
Real-Time Events

Real-Time Events is an Observe module that allows you to display data from your Azion Products and Services in real time. You can use Real-Time Events to perform complex searches and explore data from your Azion applications.

To access Real-Time Events, proceed as follows:

  1. Access Real-Time Manager.
  2. Click on the Products Menu on the top left corner.
  3. Select Real-Time Events in the Observe section.

You will see the following fields:

  1. Data Sources
  2. Time Filter
  3. Filter by
  4. Refresh

1. Data Sources

The first step to explore your data is choosing the Data Source, which represents the Azion product or service that generated the events.

When submitting a search, the Data Source represents the index from where you want to collect data.

Azion provides the following Data Sources:

Data Streaming

If you have contracted the Data Streaming product, this data source displays the event records for data sent to your endpoints.

Variable Description
$client_id Unique Azion customer identifier.
$data_streamed Number of bytes that were streamed (attempt/sink/send).
$endpoint_type Endpoint type configured for sending data, such as: HTTP / HTTPS Post, Kafka, S3, etc.
$job_name Unique Azion identification for naming the type of streaming created (E.g.: Data Streaming HTTP, Data Streaming WAF).
$status_code The status code of the request, for example: 200. See more details here.
$streamed_lines Total amount of lines sent to the selected endpoint.
$time Date and time when the data is sent to the configured endpoint, for example: “01 June, 2021, 12:21:19”.
$url The URL to which the client data was sent (sink).

Edge Applications

It displays the data from requests made to your Edge Applications at Azion.

Variable Description
$asn AS Number (Autonomous System Number) allocation, which corresponds to a group of IP address networks managed by one or more network operators that have a clear and unique routing policy. For example, according to the LACNIC ASN Whois service, Azion’s ASN is AS52580. Choose the ASN type to represent a list of AS groups, filling in one address per line, with only the number without the prefix.
$bytes_sent Bytes sent to the user, including header and body.
$client Unique Azion customer identifier.
$city The remote client city name, for example, “Chicago”, “Boston”. Geolocation detection by IP address.
$country The remote client country name, for example, “Russian Federation”, “United States”. Geolocation detection by IP address.
$host Host information sent on the request line; or HTTP header Host field.
$http_referrer Information from the last page the user was on before making the request.
$http_user_agent The identification of the application that made the request, for example: Mozilla/5.0 (Windows NT 10.0; Win64; x64).
$proxy_status HTTP code when the error is generated by Nginx, when no response is obtained from the upstream. Example: ‘520’.
$remote_addr IP address of the origin that generated the request.
$remote_port Remote port of the origin that generated the request.
$request_id Unique request identifier. Example: ‘5f222ae5938482c32a822dbf15e19f0f’.
$request_length Request size, including request line, headers and body.
$request_method Request method; usually “GET” or “POST”.
$request_time Request processing time, with resolution in milliseconds.
$request_uri URI of the request made by the user, without the Host and Protocol information.
$scheme Request scheme “http” or “https”.
$sent_http_content_type “Content-Type” header sent in the origin’s response.
$server_addr IP address of the server that received the request.
$server_port Remote port of the server that received the request.
$server_protocol The connection established protocol, usually “HTTP/1.1” or “HTTP/2.0”.
$ssl_cipher Cipher string used to establish SSL connection.
$ssl_protocol The protocol for an established SSL connection, for example “TLS v1.2”.
$state Name of the remote client’s state, for example: “RS”, “SP”. Geolocation detection of IP address.
$status The status code of the request, for example: 200.
$time Request date and time, for example: “01 June, 2021, 12:21:19”.
$traceback It provides the names of the Rules Engine rules from your Edge Application and your Edge Firewall that are run by the request.
$upstream_addr Upstream address and port. Example: ‘192.168.1.1:80’.
$upstream_bytes_received Number of bytes received by the origin’s Edge, if the content is not cached.
$upstream_bytes_sent Number of bytes sent to an upstream. Example: ‘2733’.
$upstream_cache_status Edge cache status. It can assume the values “MISS”, “BYPASS”, “EXPIRED”, “STALE”, “UPDATING”, “REVALIDATED” or “HIT”.
$upstream_response_time Time in milliseconds for Edge to receive all of the response from the origin, including headers and body (“-“ in case of cache).
$upstream_status HTTP response code obtained from the upstream server. Example: ‘200’.
$waf_attack_action It reports the WAF’s action for the request ($BLOCK, $PASS, $LEARNING_BLOCK, $LEARNING_PASS).
$waf_attack_family It informs the classification of the WAF infraction detected in the request (SQL, XSS, TRAVERSAL, among others).
$waf_block It informs whether the WAF blocked the action or not; 0 when not blocked and 1 when blocked. When in “Learning Mode”, it will not be blocked, regardless of the return.
$waf_headers Request headers analyzed by WAF.
$waf_learning It informs if WAF is in learning mode, usually 0 or 1.
$waf_match List of infractions found in the request, formed by key-value elements: the key refers to the type of violation detected, and the value shows the string that generated the infraction.
$waf_score It reports the score that will be increased in case of match.

