Real⁠-⁠Time Events

Preview

Real-Time Events is an Observe product that provides raw data, logs, from other Azion products in real time.

A set of preorganized variables are available to execute queries manually using different data sources. This allows you to get extensive, detailed information on behaviors, occurrences, and performance of your applications through logs.

You can use Real-Time Events to:

  • Perform complex searches.
  • Inspect possible attacks.
  • Perform debugging investigations.
  • Analyze application’s performance.
  • Analyze applications and platform savings.
  • Increase reliability of your data.
  • Decrease problem-solving time.
  • Improve content delivery based on actual data.
TaskGuide
See first stepsReal-Time Events first steps

Real-Time Events stores events logs from the last 168 hours, equivalent to 7 days. You’re able to query detailed data during that period.

The Activity History data source stores logs from the last 2 years.


Data Source represents the Azion product or service that generated the events you’ll query for. When submitting a query, the data source represents the index from where you want to collect data.

Selecting a data source tab is mandatory. You can choose between:

  • HTTP Requests
  • Edge Functions
  • Edge Functions Console
  • Image Processor
  • Tiered Cache
  • Edge DNS
  • Data Stream
  • Activity History

Each data source has a specific set of available variables, representing the specific information you can receive in your query. See each data source’s prerequisites and variables and their description next.

Requires: Edge Application Edge Firewall Web Application Firewall

Displays the event records from requests made to your edge applications and Edge Firewall instances.

VariableDescription
Bytes SentNumber of bytes sent to a client. This field is the result of a sum. Example: 191
Debug LogValue of any variable from the request set through a new Rules Engine behavior. Example: {\\\"idHash\\\":\\\"pQ04xXYD4JSYyOERu3mcwA==\\\",\\\"type\\\":\\\"product_screen_element_element_action\\\",\\\"message\\\":{\\\"event\\\":\\\"product_screen_element_element_action\\\",\\\"action\\\":\\\"value\\\",\\\"product\\\":\\\"value\\\",\\\"screen\\\":\\\"value\\\",\\\"element\\\":\\\"value\\\"},\\\"date\\\":\\\"2023-10-27T19:44:57.251Z\\\"}"
Geoloc ASNAutonomous System Number (ASN) Allocation queried from the MaxMind table. Example: AS52580 Azion Technologies Ltda.
Geoloc Country NameRemote client’s country detected via IP address geolocation. Example: United States, Russian Federation
Geoloc Region NameRemote client’s region detected via IP address geolocation. Example: California, Rio Grande do Sul
HostHost information sent on the request line. Stores: host name from the request line, or host name from the Host request header field, or the server name matching a request. Example: g1sdetynmxe0ao.map.azionedge.net
HTTP RefererAddress of the page the user made the request from. Example: https://example.com
HTTP User AgentEnd user’s application, operating system, vendor, and/or version. Value of the User-Agent header. Example: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Request LengthRequest length in bytes, including request line, headers, and body. This field is the result of a sum. Example: 167
Request MethodHTTP request method. Example: GET or POST
Request TimeRequest processing time elapsed since the first bytes were read from the client with resolution in milliseconds. This field is the result of a sum. Example: 1.19
Request UriURI of the request made by the end user, without the host and protocol information and with arguments. Example: /v1?v=bo%20dim
Remote AddressIP address of the origin that generated the request. Example: 127.0.0.1
Remote PortPort of the origin that generated the request. Example: 8080
SchemeRequest scheme. Example: HTTP or HTTPS
Server ProtocolVersion of the request protocol. Example: HTTP/1.1, HTTP/2.0, HTTP/3.0
Sent HTTP Content TypeContent-Type header sent in the origin’s response. Example: text/html; charset=UTF-8
SSL CipherCipher string used to establish TLS connection. Example: TLS_AES_256_GCM_SHA384
SSL ProtocolProtocol for an established TLS connection. Example: TLS v1.2
Stack TraceProvides the names of the Rules Engine from your edge application or your edge firewall that are run by the request. Example: {\\\"edge_firewall\\\":[\\\"Global - Set WAF\\\"]}
StatusHTTP status code of the request. Example: 200
Upstream AddrClient’s IP address and port. Can also store multiple servers or server groups. Example: 192.168.1.1:80. When the response is 127.0.0.1:1666, the upstream is Azion Cells Runtime.
Upstream Bytes ReceivedNumber of bytes received from the origin by the edge if the content isn’t cached. Example: 8304
Upstream Bytes SentNumber of bytes sent to the origin. Example: 2733
Upstream Cache StatusStatus of the local edge cache. Can be: MISS, BYPASS, EXPIRED, STALE, UPDATING, REVALIDATED, HIT, or -
Upstream Response TimeTime it takes for the edge to receive a default response from the origin in milliseconds, including headers and body. Example: 0.876. In case of cache, the response is -.
Upstream StatusHTTP status code of the origin. If a server can’t be selected, the variable keeps the 502 (Bad Gateway) status code. Example: 200. In case of cache, the response is -.
Waf BlockInforms whether WAF blocked the action or not. 0 when action wasn’t blocked; 1 when action was blocked. When in Learning Mode, it won’t be blocked regardless of the return.
Waf Ev HeadersWhen the request headers sent by the user are analyzed by the WAF module and tagged as blocked with $waf_block = 1, it contains a base64 encoded string. Otherwise, it contains a dash character -. It applies to both WAF Learning or Blocking modes.
Waf LearningInforms if WAF is in Learning mode. Returns 0 if it isn’t and 1 if it is.
Waf MatchList of infractions found in the end user’s request. It’s formed by key-value elements: the key refers to the type of violation detected; the value shows the string that generated the infraction. Example: 0:1402:HEADERS:cookie
Waf ScoreReports the score that will be increased in case of a match with the rules set for the WAF. Can be SQL, XSS, TRAVERSAL or RFI.
Waf Total BlockedTotal number of blocked requests. Example: 2
Waf Total ProcessedTotal number of processed requests. Example: 5

