Real-Time Events
Preview
Real-Time Events is an Observe product that provides raw data, logs, from other Azion products in real time.
A set of preorganized variables are available to execute queries manually using different data sources. This allows you to get extensive, detailed information on behaviors, occurrences, and performance of your applications through logs.
You can use Real-Time Events to:
- Perform complex searches.
- Inspect possible attacks.
- Perform debugging investigations.
- Analyze application’s performance.
- Analyze applications and platform savings.
- Increase reliability of your data.
- Decrease problem-solving time.
- Improve content delivery based on actual data.
Implementation
| Task | Guide |
|---|---|
| See first steps | Real-Time Events first steps |
Events storage
Real-Time Events stores events logs from the last 168 hours, equivalent to 7 days. You’re able to query detailed data during that period.
The Activity History data source stores logs from the last 2 years.
Data sources
Data Source represents the Azion product or service that generated the events you’ll query for. When submitting a query, the data source represents the index from where you want to collect data.
Selecting a data source tab is mandatory. You can choose between:
- HTTP Requests
- Edge Functions
- Edge Functions Console
- Image Processor
- Tiered Cache
- Edge DNS
- Data Stream
- Activity History
Each data source has a specific set of available variables, representing the specific information you can receive in your query. See each data source’s prerequisites and variables and their description next.
HTTP Requests
Requires:
Displays the event records from requests made to your edge applications and Edge Firewall instances.
| Variable | Description |
|---|---|
| Bytes Sent | Number of bytes sent to a client. This field is the result of a sum. Example: 191 |
| Debug Log | Value of any variable from the request set through a new Rules Engine behavior. Example: {\\\"idHash\\\":\\\"pQ04xXYD4JSYyOERu3mcwA==\\\",\\\"type\\\":\\\"product_screen_element_element_action\\\",\\\"message\\\":{\\\"event\\\":\\\"product_screen_element_element_action\\\",\\\"action\\\":\\\"value\\\",\\\"product\\\":\\\"value\\\",\\\"screen\\\":\\\"value\\\",\\\"element\\\":\\\"value\\\"},\\\"date\\\":\\\"2023-10-27T19:44:57.251Z\\\"}" |
| Geoloc ASN | Autonomous System Number (ASN) Allocation queried from the MaxMind table. Example: AS52580 Azion Technologies Ltda. |
| Geoloc Country Name | Remote client’s country detected via IP address geolocation. Example: United States, Russian Federation |
| Geoloc Region Name | Remote client’s region detected via IP address geolocation. Example: California, Rio Grande do Sul |
| Host | Host information sent on the request line. Stores: host name from the request line, or host name from the Host request header field, or the server name matching a request. Example: g1sdetynmxe0ao.map.azionedge.net |
| HTTP Referer | Address of the page the user made the request from. Example: https://example.com |
| HTTP User Agent | End user’s application, operating system, vendor, and/or version. Value of the User-Agent header. Example: Mozilla/5.0 (Windows NT 10.0; Win64; x64) |
| Request Length | Request length in bytes, including request line, headers, and body. This field is the result of a sum. Example: 167 |
| Request Method | HTTP request method. Example: GET or POST |
| Request Time | Request processing time, in seconds, since the first bytes were read from the client. This field is the result of a sum. Example: 0.234 |
| Request Uri | URI of the request made by the end user, without the host and protocol information and with arguments. Example: /v1?v=bo%20dim |
| Remote Address | IP address of the origin that generated the request. Example: 127.0.0.1 |
| Remote Port | Port of the origin that generated the request. Example: 8080 |
| Scheme | Request scheme. Example: HTTP or HTTPS |
| Server Protocol | Version of the request protocol. Example: HTTP/1.1, HTTP/2.0, HTTP/3.0 |
| Sent HTTP Content Type | Content-Type header sent in the origin’s response. Example: text/html; charset=UTF-8 |
| SSL Cipher | Cipher string used to establish TLS connection. Example: TLS_AES_256_GCM_SHA384 |
| SSL Protocol | Protocol for an established TLS connection. Example: TLS v1.2 |
| Stack Trace | Provides the names of the Rules Engine from your edge application or your edge firewall that are run by the request. Example: {\\\"edge_firewall\\\":[\\\"Global - Set WAF\\\"]} |
