ge,ne
significance String eq,sw,ne,co,nc
udf Boolean eq,ne
virtualservice String eq,sw,ne,co,nc
report_timestamp Integer eq,lt,le,gt,ge,ne
service_engine String eq,sw,ne,co,nc
vcpu_id Integer eq,lt,le,gt,ge,ne
log_id Integer eq,lt,le,gt,ge,ne
client_ip IP Address eq,sw,ne
client_location String eq,sw,ne,co,nc
client_src_port Integer eq,lt,le,gt,ge,ne
client_dest_port Integer eq,lt,le,gt,ge,ne
client_rtt Integer eq,lt,le,gt,ge,ne
ssl_session_id String eq,sw,ne,co,nc
ssl_version String eq,sw,ne,co,nc
ssl_cipher String eq,sw,ne,co,nc
sni_hostname String eq,sw,ne,co,nc
http_version String eq,sw,ne,co,nc
method String eq,sw,ne,co,nc
uri_path String eq,sw,ne,co,nc
rewritten_uri_path String eq,sw,ne,co,nc
uri_query String eq,sw,ne,co,nc
rewritten_uri_query String eq,sw,ne,co,nc
redirected_uri String eq,sw,ne,co,nc
server_side_redirect_uri String eq,sw,ne,co,nc
referer String eq,sw,ne,co,nc
user_agent String eq,sw,ne,co,nc
client_device String eq,sw,ne,co,nc
client_browser String eq,sw,ne,co,nc
client_os String eq,sw,ne,co,nc
xff String eq,sw,ne,co,nc
persistence_used Boolean eq,ne
host String eq,sw,ne,co,nc
etag String eq,sw,ne,co,nc
persistent_session_id Integer eq,lt,le,gt,ge,ne
request_content_type String eq,sw,ne,co,nc
response_content_type String eq,sw,ne,co,nc
request_length Integer eq,lt,le,gt,ge,ne
cache_hit Boolean eq,ne
cacheable Boolean eq,ne
network_security_policy_rule_name String eq,sw,ne,co,nc
http_security_policy_rule_name String eq,sw,ne,co,nc
http_request_policy_rule_name String eq,sw,ne,co,nc
http_response_policy_rule_name String eq,sw,ne,co,nc
pool String eq,sw,ne,co,nc
pool_name String eq,sw,ne,co,nc
server_ip IP Address eq,sw,ne
server_name String eq,sw,ne,co,nc
server_conn_src_ip IP Address eq,sw,ne
server_dest_port Integer eq,lt,le,gt,ge,ne
server_src_port Integer eq,lt,le,gt,ge,ne
server_rtt Integer eq,lt,le,gt,ge,ne
server_response_length Integer eq,lt,le,gt,ge,ne
server_response_code Integer eq,lt,le,gt,ge,ne
server_response_time_first_byte Integer eq,lt,le,gt,ge,ne
server_response_time_last_byte Integer eq,lt,le,gt,ge,ne
app_response_time Integer eq,lt,le,gt,ge,ne
data_transfer_time Integer eq,lt,le,gt,ge,ne
total_time Integer eq,lt,le,gt,ge,ne
response_length Integer eq,lt,le,gt,ge,ne
response_code Integer eq,lt,le,gt,ge,ne
response_time_first_byte Integer eq,lt,le,gt,ge,ne
response_time_last_byte Integer eq,lt,le,gt,ge,ne
compression_percentage Integer eq,lt,le,gt,ge,ne
compression Enumeration String eq,lt,le,gt,ge,ne
client_insights Enumeration String eq,lt,le,gt,ge,ne
connection_error_info Message eq,lt,le,gt,ge,ne
spdy_version String eq,sw,ne,co,nc
request_headers Integer eq,lt,le,gt,ge,ne
response_headers Integer eq,lt,le,gt,ge,ne
request_state Enumeration String eq,lt,le,gt,ge,ne
datascript_error_trace Message eq,lt,le,gt,ge,ne
all_request_headers String eq,sw,ne,co,nc
all_response_headers String eq,sw,ne,co,nc
user_id String eq,sw,ne,co,nc
significant_log Enumeration String eq,lt,le,gt,ge,ne List of enums which indicate why a log is significant
datascript_log String eq,sw,ne,co,nc Log created by the invocations of the DataScript api avi.vs.log()
microservice String eq,sw,ne,co,nc
microservice_name String eq,sw,ne,co,nc
headers_sent_to_server String eq,sw,ne,co,nc Request headers sent to backend server
headers_received_from_server String eq,sw,ne,co,nc Response headers received from backend server
server_ssl_session_id String eq,sw,ne,co,nc SSL session id for the backend connection.
server_connection_reused Boolean eq,ne Flag to indicate if connection from the connection pool was reused
server_ssl_session_reused Boolean eq,ne Flag to indicate if SSL session was reused.
vs_ip IP Address eq,sw,ne
body_updated Enumeration String eq,lt,le,gt,ge,ne
waf_log Message eq,lt,le,gt,ge,ne Presence of waf_log indicates that at least 1 WAF rule was hit for the transaction
client_ip6 String eq,sw,ne,co,nc IPv6 address of the client.
vs_ip6 String eq,sw,ne,co,nc Virtual IPv6 address of the VS.
server_ip6 String eq,sw,ne,co,nc IPv6 address of the Server.
server_conn_src_ip6 String eq,sw,ne,co,nc IPv6 address used to connect to Server.
request_id String eq,sw,ne,co,nc Unique HTTP Request ID
request_served_locally_remote_site_down Boolean eq,ne Flag to indicate if request was served locally because the remote site was down
http2_stream_id Integer eq,lt,le,gt,ge,ne Stream identifier corresponding to an HTTP2 request.
cipher_bytes String eq,sw,ne,co,nc Byte stream of client cipher list sent on SSL_R_NO_SHARED_CIPHER error.
client_cipher_list Message eq,lt,le,gt,ge,ne List of ciphers sent by client in TLS/SSL Client Hello. Only sent when TLS handshake fails due to no shared cipher.
client_log_filter_name String eq,sw,ne,co,nc Name of the Client Log Filter applied
saml_authentication_used Boolean eq,ne SAML authentication is used.
saml_session_cookie_valid Boolean eq,ne SAML authentication session cookie is valid.
saml_auth_request_generated Boolean eq,ne SAML authentication request is generated.
saml_auth_response_received Boolean eq,ne SAML authentication response is received.
saml_auth_session_id Integer eq,lt,le,gt,ge,ne SAML authentication session ID.
servers_tried Integer eq,lt,le,gt,ge,ne Number of servers tried during server reselect before the response is sent back.
paa_log Message eq,lt,le,gt,ge,ne Logs for the PingAccess authentication process.
cache_disabled_by_ds Boolean eq,ne Cache fetch and store is disabled by the Datascript policies.
grpc_status Integer eq,lt,le,gt,ge,ne GRPC response status sent in the GRPC trailer.
ocsp_status_resp_sent Boolean eq,ne OCSP Certificate Status response sent in the SSL/TLS connection handshake.
critical_error_encountered Boolean eq,ne Critical error encountered during request processing.
grpc_service_name String eq,sw,ne,co,nc The service called by the gRPC request.
grpc_method_name String eq,sw,ne,co,nc The method called by the gRPC request.
grpc_status_reason_phrase Enumeration String eq,lt,le,gt,ge,ne The reason phrase corresponding to the gRPC status code.
icap_log Message eq,lt,le,gt,ge,ne Log for the ICAP processing.
saml_log Message eq,lt,le,gt,ge,ne Logs for the SAML authentication/authorization process.
jwt_log Message eq,lt,le,gt,ge,ne Logs for the JWT Validation process.
ntlm_log Message eq,lt,le,gt,ge,ne NTLM auto-detection logs.
oob_log Message eq,lt,le,gt,ge,ne Logs for HTTP Out-Of-Band Requests
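
An added example (not part of the original documentation) that builds a logs query URL from the options above and rejects a filter whose operator is not supported for the field's type. The controller host name, the VS ID and the small field subset are constructed placeholders; authentication is not covered on this page and is omitted.

```python
from urllib.parse import urlencode

# Operators allowed per field type, from "Supported operators by field type".
OPERATORS = {
    "String": {"eq", "sw", "ne", "co", "nc"},
    "Integer": {"eq", "lt", "le", "gt", "ge", "ne"},
    "IP Address": {"eq", "sw", "ne"},
    "Boolean": {"eq", "ne"},
    "Enumeration String": {"eq", "lt", "le", "gt", "ge", "ne"},
    "Message": {"eq", "lt", "le", "gt", "ge", "ne"},
}

# Subset of the "Fields for HTTP Logs" table; extend with the rows you need.
HTTP_FIELDS = {
    "client_ip": "IP Address",
    "uri_path": "String",
    "method": "String",
    "response_code": "Integer",
    "cache_hit": "Boolean",
}


def make_filter(op, field, value):
    """Return OPERATOR(field,value) after checking op against the field's type."""
    ftype = HTTP_FIELDS.get(field)
    if ftype is None:
        raise ValueError(f"unknown field: {field}")
    if op not in OPERATORS[ftype]:
        raise ValueError(f"operator {op!r} not supported for {ftype} field {field}")
    return f"{op}({field},{value})"


def build_logs_url(controller, vs_id, filters=(), **options):
    """Build a logs query URL; the 'filter' option is repeated once per filter."""
    params = [("virtualservice", vs_id)]  # the only REQUIRED option
    params += [("filter", make_filter(*f)) for f in filters]
    params += sorted(options.items())
    # urlencode percent-encodes every value, so it cannot add or split options.
    return f"https://{controller}/api/analytics/logs?{urlencode(params)}"


def example_url():
    # Constructed values: controller.example and the VS ID are placeholders.
    return build_logs_url(
        "controller.example", "virtualservice-0000",
        filters=[("ge", "response_code", 500), ("sw", "uri_path", "/admin")],
        duration=3600, page_size=100, orderby="-report_timestamp",
    )
```

Because every value passes through urlencode, a filter value containing & or = stays inside its filter parameter instead of adding query options.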

Fields for L4 Logs

Field Name Field Type Supported Operators Field Description
adf Boolean eq,ne
significant Integer eq,lt,le,gt,ge,ne
significance String eq,sw,ne,co,nc
udf Boolean eq,ne
virtualservice String eq,sw,ne,co,nc
vs_ip IP Address eq,sw,ne
client_ip IP Address eq,sw,ne
client_location String eq,sw,ne,co,nc
client_src_port Integer eq,lt,le,gt,ge,ne
client_dest_port Integer eq,lt,le,gt,ge,ne
start_timestamp Integer eq,lt,le,gt,ge,ne
report_timestamp Integer eq,lt,le,gt,ge,ne
total_time Integer eq,lt,le,gt,ge,ne
connection_ended Boolean eq,ne
client_rtt Integer eq,lt,le,gt,ge,ne
mss Integer eq,lt,le,gt,ge,ne
rx_bytes Integer eq,lt,le,gt,ge,ne
tx_bytes Integer eq,lt,le,gt,ge,ne
total_bytes Integer eq,lt,le,gt,ge,ne
rx_pkts Integer eq,lt,le,gt,ge,ne
tx_pkts Integer eq,lt,le,gt,ge,ne
total_pkts Integer eq,lt,le,gt,ge,ne
out_of_orders Integer eq,lt,le,gt,ge,ne
retransmits Integer eq,lt,le,gt,ge,ne
timeouts Integer eq,lt,le,gt,ge,ne
zero_window_size_events Integer eq,lt,le,gt,ge,ne
service_engine String eq,sw,ne,co,nc
vcpu_id Integer eq,lt,le,gt,ge,ne
log_id Integer eq,lt,le,gt,ge,ne
network_security_policy_rule_name String eq,sw,ne,co,nc
pool String eq,sw,ne,co,nc
pool_name String eq,sw,ne,co,nc
server_ip IP Address eq,sw,ne
server_name String eq,sw,ne,co,nc
server_conn_src_ip IP Address eq,sw,ne
server_dest_port Integer eq,lt,le,gt,ge,ne
server_src_port Integer eq,lt,le,gt,ge,ne
server_rtt Integer eq,lt,le,gt,ge,ne
server_total_bytes Integer eq,lt,le,gt,ge,ne
server_rx_bytes Integer eq,lt,le,gt,ge,ne
server_tx_bytes Integer eq,lt,le,gt,ge,ne
server_total_pkts Integer eq,lt,le,gt,ge,ne
server_rx_pkts Integer eq,lt,le,gt,ge,ne
server_tx_pkts Integer eq,lt,le,gt,ge,ne
server_out_of_orders Integer eq,lt,le,gt,ge,ne
server_retransmits Integer eq,lt,le,gt,ge,ne
server_timeouts Integer eq,lt,le,gt,ge,ne
server_zero_window_size_events Integer eq,lt,le,gt,ge,ne
significant_log Enumeration String eq,lt,le,gt,ge,ne List of enums which indicate why a log is significant
num_transaction Integer eq,lt,le,gt,ge,ne
average_turntime Integer eq,lt,le,gt,ge,ne
num_window_shrink Integer eq,lt,le,gt,ge,ne
server_num_window_shrink Integer eq,lt,le,gt,ge,ne
num_syn_retransmit Integer eq,lt,le,gt,ge,ne
microservice String eq,sw,ne,co,nc
microservice_name String eq,sw,ne,co,nc
proxy_protocol Enumeration String eq,lt,le,gt,ge,ne Version of proxy protocol used to convey client connection information to the back-end servers. A value of 0 indicates that proxy protocol is not used. A value of 1 or 2 indicates the version of proxy protocol used.
ssl_session_id String eq,sw,ne,co,nc
ssl_version String eq,sw,ne,co,nc
ssl_cipher String eq,sw,ne,co,nc
dns_fqdn String eq,sw,ne,co,nc
dns_ips IP Address eq,sw,ne
dns_qtype Enumeration String eq,lt,le,gt,ge,ne
gslbservice String eq,sw,ne,co,nc
gslbservice_name String eq,sw,ne,co,nc
gslbpool_name String eq,sw,ne,co,nc
dns_response Message eq,lt,le,gt,ge,ne
dns_etype Enumeration String eq,lt,le,gt,ge,ne
protocol Enumeration String eq,lt,le,gt,ge,ne
dns_request Message eq,lt,le,gt,ge,ne
client_ip6 String eq,sw,ne,co,nc IPv6 address of the client.
vs_ip6 String eq,sw,ne,co,nc IPv6 address of the VIP of the VS.
server_ip6 String eq,sw,ne,co,nc IPv6 address of the Backend Server.
server_conn_src_ip6 String eq,sw,ne,co,nc IPv6 address used to connect to Backend Server.
sni_hostname String eq,sw,ne,co,nc
sip_log Message eq,lt,le,gt,ge,ne SIP related logging information
client_log_filter_name String eq,sw,ne,co,nc Name of the Client Log Filter applied
ds_log String eq,sw,ne,co,nc Datascript Log
persistence_used Boolean eq,ne Persistence applied during server selection
ocsp_status_resp_sent Boolean eq,ne OCSP Response sent in the SSL/TLS connection Handshake.

Fields for Event Logs

Field Name Field Type Supported Operators Field Description
report_timestamp Integer eq,lt,le,gt,ge,ne
obj_type Enumeration String eq,lt,le,gt,ge,ne
event_id Enumeration String eq,lt,le,gt,ge,ne
module Enumeration String eq,lt,le,gt,ge,ne
internal Enumeration String eq,lt,le,gt,ge,ne
context Enumeration String eq,lt,le,gt,ge,ne
obj_uuid String eq,sw,ne,co,nc
obj_name String eq,sw,ne,co,nc
reason_code Enumeration String eq,lt,le,gt,ge,ne Reason code for generating the event. This would be added to the alert where it would say alert generated on event with reason
event_details Message eq,lt,le,gt,ge,ne
details_summary String eq,sw,ne,co,nc Summary of event details
related_uuids String eq,sw,ne,co,nc Related objects corresponding to the events
event_description String eq,sw,ne,co,nc Event Description for each Event in the table view
event_pages String eq,sw,ne,co,nc Pages in which event should come up
ignore_event_details_display Boolean eq,ne
is_security_event Boolean eq,ne
tenant_name String eq,sw,ne,co,nc
tenant String eq,sw,ne,co,nc