The Stack Trace variable can be used if you have the Debug Rules feature activated in your application. Find out more on How to debug rules created with Rules Engine.


Requires: Edge Functions

Displays the event records of requests made to your edge functions.

VariableDescription
Configuration IDUnique Azion configuration identifier set on virtual host configuration file. Example: 1595368520
Edge Functions Instance ID ListList of edge functions instances that were invoked during the request. Example: 10728
Edge Functions Initiator Type ListList of initiators used in the function separated by ;. Can be 1 (Edge Application) or 2 (Edge Firewall).
Edge Functions ListList of edge functions that were invocated during the request, in order. The order begins from left to right, meaning functions on the left were invocated first. Example: 3324;43
Edge Functions Solution IDIdentifier of your edge function. Example: 1321
Edge Functions TimeTotal execution time, in milliseconds, for the function during its processing. This field is the result of a sum. Example: 0.021
Function LanguageLanguage used in the function. Example: javascript
Virtual Host IDUnique ID available on Azion Real-Time Manager. Set on virtual host configuration file. Example: 2410001a

Displays the event records from edge applications using Edge Runtime returned by Cells Console.

VariableDescription
Configuration IDUnique Azion configuration identifier set on virtual host configuration file. Example: 1595368520
Function IDUnique Azion function identifier number. Can be found on Real-Time Manager’s function URL path or via API request. Example: 1111
IDRequest identifier. Aggregates multiple messages from a single request. Example: 240g95f04832f2872dd6e8ae308e8a73
LevelMessage with the level type for the function. Can be MDN, DEBUG, INFO, ERROR, LOG, or WARN
LineLog message generated by the Cells platform. Example: at async mainFetch (ext:deno_fetch/26_fetch.js:266:12)
Line SourceLog message category. Example: CONSOLE, RUNTIME
Solution IDUnique Azion ID set on virtual host configuration file for the solution. Example: 1441740010

Requires: Image Processor

Displays the event records of requests made to edge applications using Image Processor.

