Real-Time Events
Real-Time Events is an Observe module that allows you to display data from your Azion Products and Services in real time. You can use Real-Time Events to perform complex searches and explore data from your Azion applications.
To access Real-Time Events, proceed as follows:
- Access Real-Time Manager.
- Click on the Products Menu on the top left corner.
- Select Real-Time Events in the Observe section.
You will see the following fields:
1. Data Sources
The first step to explore your data is choosing the Data Source, which represents the Azion product or service that generated the events.
When submitting a search, the Data Source represents the index from where you want to collect data.
Azion provides the following Data Sources:
Data Streaming
If you have contracted the Data Streaming product, this data source will display the event records of sending the data to your endpoints.
| Variable | Description |
|---|---|
| $client_id | Unique Azion customer identifier. |
| $data_streamed | Amount of bytes that was streamed in the streaming (attempt/sink/send). |
| $endpoint_type | Endpoint type configured for sending data, such as: HTTP / HTTPS Post, Kafka, S3, etc. |
| $job_name | Unique Azion identification for naming the type of streaming created (E.g.: Data Streaming HTTP, Data Streaming WAF). |
| $status_code | The status code of the request, for example: 200. See more details here. |
| $streamed_lines | Total amount of lines sent to the selected endpoint. |
| $time | Date and time when the data is sent to the configured endpoint, for example: “01 June, 2021, 12:21:19”. |
| $url | The URL where the client data was sent/sink. |
Edge Applications
It displays the data from requests made to your Edge Applications at Azion.
| Variables | Description |
|---|---|
| $asn | AS Number refers to Autonomous System Number Allocation which corresponds to a group of IP address networks managed by one or more network operators that have a clear and unique routing policy. Consulting the ASN Whois service for LACNIC, Azion’s ASN, for example, is AS52580. Choose the ASN type to represent a list of AS groups, filling in one address per line, with only the number without the prefix. |
| $bytes_sent | Bytes sent to the user, including header and body. |
| $client | Unique Azion customer identifier. |
| $city | The remote client city name, for example, “Chicago”, ”Boston”. Geolocation detection by IP address. |
| $country | The remote client country name, for example, “Russian Federation”, “United States”. Geolocation detection by IP address. |
| $host | Host information sent on the request line; or HTTP header Host field. |
| $http_referrer | Information from the last page the user was on before making the request. |
| $http_user_agent | The identification of the application that made the request, for example: Mozilla/5.0 (Windows NT 10.0; Win64; x64). |
| $proxy_status | HTTP code when the error is generated by Nginx, when no response is obtained from the upstream. Ex: ‘ 520’. |
| $remote_addr | IP address of the origin that generated the request. |
| $remote_port | Remote port of the origin that generated the request. |
| $request_id | Unique request identifier. Example: ‘5f222ae5938482c32a822dbf15e19f0f’. |
| $request_length | Request size, including request line, headers and body. |
| $request_method | Request method; usually “GET” or “POST”. |
| $request_time | Request processing time, with resolution in milliseconds. |
| $request_uri | URI of the request made by the user, without the Host and Protocol information. |
| $scheme | Request scheme “http” or “https”. |
| $sent_http_content_type | “Content-Type” header sent in the origin’s response. |
| $server_addr | IP address of the server that received the request. |
| $server_port | Remote port of the server that received the request. |
| $server_protocol | The connection established protocol, usually “HTTP/1.1” or “HTTP/2.0”. |
| $ssl_cipher | Cipher string used to establish SSL connection. |
| $ssl_protocol | The protocol for an established SSL connection, for example “TLS v1.2”. |
| $state | Name of the remote client’s state, for example: “RS”, “SP”. Geolocation detection of IP address. |
| $status | The status code of the request, for example: 200. |
| $time | Request date and time, for example: “01 June, 2021, 12:21:19”. |
| $traceback | It provides the names of the Rules Engine from your Edge Application and your Edge Firewall that are ran by the request. |
| $upstream_addr | Upstream address and port. Example: ‘192.168.1.1:80’. |
| $upstream_bytes_received | Number of bytes received by the origin’s Edge, if the content is not cached. |
| $upstream_bytes_sent | Number of bytes sent to an upstream. Example: ‘2733’. |
| $upstream_cache_status | Edge cache status. It can assume the values “MISS”, “BYPASS”, “EXPIRED”, “STALE”, “UPDATING”, “REVALIDATED” or “HIT”. |
| $upstream_response_time | Time in milliseconds for Edge to receive all of the response from the origin, including headers and body (“-“ in case of cache). |
| $upstream_status | HTTP response code obtained from the upstream server. EX: ‘200’. |
| $waf_attack_action | It reports WAF’s action regarding the action ($BLOCK, $PASS, $LEARNING_BLOCK, $LEARNING_PASS). |
| $waf_attack_family | It informs the classification of the WAF infraction detected in the request (SQL, XSS, TRAVERSAL, among others) |
| $waf_block | It informs whether the WAF blocked the action or not; 0 when not blocked and 1 when blocked. When in “Learning Mode”, it will not be blocked, regardless of the return. |
| $waf_headers | Request headers analyzed by WAF. |
| $waf_learning | It informs if WAF is in learning mode, usually 0 or 1. |
| $waf_match | List of infractions found in the request, it is formed by key-value elements; the key refers to the type of violation detected; the value shows the string that generated the infraction. |
| $waf_score | It reports the score that will be increased in case of match. |
The $traceback variable can be used if you have the Debug rules option activated in your application. See more on Debugging rules on Edge Application.
