Logs API

Logs can be accessed at https://CONTROLLER-IP/api/analytics/logs, which supports the query options described in detail below.

Logs Query Options

Option Description
type OPTIONAL; Type of Logs Requested; 0: Connection Logs, 1: Application Logs, 2: Event Logs; DEFAULT=Automatically detected based on the VS's app profile
virtualservice REQUIRED; Specify VS ID for scoping the results
start OPTIONAL; start time stamp in ISO8601 format; DEFAULT=zero
end OPTIONAL; end time stamp in ISO8601 format; DEFAULT=current time
duration OPTIONAL; if start time is not specified (or set to zero), this field, specified in seconds, determines the duration from end for which logs are returned; DEFAULT=zero (no limit)
page_size OPTIONAL; maximum number of records to return; DEFAULT=10
adf OPTIONAL; search logs matching Avi Defined (Significant) Filters; DEFAULT=True
udf OPTIONAL; search through logs meeting User Defined Filters; DEFAULT=False
nf OPTIONAL; search through the rest of the logs (i.e., logs that match neither ADF nor UDF); DEFAULT=False
format OPTIONAL; choose a format for the data; Options={'json','csv','txt'}; DEFAULT='json'
page OPTIONAL; For pagination support; DEFAULT=1
filter OPTIONAL; Format: OPERATOR(field,value); Can be specified multiple times; DEFAULT=None; see the Logs Filters section below for more information about filters
cols OPTIONAL; A comma separated list of fields to include in the results; When groupby is specified, sum/avg/max/min functions can be used with field names (e.g., sum(tx_bytes) in L4 case, or sum(response_length+request_length) in L7); you can order on the first custom column by specifying orderby=col0; DEFAULT=All when groupby is not specified and is sum(1) otherwise
groupby OPTIONAL; Specify a field name to group the results on; DEFAULT=None
orderby OPTIONAL; Specify a field name to sort the results on; Prepend with '-' to sort in reverse order; DEFAULT=-report_timestamp when groupby is not specified and descending order on count of items in each group (-count) when groupby is specified
step OPTIONAL; Specify step values for each groupby field results; This outputs a JSON object, by default, with counts of logs that fall in each step, along with the timestamp of the end of the step; TBD: Summarization functions for other columns; DEFAULT=0
expstep OPTIONAL; If set to true, then instead of the default linear increases by 'step', exponentially increasing steps are used; e.g., if step=2 and expstep=True, then the intervals in the responses will be of the form 0-1, 1-2, 2-4, 4-8, 8-16, and so on; DEFAULT=False
timeout OPTIONAL; Specify the timeout (in seconds) for this query; DEFAULT=5
download OPTIONAL; Boolean; If set to true, then the results in the requested format will be downloaded as a file. Also, the defaults for other options will be set as follows: format is set to CSV; timeout is set to 10 seconds; page is set to 1; page_size is set to 10000; DEFAULT=False
debug OPTIONAL; Boolean; If set to true, then extra debugging info is included in the responses; DEFAULT=False

Logs Filters

Filters are specified in OPERATOR(FIELD,VALUE) format. Depending on the type of FIELD, different operators are supported. The table below shows the operators supported for each field type; the fields and their types for each log type are listed in the Fields for HTTP Logs, Fields for L4 Logs and Fields for Event Logs sections.

Supported operators by field type

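Field Type Operator Description
String sw starts with
String nc not contains keyword
String eq ==
String ne !=
String co contains keyword
Integer gt >
Integer ge >=
Integer ne !=
Integer lt <
Integer le <=
Integer eq ==
IP Address sw starts with
IP Address eq ==
IP Address ne !=
Enumeration String gt >
Enumeration String ge >=
Enumeration String ne !=
Enumeration String lt <
Enumeration String le <=
Enumeration String eq ==
Boolean eq ==
Boolean ne !=
Message gt >
Message ge >=
Message ne !=
Message lt <
Message le <=
Message eq ==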

Fields for HTTP Logs

Field Name Field Type Supported Operators Field Description
adf Boolean eq,ne
significant Integer gt,ge,ne,lt,le,eq
significance String sw,nc,eq,ne,co
udf Boolean eq,ne
virtualservice String sw,nc,eq,ne,co
report_timestamp Integer gt,ge,ne,lt,le,eq
service_engine String sw,nc,eq,ne,co
vcpu_id Integer gt,ge,ne,lt,le,eq
log_id Integer gt,ge,ne,lt,le,eq
client_ip IP Address sw,eq,ne
client_location String sw,nc,eq,ne,co
client_src_port Integer gt,ge,ne,lt,le,eq
client_dest_port Integer gt,ge,ne,lt,le,eq
client_rtt Integer gt,ge,ne,lt,le,eq
ssl_session_id String sw,nc,eq,ne,co
ssl_version String sw,nc,eq,ne,co
ssl_cipher String sw,nc,eq,ne,co
http_version String sw,nc,eq,ne,co
method String sw,nc,eq,ne,co
uri_path String sw,nc,eq,ne,co
rewritten_uri_path String sw,nc,eq,ne,co
uri_query String sw,nc,eq,ne,co
rewritten_uri_query String sw,nc,eq,ne,co
redirected_uri String sw,nc,eq,ne,co
server_side_redirect_uri String sw,nc,eq,ne,co
referer String sw,nc,eq,ne,co
user_agent String sw,nc,eq,ne,co
client_device String sw,nc,eq,ne,co
client_browser String sw,nc,eq,ne,co
client_os String sw,nc,eq,ne,co
xff String sw,nc,eq,ne,co
persistence_used Boolean eq,ne
host String sw,nc,eq,ne,co
etag String sw,nc,eq,ne,co
persistent_session_id Integer gt,ge,ne,lt,le,eq
request_content_type String sw,nc,eq,ne,co
response_content_type String sw,nc,eq,ne,co
request_length Integer gt,ge,ne,lt,le,eq
cache_hit Boolean eq,ne
cacheable Boolean eq,ne
network_security_policy_rule_name String sw,nc,eq,ne,co
http_security_policy_rule_name String sw,nc,eq,ne,co
http_request_policy_rule_name String sw,nc,eq,ne,co
http_response_policy_rule_name String sw,nc,eq,ne,co
pool String sw,nc,eq,ne,co
pool_name String sw,nc,eq,ne,co
server_ip IP Address sw,eq,ne
server_name String sw,nc,eq,ne,co
server_conn_src_ip IP Address sw,eq,ne
server_dest_port Integer gt,ge,ne,lt,le,eq
server_src_port Integer gt,ge,ne,lt,le,eq
server_rtt Integer gt,ge,ne,lt,le,eq
server_response_length Integer gt,ge,ne,lt,le,eq
server_response_code Integer gt,ge,ne,lt,le,eq
server_response_time_first_byte Integer gt,ge,ne,lt,le,eq
server_response_time_last_byte Integer gt,ge,ne,lt,le,eq
app_response_time Integer gt,ge,ne,lt,le,eq
data_transfer_time Integer gt,ge,ne,lt,le,eq
total_time Integer gt,ge,ne,lt,le,eq
response_length Integer gt,ge,ne,lt,le,eq
response_code Integer gt,ge,ne,lt,le,eq
response_time_first_byte Integer gt,ge,ne,lt,le,eq
response_time_last_byte Integer gt,ge,ne,lt,le,eq
compression_percentage Integer gt,ge,ne,lt,le,eq
compression Enumeration String gt,ge,ne,lt,le,eq
client_insights Enumeration String gt,ge,ne,lt,le,eq
connection_error_info Message gt,ge,ne,lt,le,eq
spdy_version String sw,nc,eq,ne,co
request_headers Integer gt,ge,ne,lt,le,eq
response_headers Integer gt,ge,ne,lt,le,eq
request_state Enumeration String gt,ge,ne,lt,le,eq
datascript_error_trace Message gt,ge,ne,lt,le,eq
all_request_headers String sw,nc,eq,ne,co
all_response_headers String sw,nc,eq,ne,co
user_id String sw,nc,eq,ne,co
significant_log Enumeration String gt,ge,ne,lt,le,eq List of enums which indicate why a log is significant
datascript_log String sw,nc,eq,ne,co Log created by the invocations of the DataScript api avi.vs.log()
microservice String sw,nc,eq,ne,co
microservice_name String sw,nc,eq,ne,co
headers_sent_to_server String sw,nc,eq,ne,co Request headers sent to backend server
headers_received_from_server String sw,nc,eq,ne,co Response headers received from backend server
server_ssl_session_id String sw,nc,eq,ne,co SSL session id for the backend connection.
server_connection_reused Boolean eq,ne Flag to indicate if connection from the connection pool was reused
server_ssl_session_reused Boolean eq,ne Flag to indicate if SSL session was reused.
vs_ip IP Address sw,eq,ne
body_updated Enumeration String gt,ge,ne,lt,le,eq
waf_log Message gt,ge,ne,lt,le,eq Presence of waf_log indicates that at least 1 WAF rule was hit for the transaction
request_id Integer gt,ge,ne,lt,le,eq Unique HTTP Request ID
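
Added example (not part of the original documentation): building a Logs API query URL in Python and checking each filter's operator against the field's type, using the option names, operator table and HTTP field types listed above. The controller host name and virtual service ID are placeholders, only a handful of the HTTP log fields are included, and authentication is out of scope because this page does not describe it.

```python
from urllib.parse import urlencode

# Operators allowed per field type ("Supported operators by field type").
COMPARE = {"gt", "ge", "ne", "lt", "le", "eq"}
OPERATORS = {
    "String": {"sw", "nc", "eq", "ne", "co"},
    "Integer": COMPARE,
    "IP Address": {"sw", "eq", "ne"},
    "Enumeration String": COMPARE,
    "Boolean": {"eq", "ne"},
    "Message": COMPARE,
}
# A few HTTP log fields and their types, copied from "Fields for HTTP Logs".
HTTP_FIELDS = {
    "client_ip": "IP Address", "response_code": "Integer",
    "uri_path": "String", "method": "String", "user_agent": "String",
    "cache_hit": "Boolean", "waf_log": "Message",
}
# Option names from "Logs Query Options"; virtualservice and filter are
# handled separately below.
OPTIONS = {"type", "start", "end", "duration", "page_size", "adf", "udf", "nf",
           "format", "page", "cols", "groupby", "orderby", "step", "expstep",
           "timeout", "download", "debug"}

def make_filter(op, field, value, fields=HTTP_FIELDS):
    """Return OPERATOR(field,value), rejecting operators the field type lacks."""
    ftype = fields.get(field)
    if ftype is None:
        raise ValueError(f"unknown field: {field}")
    if op not in OPERATORS[ftype]:
        raise ValueError(f"{op} is not supported for {ftype} field {field}")
    return f"{op}({field},{value})"

def build_logs_url(controller, vs_id, filters=(), **options):
    """Build the query URL; each filter becomes its own 'filter' parameter."""
    unknown = set(options) - OPTIONS
    if unknown:
        raise ValueError(f"unknown options: {sorted(unknown)}")
    params = [("virtualservice", vs_id)] + list(options.items())
    params += [("filter", make_filter(*f)) for f in filters]
    return f"https://{controller}/api/analytics/logs?" + urlencode(params)

if __name__ == "__main__":
    # Constructed sample: client IPs producing 5xx responses in the last hour,
    # grouped by client_ip (type=1 selects Application Logs).
    print(build_logs_url("controller.example.test", "virtualservice-PLACEHOLDER",
                         filters=[("ge", "response_code", 500)],
                         type=1, duration=3600, groupby="client_ip"))
```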

Fields for L4 Logs

Field Name Field Type Supported Operators Field Description
adf Boolean eq,ne
significant Integer gt,ge,ne,lt,le,eq
significance String sw,nc,eq,ne,co
udf Boolean eq,ne
virtualservice String sw,nc,eq,ne,co
vs_ip IP Address sw,eq,ne
client_ip IP Address sw,eq,ne
client_location String sw,nc,eq,ne,co
client_src_port Integer gt,ge,ne,lt,le,eq
client_dest_port Integer gt,ge,ne,lt,le,eq
start_timestamp Integer gt,ge,ne,lt,le,eq
report_timestamp Integer gt,ge,ne,lt,le,eq
total_time Integer gt,ge,ne,lt,le,eq
connection_ended Boolean eq,ne
client_rtt Integer gt,ge,ne,lt,le,eq
mss Integer gt,ge,ne,lt,le,eq
rx_bytes Integer gt,ge,ne,lt,le,eq
tx_bytes Integer gt,ge,ne,lt,le,eq
total_bytes Integer gt,ge,ne,lt,le,eq
rx_pkts Integer gt,ge,ne,lt,le,eq
tx_pkts Integer gt,ge,ne,lt,le,eq
total_pkts Integer gt,ge,ne,lt,le,eq
out_of_orders Integer gt,ge,ne,lt,le,eq
retransmits Integer gt,ge,ne,lt,le,eq
timeouts Integer gt,ge,ne,lt,le,eq
zero_window_size_events Integer gt,ge,ne,lt,le,eq
service_engine String sw,nc,eq,ne,co
vcpu_id Integer gt,ge,ne,lt,le,eq
log_id Integer gt,ge,ne,lt,le,eq
network_security_policy_rule_name String sw,nc,eq,ne,co
pool String sw,nc,eq,ne,co
pool_name String sw,nc,eq,ne,co
server_ip IP Address sw,eq,ne
server_name String sw,nc,eq,ne,co
server_conn_src_ip IP Address sw,eq,ne
server_dest_port Integer gt,ge,ne,lt,le,eq
server_src_port Integer gt,ge,ne,lt,le,eq
server_rtt Integer gt,ge,ne,lt,le,eq
server_total_bytes Integer gt,ge,ne,lt,le,eq
server_rx_bytes Integer gt,ge,ne,lt,le,eq
server_tx_bytes Integer gt,ge,ne,lt,le,eq
server_total_pkts Integer gt,ge,ne,lt,le,eq
server_rx_pkts Integer gt,ge,ne,lt,le,eq
server_tx_pkts Integer gt,ge,ne,lt,le,eq
server_out_of_orders Integer gt,ge,ne,lt,le,eq
server_retransmits Integer gt,ge,ne,lt,le,eq
server_timeouts Integer gt,ge,ne,lt,le,eq
server_zero_window_size_events Integer gt,ge,ne,lt,le,eq
significant_log Enumeration String gt,ge,ne,lt,le,eq List of enums which indicate why a log is significant
num_transaction Integer gt,ge,ne,lt,le,eq
average_turntime Integer gt,ge,ne,lt,le,eq
num_window_shrink Integer gt,ge,ne,lt,le,eq
server_num_window_shrink Integer gt,ge,ne,lt,le,eq
num_syn_retransmit Integer gt,ge,ne,lt,le,eq
microservice String sw,nc,eq,ne,co
microservice_name String sw,nc,eq,ne,co
proxy_protocol Enumeration String gt,ge,ne,lt,le,eq Version of proxy protocol used to convey client connection information to the back-end servers. A value of 0 indicates that proxy protocol is not used. A value of 1 or 2 indicates the version of proxy protocol used.
ssl_session_id String sw,nc,eq,ne,co
ssl_version String sw,nc,eq,ne,co
ssl_cipher String sw,nc,eq,ne,co
dns_fqdn String sw,nc,eq,ne,co
dns_ips IP Address sw,eq,ne
dns_qtype Enumeration String gt,ge,ne,lt,le,eq
gslbservice String sw,nc,eq,ne,co
gslbservice_name String sw,nc,eq,ne,co
gslbpool_name String sw,nc,eq,ne,co
dns_response Message gt,ge,ne,lt,le,eq
dns_etype Enumeration String gt,ge,ne,lt,le,eq
protocol Enumeration String gt,ge,ne,lt,le,eq
dns_request Message gt,ge,ne,lt,le,eq

Fields for Event Logs

Field Name Field Type Supported Operators Field Description
report_timestamp Integer gt,ge,ne,lt,le,eq
obj_type Enumeration String gt,ge,ne,lt,le,eq
event_id Enumeration String gt,ge,ne,lt,le,eq
module Enumeration String gt,ge,ne,lt,le,eq
internal Enumeration String gt,ge,ne,lt,le,eq
context Enumeration String gt,ge,ne,lt,le,eq
obj_uuid String sw,nc,eq,ne,co
obj_name String sw,nc,eq,ne,co
reason_code Enumeration String gt,ge,ne,lt,le,eq Reason code for generating the event. This would be added to the alert where it would say alert generated on event with reason
event_details Message gt,ge,ne,lt,le,eq
details_summary String sw,nc,eq,ne,co Summary of event details
related_uuids String sw,nc,eq,ne,co related objects corresponding to the events
event_description String sw,nc,eq,ne,co Event Description for each Event in the table view
event_pages String sw,nc,eq,ne,co Pages in which event should come up
ignore_event_details_display Boolean eq,ne
is_security_event Boolean eq,ne
tenant_name String sw,nc,eq,ne,co
tenant String sw,nc,eq,ne,co