VariableDescription
Bytes SentNumber of bytes sent to a client. This field is the result of a sum. Example: 191
Configuration IDUnique Azion configuration identifier set on virtual host configuration file. Example: 1595368520
HostHost information sent on the request line. Stores: host name from the request line, or host name from the Host request header field, or the server name matching a request. Example: g1sdetynmxe0ao.map.azionedge.net
HTTP RefererAddress of the page the user made the request from. Example: https://example.com
HTTP User AgentEnd user’s application, operating system, vendor, and/or version. Value of the User-Agent header. Example: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Reference ErrorReference ID of the request. Generated when the status code is bigger than 400. Example: #AECFE66100000000C947B9B3B3BFBE46FFFFFFFF9401
Remote AddrIP address of the origin that generated the request. Example: 127.0.0.1
Remote PortPort of the origin that generated the request. Example: 8080
Request MethodHTTP request method. Example: GET or POST
Request TimeRequest processing time elapsed since the first bytes were read from the client with resolution in milliseconds. This field is the result of a sum. Example: 1.19
Request UriURI of the request made by the end user, without the host and protocol information and with arguments. Example: /v1?v=bo%20dim
SchemeRequest scheme. Example: HTTP or HTTPS
SolutionIdentifier of your edge application. Example: 1321
SSL CipherCipher string used to establish TLS connection. Example: TLS_AES_256_GCM_SHA384
SSL ProtocolProtocol for an established TLS connection. Example: TLS v1.2
SSL Session ReusedReturns r if an SSL session was reused or . if it wasn’t.
StatusHTTP status code of the request. Example: 200
TCP Info RTTRound-Trip Time (RTT) measured by the edge for the user. Available on systems that support the TCP_INFO socket option. Example: 72052
Upstream Cache StatusStatus of the local edge cache. Can be: MISS, BYPASS, EXPIRED, STALE, UPDATING, REVALIDATED, HIT, or -
Upstream Response TimeTime it takes for the edge to receive a default response from the origin in milliseconds, including headers and body. This field is the result of a sum. Example: 0.876. In case of cache, the response is -.
Upstream StatusHTTP status code of the origin. If a server can’t be selected, the variable keeps the 502 (Bad Gateway) status code. Example: 200. In case of cache, the response is -.

Requires: Tiered Cache

Displays the event records of requests made to edge applications using Tiered Cache.

VariableDescription
Bytes SentNumber of bytes sent to a client. This field is the result of a sum. Example: 191
Cache KeyThe stored object cache identification key for the content requested by a client. Example: /index.html
Cache TTLTime, in seconds, the cached object is considered valid (not expired). After the time expiration, when a new request occurs, Tiered Cache queries the data on the origin (upstream). Example: 31536000
Configuration IDUnique Azion configuration identifier set on virtual host configuration file. Example: 1595368520
HostHost information sent on the request line. Stores: host name from the request line, or host name from the Host request header field, or the server name matching a request. Example: g1sdetynmxe0ao.map.azionedge.net
Proxy HostHostname being proxied. Example: storage.googleapis.com:443
Proxy StatusHTTP error status code or origin when no response is obtained from the upstream. Example: 520. In case of cache, the response is -.
Proxy UpstreamOrigin (upstream) address. In some cases, the Tiered Cache origin can be Image Processor (IMS) to process the image and then cache it. Example: ims_http
Reference ErrorReference ID of the request. Generated when the status code is 4xx or 5xx. Example: #AECFE66100000000C947B9B3B3BFBE46FFFFFFFF9401
Remote AddrIP address of the origin that generated the request. Example: 127.0.0.1
Remote PortPort of the origin that generated the request. Example: 8080
Request LengthRequest length, including request line, headers, and body. This field is the result of a sum. Example: 167
Request MethodHTTP request method. Example: GET or POST
Request TimeRequest processing time elapsed since the first bytes were read from the client with resolution in milliseconds. This field is the result of a sum. Example: 1.19
Request UriURI of the request made by the end user, without the host and protocol information and with arguments. Example: /v1?v=bo%20dim
SchemeRequest scheme. Example: HTTP or HTTPS
Sent HTTP Content TypeContent-Type header sent in the origin’s response. Example: text/html; charset=UTF-8
Server ProtocolRequest protocol. Example: HTTP/1.1, HTTP/2.0, HTTP/3.0
SolutionIdentifier of your edge application. Example: 1321
StatusHTTP status code of the request. Example: 200
TCP info RTTRound-Trip Time (RTT) measured by the edge for the user. Available on systems that support the TCP_INFO socket option. Example: 72052
Upstream Bytes ReceivedNumber of bytes received by the origin’s edge if the content isn’t cached. Example: 8304
Upstream Cache StatusStatus of the local edge cache. Can be: MISS, BYPASS, EXPIRED, STALE, UPDATING, REVALIDATED, HIT, or -
Upstream Connect TimeTime it takes for the edge to establish a connection with the origin in milliseconds. In the case of TLS, it includes time spent on handshake. Example: 0.123. 0 in case of KeepAlive and - in case of cache.
Upstream Header TimeTime it takes for the edge to receive the response header from the origin in milliseconds. Example: 0.345. In case of cache, the response is -.
Upstream Response TimeTime it takes for the edge to receive a default response from the origin in milliseconds, including headers and body. Example: 0.876. In case of cache, the response is -.
Upstream StatusHTTP status code of the origin. If a server can’t be selected, the variable keeps the 502 (Bad Gateway) status code. Example: 200. In case of cache, the response is -.