The $traceback variable can be used if you have the Debug rules option activated in your application. See more on Debugging rules on Edge Application.

Edge Functions

Edge Functions lets you build edge-native applications or add functionality to your origin applications with event-driven functions. It is built using Azion Cells, our core technology designed for low-memory consumption, reliability, and speed.

Variable Description
$client_id Unique Azion customer identifier.
$configuration_id Unique Azion configuration identifier.
$function_id Unique Azion function identifier.
$message_content Message used in the console.log, for debugging.
$message_level Message level, it can be MDN, DEBUG, INFO, ERROR, LOG or WARN.
$message_source The source of the message. It can be “CONSOLE” when messages are generated by the Console API or “RUNTIME” when it’s related to an error message.
$time Request date and time.

Note: to query the Edge Functions logs, use console_from_event.log as described in the Debugging documentation.

Edge Pulse

If you are using the Azion Pulse in your Edge Applications, the Edge Pulse data source will display the performance data measured from the user’s browser (RUM).

Variable Description
$browser The UUID generated for the client browser used on the request.
$client_id Unique Azion customer identifier.
$contentdownload Time used to download the requested content.
$dns DNS resolution time.
$downlink It returns the average volume of data received (Mb/s).
$effectivetype The effective type of the connection (2g, 3g, 4g).
$hostname Hostname of the current URL.
$locationhref It returns the complete URL of the current page.
$navigation.contentDownload Time used to download the content.
$navigation.dns DNS resolution time.
$navigation.networkDuration Duration without query browser waiting.
$navigation.PageLoadTime Time from the start of navigation to the full page load.
$navigation.redirectCount It returns the number of redirects since the last navigation without redirection in the context of the current navigation.
$navigation.renderTime Time the browser was rendered after browsing.
$navigation.ssl Standard protocol used to maintain a secure traffic connection.
$navigation.tcp Internet protocol that returns the data that makes up the page.
$navigation.ttfb Time until the arrival of the first byte of the requested page.
$navigation.type It returns the type of navigation without redirection.
$navigation.typeBackForward Type of navigation through the session history.
$navigation.typeNavigate It returns the type of the last navigation without redirection, for example: by clicking on a link, entering the URL in the address bar or submitting a form.
$navigation.typeReload Type of navigation for the reload operation, that is, when the page was reloaded.
$navigation.typeReserved Any type of navigation not defined by those previously mentioned (typeNavigate, typeReload).
$networkApi.downlink It returns the average volume of data received (Mb/s).
$networkduration Duration without query browser waiting.
$pageloadtime Time from the start of navigation to the full page load.
$platform Operating system architecture (for example, Linux x86_64, iPhone, etc.).
$redirectcount It returns the number of redirects since the last navigation, without redirection in the context of the current navigation.
$referrer It returns the URL of the page visited before the current one, that is, the URL from which the user arrived at “locationHref”. If the access originated directly from the current page (not through a link, but for example, through a bookmark), its value will be an empty string. It does not provide DOM access to the reference page.
$rendertime The amount of time it took to render the page.
$ssl Standard protocol used to maintain a secure traffic connection. If the requested URL has a secure connection, it returns the time taken for authentication.
$tcp Internet protocol that returns the data that makes up the page. The time it takes for the TCP handshake is the time between the connection start and connection end.
$time Request date and time.
$timestamp Request date and time.
$ttfb Time until the arrival of the first byte of the requested page. Time To First Byte is the time between the start of the navigation and when the first byte of response data is received.
$type It returns the type of navigation without redirection. Indicates how the navigation to this page/script was done (E.g.: navigation, reload).
$typebackforward Type of navigation through the session history.
$typenavigate It returns the type of the last navigation without redirection, for example: by clicking on a link, entering the URL in the address bar or submitting a form.
$typereload Type of navigation for the reload operation, that is, when the page was reloaded.
$typereserved Any type of navigation not defined by those previously mentioned (typeNavigate, typeReload).
$userAgent It identifies the client UA browser.
$version The version of Azion Log used.