Edge Functions
Edge Functions lets you build edge-native applications or add functionality to your origin applications with event-driven functions. It is built using Azion Cells, our core technology designed for low-memory consumption, reliability, and speed.
| Variables | Description |
|---|---|
| $client_id | Unique Azion customer identifier. |
| $configuration_id | Unique Azion configuration identifier. |
| $function_id | Unique Azion function identifier. |
| $message_content | Message used in the console.log, for debugging. |
| $message_level | Message level, it can be MDN, DEBUG, INFO, ERROR, LOG or WARN. |
| $message_source | The source of the message. It can be “CONSOLE” when messages are generated by the Console API or “RUNTIME” when it’s related to an error message. |
| $time | Request date and time. |
Note: to query the Edge Functions logs use console_from_event.log as described in the Debbuging documentation.
Edge Pulse
If you are using the Azion Pulse in your Edge Applications, the Edge Pulse data source will display the performance data measured from the user’s browser (RUM).
| Variable | Description |
|---|---|
| $browser | The UUID generated for the client browser used on the request. |
| $client_id | Unique Azion customer identifier. |
| $contentdownload | Time used to download the requested content. |
| $dns | DNS resolution time. |
| $downlink | It returns the average volume of data received (Mb/s). |
| $effectivetype | The effective type of the connection (2g, 3g, 4g). |
| $hostname | Hostname of the current URL. |
| $locationhref | It returns the complete URL of the current page. |
| $navigation.contentDownload | Time used to download the content. |
| $navigation.dns | DNS resolution time. |
| $navigation.networkDuration | Duration without query browser waiting. |
| $navigation.PageLoadTime | Time from the start of navigation to the full page load. |
| $navigation.redirectCount | It returns the number of redirects since the last navigation without redirection in the context of the current navigation. |
| $navigation.renderTime | Time the browser was rendered after browsing. |
| $navigation.ssl | Standard protocol used to maintain a secure traffic connection. |
| $navigation.tcp | Internet protocol that returns the data that makes up the page. |
| $navigation.ttfb | Time until the arrival of the first byte of the requested page. |
| $navigation.type | It returns the type of navigation without redirection. |
| $navigation.typeBackForward | Type of navigation through the session history. |
| $navigation.typeNavigate | It returns the type of the last navigation without redirection, for example: by clicking on a link, entering the URL in the address bar or submitting a form. |
| $navigation.typeReload | Type of navigation for the reload operation, that is, when the page was reloaded. |
| $navigation.typeReserved | Any type of navigation not defined by those previously mentioned (typeNavigate, typeReload). |
| $networkApi.downlink | It returns the average volume of data received (Mb/s). |
| $networkduration | Duration without query browser waiting. |
| $pageloadtime | Time from the start of navigation to the full page load. |
| $platform | Operating system architecture (for example Linux x86_64, Iphone, etc). |
| $redirectcount | It returns the number of redirects since the last navigation, without redirection in the context of the current navigation. |
| $referrer | It returns the previous url to the current page. That is, the url by which the user arrived at “locationHref”. If the access originated directly from the current page (not through a link, but for example, through a bookmark), its value will be an empty string. It does not provide DOM access to the reference page. |
| $rendertime | The amount of time it took to render the page. |
| $ssl | Standard protocol used to maintain a secure traffic connection. If the requested url has secure connection, returns the time it took for authenticating. |
| $tcp | Internet protocol that returns the data that makes up the page. The time it takes for the TCP handshake is the time between the connection start and connection end. |
| $time | Request date and time. |
| $timestamp | Request date and time. |
| $ttfb | Time until the arrival of the first byte of the requested page. Time To First Byte is the time between the start of the navigation and when the first byte of response data is received. |
| $type | It returns the type of navigation without redirection. Indicates how the navigation to this page/script was done (E.g.: navigation, reload). |
| $typebackforward | Type of navigation through the session history. |
| $typenavigate | It returns the type of the last navigation without redirection, for example: by clicking on a link, entering the URL in the address bar or submitting a form. |
| $typereload | Type of navigation for the reload operation, that is, when the page was reloaded. |
| $typereserved | Any type of navigation not defined by those previously mentioned (typeNavigate, typeReload). |
| $userAgent | It identifies the client UA browser. |
| $version | The version of Azion Log used. |
WAF
If you have contracted the Web Application Firewall product, the WAF Events data source will display the requests analyzed by WAF to allow you to map the score assigned to the request, the WAF rules that matched, the reason for the block and more.