| Status | HTTP status code of the request. Example: 200 |
| Upstream Addr | Client’s IP address and port. Can also store multiple servers or server groups. Example: 192.168.1.1:80. When the response is 127.0.0.1:1666, the upstream is Azion Cells Runtime. |
| Upstream Bytes Received | Number of bytes received from the origin by the edge if the content isn’t cached. Example: 8304 |
| Upstream Bytes Sent | Number of bytes sent to the origin. Example: 2733 |
| Upstream Cache Status | Status of the local edge cache. Can be: MISS, BYPASS, EXPIRED, STALE, UPDATING, REVALIDATED, HIT, or - |
| Upstream Response Time | Time it takes for the edge to receive a default response from the origin in seconds, including headers and body. Example: 0.876. In case of cache, the response is - |
| Upstream Status | HTTP status code of the origin. If a server can’t be selected, the variable keeps the 502 (Bad Gateway) status code. Example: 200. In case of cache, the response is - |
| Waf Block | Informs whether WAF blocked the action or not. 0 when action wasn’t blocked; 1 when action was blocked. When in Learning Mode, it won’t be blocked regardless of the return. |
| Waf Ev Headers | When the request headers sent by the user are analyzed by the WAF module and tagged as blocked with $waf_block = 1, it contains a base64 encoded string. Otherwise, it contains a dash character -. It applies to both WAF Learning or Blocking modes. |
| Waf Learning | Informs if WAF is in Learning mode. Returns 0 if it isn’t and 1 if it is. |
| Waf Match | List of infractions found in the end user’s request. It’s formed by key-value elements: the key refers to the type of violation detected; the value shows the string that generated the infraction. Example: 0:1402:HEADERS:cookie |
| Waf Score | Reports the score that will be increased in case of a match with the rules set for the WAF. Can be SQL, XSS, TRAVERSAL or RFI. |
| Waf Total Blocked | Total number of blocked requests. Example: 2 |
| Waf Total Processed | Total number of processed requests. Example: 5 |
The Stack Trace variable can be used if you have the Debug Rules feature activated in your application. Find out more on How to debug rules created with Rules Engine.
Edge Functions
Requires:
Displays the event records of requests made to your edge functions.
| Variable | Description |
|---|---|
| Configuration ID | Unique Azion configuration identifier set on virtual host configuration file. Example: 1595368520 |
| Edge Functions Instance ID List | List of edge functions instances that were invoked during the request. Example: 10728 |
| Edge Functions Initiator Type List | List of initiators used in the function separated by ;. Can be 1 (Edge Application) or 2 (Edge Firewall). |
| Edge Functions List | List of edge functions that were invocated during the request, in order. The order begins from left to right, meaning functions on the left were invocated first. Example: 3324;43 |
| Edge Functions Solution ID | Identifier of your edge function. Example: 1321 |
| Edge Functions Time | Total execution time, in seconds, for the function during its processing. This field is the result of a sum. Example: 0.021 |
| Function Language | Language used in the function. Example: javascript |
| Virtual Host ID | Unique ID available on Azion Real-Time Manager. Set on virtual host configuration file. Example: 2410001a |
Edge Functions Console
Displays the event records from edge applications using Azion Runtime returned by Cells Console.
| Variable | Description |
|---|---|
| Configuration ID | Unique Azion configuration identifier set on virtual host configuration file. Example: 1595368520 |
| Function ID | Unique Azion function identifier number. Can be found on Real-Time Manager’s function URL path or via API request. Example: 1111 |
| ID | Request identifier. Aggregates multiple messages from a single request. Example: 240g95f04832f2872dd6e8ae308e8a73 |
| Level | Message with the level type for the function. Can be MDN, DEBUG, INFO, ERROR, LOG, or WARN |
| Line | Log message generated by the Cells platform. Example: at async mainFetch (ext:deno_fetch/26_fetch.js:266:12) |
| Line Source | Log message category. Example: CONSOLE, RUNTIME |
| Solution ID | Unique Azion ID set on virtual host configuration file for the solution. Example: 1441740010 |
Image Processor
Requires:
Displays the event records of requests made to edge applications using Image Processor.