Requires: Edge DNS

Displays the event records of queries made to Edge DNS.

VariableDescription
LevelLevel of the log generator: ERROR, WARN, INFO, DEBUG, or TRACE
Q TypeDefinition of the type of record that’ll be used. Example: PTR, A, AAAA, HTTPS, NS, SRV
Resolution TypeMethod types used to resolve hosts. Example: standard
Status CodeHTTP status code of the request. Example: 200
Solution IDIdentifier of your Edge DNS instance. Example: 1321
UUIDUnique request identifier. Example: b204b8c3-e463-4c3d-af3d-025703a4
Zone IDUnique identifier of the Edge DNS zone. Example: 1340

Requires: Data Stream

Displays the event records of data sent to endpoints using Data Stream.

VariableDescription
Configuration IDUnique Azion configuration identifier set on virtual host configuration file. Example: 1595368520
Data StreamedTotal amount of data streamed, in bytes, to the configured endpoint. This field is the result of a sum. Example: 1270
Endpoint TypeType of endpoint used in the configured Data Stream. Can be: HTTP_POST, S3, ELASTICSEARCH, QRADAR, AWS_KINESIS_FIREHOSE, KAFKA, DATADOG, BIG_QUERY, SPLUNK, AZURE_MONITOR, AZURE_BLOB_STORAGE
Job NameUnique Azion identifier for the type of streaming created. Example: Data Stream HTTP, Data Stream WAF
Status CodeHTTP status code of the request. Example: 200
Streamed LinesTotal amount of lines streamed to the configured endpoint. Maximum value of 2000. This field is the result of a sum. Example: 837
URLThe URL to which the client data was sent/sink. Example for a HTTP POST endpoint: https://log-receiver.azion.com:9200

Displays the event records of activies performed on an account on Azion Console registered by Activity History. Use the Real-Time Events GraphQL API to query up to 2 years of logs.

VariableDescription
Account IDAccount’s identifier on Azion. Example: 8437
Author EmailEmail address of the Console user who performed the action. Example: myemail@gmail.com
Author NameName of the Console user who performed the action. Example: Hannah
CommentEditable space available for users to add comments when performing changes. Example: Action performed during investigation
Referer HeaderHeader Referer from the page from which the API was called. Returns when the API call is made from an UI. Example: Test 123
Remote PortPort of the origin that generated the request. Example: 80
Resource IDUnique identifier of the resource that was created or modified. Example: 8190
Resource TypeIdentifier of the resource that was created or modified. Example: edge_application
Request DataData received on the payload of the request generated by the user. Example: {"test": 123}
TitleTitle of the activity, composed of: model name, name, and type of activity. Example: Pathorigin Default Origin was changed
TypeType of performed action on Real-Time Manager: CREATED, CHANGED, DELETED, or SIGNED UP
User AgentHeader User-Agent sent in the request. Example: curl 1.2.6
User IDUnique identifier of the user that executed the action. Example: 999
User IPIP address of the user/origin that generated the request. Example: 127.0.0.1

The Time filter allows you to refine the period for the events record search result. It’s selected by default for Last 15 minutes.

You can filter by:

  • Last 15 minutes
  • Last 1 hour
  • Last 3 hours
  • Last 6 hours
  • Last 12 hours
  • Last day
  • Last 2 days
  • Last 3 days
  • Las 5 days
  • Last 7 days
  • Custom time range

By using the Custom time range option, you can customize your search by selecting a date and time range during the last 168 hours.

You can change the time range as many times as you want to investigate your logs.


After you complete the filters and search for results, your logs will appear in a table. You can select an item to open the More details view, containing all variables of that data source.

Each variable is a different log, which equals to a different action performed by the edge. The information shown varies according to the specifics of each variable.


These are the default limits:

ScopeLimit
Log retention7 days
Available inUp to 3 minutes
GraphQL API data transferred10,000 lines
GraphQL API maximum fields10 fields
GraphQL API maximum payload5 GB
GraphQL API queries120 requests per minute

Contributors