| Variable | Description |
|---|---|
| $attack_family | It tells you the attack families, categories where our Web Application Firewall identifies the attack and classifies it according to the OWASP Top 10. |
| $blocked | It informs whether the WAF blocked the action or not; 0 when not blocked and 1 when blocked. When in “Learning Mode”, it will not be blocked, regardless of the return. |
| $client_id | Unique Azion customer identifier. |
| $geoloc_country_name | Name of the remote client’s country, for example “Russian Federation”, “United States”. Detection by IP address geolocation. |
| $host | Host information sent on the request line; or Host field of the HTTP header. |
| $remote_address | IP address of the origin that generated the request. |
| $server_protocol | The connection established protocol, usually “HTTP/1.1” or “HTTP/2.0”. |
| $time | Request date and time. |
| $total_blocked | It informs the total number of blocked requests. |
| $total_processed | It informs the total number of processed requests. |
| $waf_action | It reports WAF’s action regarding the action ($BLOCK, $PASS, $LEARNING_BLOCK, $LEARNING_PASS). |
| $waf_args | The request arguments. |
| $waf_learning | It informs if WAF is in learning mode, usually 0 or 1. |
| $waf_match | List of infractions found in the request, it is formed by key-value elements; the key refers to the type of violation detected; the value shows the string that generated the infraction. |
| $waf_score | It reports the score that will be increased in case of match. |
| $waf_server | Hostname used in the request. |
| $waf_uri | URI used in the request. |
2. Time Filter
Real-Time Events keeps the events from the last 168 hours. The Time Filter allows you to refine the event search result, and is selected by default for Last 15 minutes, but you can change the scope of the search by selecting:
- Last 15 minutes
- Last 30 minutes
- Last 1 hour
- Last 3 hours
- Last 6 hours
- Last 12 hours
- Last day
- Last 2 days
- Last 3 days
- Last 5 days
- Last 7 days
Note: by using the Custom field, you can also customize your search by selecting a time range during the last 168 hours.
3. Filter by
In the Filter by field, you can optionally filter your search results using a keyword or phrase.
When submitting a search with a blank Filter by field, you will get all existing records in the Data Origin for the selected time filter.
The searches are restricted to a particular field, using the notation: key='value', such as status='200'. In this case, you will filter only the records which have these specified pair, value and key. As key, you can use the variables from the tables above, but note that each Data Source has its own list of variables.
Time filter is done using the Time Filter or Custom fields, for this reason it is not possible to use the “timestamp” key in the filter.
You may search for more complex field compositions. Use the notations AND, OR and NOT in the search field to combine the fields, such as status='200' AND scheme='https'.
The Filter by field uses SQL language, therefore you must use “equals” (=) after the key and “single quotes” ( ‘ ) around values, for example: status='200'.
If you intend to search for a more generic value, you can use the “like” operator instead of “equals”, exactly like you use in SQL queries. The final query for this search can be host like '%mydomain%'.
Depending on the size of our data, the query limit may exceed. If this happens, please filter by a short time filter.
4. Refresh
The search always returns the results ordered by the time of the event, from the most recent to the oldest.
You can use the Refresh button to update the returned data, repeating the last search performed.
Didn’t find what you were looking for? Open a support ticket.