| Variable | Description |
|---|---|
| Bytes Sent | Number of bytes sent to a client. This field is the result of a sum. Example: 191 |
| Configuration ID | Unique Azion configuration identifier set on virtual host configuration file. Example: 1595368520 |
| Host | Host information sent on the request line. Stores: host name from the request line, or host name from the Host request header field, or the server name matching a request. Example: g1sdetynmxe0ao.map.azionedge.net |
| HTTP Referer | Address of the page the user made the request from. Example: https://example.com |
| HTTP User Agent | End user’s application, operating system, vendor, and/or version. Value of the User-Agent header. Example: Mozilla/5.0 (Windows NT 10.0; Win64; x64) |
| Reference Error | Reference ID of the request. Generated when the status code is bigger than 400. Example: #AECFE66100000000C947B9B3B3BFBE46FFFFFFFF9401 |
| Remote Addr | IP address of the origin that generated the request. Example: 127.0.0.1 |
| Remote Port | Port of the origin that generated the request. Example: 8080 |
| Request Method | HTTP request method. Example: GET or POST |
| Request Time | Request processing time, in seconds, since the first bytes were read from the client. This field is the result of a sum. Example: 0.234 |
| Request Uri | URI of the request made by the end user, without the host and protocol information and with arguments. Example: /v1?v=bo%20dim |
| Scheme | Request scheme. Example: HTTP or HTTPS |
| Solution | Identifier of your edge application. Example: 1321 |
| SSL Cipher | Cipher string used to establish TLS connection. Example: TLS_AES_256_GCM_SHA384 |
| SSL Protocol | Protocol for an established TLS connection. Example: TLS v1.2 |
| SSL Session Reused | Returns r if an SSL session was reused or . if it wasn’t. |
| Status | HTTP status code of the request. Example: 200 |
| TCP Info RTT | Round-Trip Time (RTT) in microseconds measured by the edge for the user. Available on systems that support the TCP_INFO socket option. Example: 72052 |
| Upstream Cache Status | Status of the local edge cache. Can be: MISS, BYPASS, EXPIRED, STALE, UPDATING, REVALIDATED, HIT, or - |
| Upstream Response Time | Time it takes for the edge to receive a default response from the origin in seconds, including headers and body. This field is the result of a sum. Example: 0.876. In case of cache, the response is - |
| Upstream Status | HTTP status code of the origin. If a server can’t be selected, the variable keeps the 502 (Bad Gateway) status code. Example: 200. In case of cache, the response is -. |
Tiered Cache
Requires:
Displays the event records of requests made to edge applications using Tiered Cache.
| Variable | Description |
|---|---|
| Bytes Sent | Number of bytes sent to a client. This field is the result of a sum. Example: 191 |
| Cache Key | The stored object cache identification key for the content requested by a client. Example: /index.html |
| Cache TTL | Time, in seconds, the cached object is considered valid (not expired). After the time expiration, when a new request occurs, Tiered Cache queries the data on the origin (upstream). Example: 31536000 |
| Configuration ID | Unique Azion configuration identifier set on virtual host configuration file. Example: 1595368520 |
| Host | Host information sent on the request line. Stores: host name from the request line, or host name from the Host request header field, or the server name matching a request. Example: g1sdetynmxe0ao.map.azionedge.net |
| Proxy Host | Hostname being proxied. Example: storage.googleapis.com:443 |
| Proxy Status | HTTP error status code or origin when no response is obtained from the upstream. Example: 520. In case of cache, the response is -. |
| Proxy Upstream | Origin (upstream) address. In some cases, the Tiered Cache origin can be Image Processor (IMS) to process the image and then cache it. Example: ims_http |
| Reference Error | Reference ID of the request. Generated when the status code is 4xx or 5xx. Example: #AECFE66100000000C947B9B3B3BFBE46FFFFFFFF9401 |
| Remote Addr | IP address of the origin that generated the request. Example: 127.0.0.1 |
| Remote Port | Port of the origin that generated the request. Example: 8080 |
| Request Length | Request length, including request line, headers, and body. This field is the result of a sum. Example: 167 |
| Request Method | HTTP request method. Example: GET or POST |
| Request Time | Request processing time, in seconds, since the first bytes were read from the client. This field is the result of a sum. Example: 0.234 |
| Request Uri | URI of the request made by the end user, without the host and protocol information and with arguments. Example: /v1?v=bo%20dim |
| Scheme | Request scheme. Example: HTTP or HTTPS |
| Sent HTTP Content Type | Content-Type header sent in the origin’s response. Example: text/html; charset=UTF-8 |
| Server Protocol | Request protocol. Example: HTTP/1.1, HTTP/2.0, HTTP/3.0 |
| Solution | Identifier of your edge application. Example: 1321 |
| Status | HTTP status code of the request. Example: 200 |
| TCP info RTT | Round-Trip Time (RTT) in microseconds measured by the edge for the user. Available on systems that support the TCP_INFO socket option. Example: 72052 |
| Upstream Bytes Received | Number of bytes received by the origin’s edge if the content isn’t cached. Example: 8304 |
| Upstream Cache Status | Status of the local edge cache. Can be: MISS, BYPASS, EXPIRED, STALE, UPDATING, REVALIDATED, HIT, or - |
| Upstream Connect Time | Time it takes for the edge to establish a connection with the origin, in seconds. In the case of TLS, it includes time spent on handshake. Example: 0.123. Returns 0 for KeepAlive and - for cache |
| Upstream Header Time | Time it takes for the edge to receive the response header from the origin, in seconds. Example: 0.345. In case of cache, the response is - |
| Upstream Response Time | Time it takes for the edge to receive a default response from the origin in seconds, including headers and body. Example: 0.876. In case of cache, the response is - |
| Upstream Status | HTTP status code of the origin. If a server can’t be selected, the variable keeps the 502 (Bad Gateway) status code. Example: 200. In case of cache, the response is -. |
Edge DNS
Requires:
Displays the event records of queries made to Edge DNS.
| Variable | Description |
|---|---|
| Level | Level of the log generator: ERROR, WARN, INFO, DEBUG, or TRACE |
| Q Type | Definition of the type of record that’ll be used. Example: PTR, A, AAAA, HTTPS, NS, SRV |
| Resolution Type | Method types used to resolve hosts. Example: standard |
| Status Code | HTTP status code of the request. Example: 200 |
| Solution ID | Identifier of your Edge DNS instance. Example: 1321 |
| UUID | Unique request identifier. Example: b204b8c3-e463-4c3d-af3d-025703a4 |
| Zone ID | Unique identifier of the Edge DNS zone. Example: 1340 |
Data Stream
Requires:
Displays the event records of data sent to endpoints using Data Stream.
| Variable | Description |
|---|---|
| Configuration ID | Unique Azion configuration identifier set on virtual host configuration file. Example: 1595368520 |
| Data Streamed | Total amount of data streamed, in bytes, to the configured endpoint. This field is the result of a sum. Example: 1270 |
| Endpoint Type | Type of endpoint used in the configured Data Stream. Can be: HTTP_POST, S3, ELASTICSEARCH, QRADAR, AWS_KINESIS_FIREHOSE, KAFKA, DATADOG, BIG_QUERY, SPLUNK, AZURE_MONITOR, AZURE_BLOB_STORAGE |
| Job Name | Unique Azion identifier for the type of stream created. Example: Data Stream HTTP, Data Stream WAF |
| Status Code | HTTP status code of the request. Example: 200 |
| Streamed Lines | Total amount of lines streamed to the configured endpoint. Maximum value of 2000. This field is the result of a sum. Example: 837 |
| URL | The URL to which the client data was sent/sink. Example for a HTTP POST endpoint: https://log-receiver.azion.com:9200 |
Activity History
Displays the event records of activies performed on an account on Azion Console registered by Activity History. Use the Real-Time Events GraphQL API to query up to 2 years of logs.
| Variable | Description |
|---|---|
| Account ID | Account’s identifier on Azion. Example: 8437 |
| Author Email | Email address of the Console user who performed the action. Example: myemail@gmail.com |
| Author Name | Name of the Console user who performed the action. Example: Hannah |
| Comment | Editable space available for users to add comments when performing changes. Example: Action performed during investigation |
| Referer Header | Header Referer from the page from which the API was called. Returns when the API call is made from an UI. Example: Test 123 |
| Remote Port | Port of the origin that generated the request. Example: 80 |
| Resource ID | Unique identifier of the resource that was created or modified. Example: 8190 |
| Resource Type | Identifier of the resource that was created or modified. Example: edge_application |
| Request Data | Data received on the payload of the request generated by the user. Example: {"test": 123} |
| Title | Title of the activity, composed of: model name, name, and type of activity. Example: Pathorigin Default Origin was changed |
| Type | Type of performed action on Real-Time Manager: CREATED, CHANGED, DELETED, or SIGNED UP |
| User Agent | Header User-Agent sent in the request. Example: curl 1.2.6 |
| User ID | Unique identifier of the user that executed the action. Example: 999 |
| User IP | IP address of the user/origin that generated the request. Example: 127.0.0.1 |
Date time picker
The Time filter allows you to refine the period for the events record search result. It’s selected by default for Last 15 minutes.
You can filter by:
- Last 15 minutes
- Last 1 hour
- Last 3 hours
- Last 6 hours
- Last 12 hours
- Last day
- Last 2 days
- Last 3 days
- Las 5 days
- Last 7 days
- Custom time range
By using the Custom time range option, you can customize your search by selecting a date and time range during the last 168 hours.
You can change the time range as many times as you want to investigate your logs.
Data exhibition
After you complete the filters and search for results, your logs will appear in a table. You can select an item to open the More details view, containing all variables of that data source.
Each variable is a different log, which equals to a different action performed by the edge. The information shown varies according to the specifics of each variable.
Limits
These are the default limits:
| Scope | Limit |
|---|---|
| Log retention | 7 days |
| Available in | Up to 3 minutes |
| GraphQL API data transferred | 10,000 lines |
| GraphQL API maximum fields | 10 fields |
| GraphQL API maximum payload | 5 GB |
| GraphQL API queries | 120 requests per minute |
Contributors