WAF

If you have contracted the Web Application Firewall product, the WAF Events data source will display the requests analyzed by WAF to allow you to map the score assigned to the request, the WAF rules that matched, the reason for the block and more.

Variable Description
$attack_family It tells you the attack families, categories where our Web Application Firewall identifies the attack and classifies it according to the OWASP Top 10.
$blocked It informs whether the WAF blocked the action or not; 0 when not blocked and 1 when blocked. When in “Learning Mode”, it will not be blocked, regardless of the return.
$client_id Unique Azion customer identifier.
$geoloc_country_name Name of the remote client’s country, for example “Russian Federation”, “United States”. Detection by IP address geolocation.
$host Host information sent on the request line; or Host field of the HTTP header.
$remote_address IP address of the origin that generated the request.
$server_protocol The connection established protocol, usually “HTTP/1.1” or “HTTP/2.0”.
$time Request date and time.
$total_blocked It informs the total number of blocked requests.
$total_processed It informs the total number of processed requests.
$waf_action It reports the WAF’s action for the request ($BLOCK, $PASS, $LEARNING_BLOCK, $LEARNING_PASS).
$waf_args The request arguments.
$waf_learning It informs if WAF is in learning mode, usually 0 or 1.
$waf_match List of infractions found in the request, formed by key-value elements: the key refers to the type of violation detected, and the value shows the string that generated the infraction.
$waf_score It reports the score that will be increased in case of match.
$waf_server Hostname used in the request.
$waf_uri URI used in the request.

2. Time Filter

Real-Time Events keeps the events from the last 168 hours. The Time Filter allows you to refine the event search result. It is set to Last 15 minutes by default, but you can change the scope of the search by selecting:

  • Last 15 minutes
  • Last 30 minutes
  • Last 1 hour
  • Last 3 hours
  • Last 6 hours
  • Last 12 hours
  • Last day
  • Last 2 days
  • Last 3 days
  • Last 5 days
  • Last 7 days

Note: by using the Custom field, you can also customize your search by selecting a time range during the last 168 hours.


3. Filter by

In the Filter by field, you can optionally filter your search results using a keyword or phrase.

When submitting a search with a blank Filter by field, you will get all existing records in the Data Origin for the selected time filter.

Searches are restricted to a particular field using the notation key='value', such as status='200'. In this case, only the records that contain the specified key and value pair are returned. As the key, you can use the variables from the tables above, but note that each Data Source has its own list of variables.

Time filtering is done using the Time Filter or Custom fields; for this reason, it is not possible to use the “timestamp” key in the filter.

You may search for more complex field compositions. Use the notations AND, OR and NOT in the search field to combine the fields, such as status='200' AND scheme='https'.

The Filter by field uses SQL language; therefore, you must use “equals” (=) after the key and “single quotes” (') around values, for example: status='200'.

If you intend to search for a more generic value, you can use the “like” operator instead of “equals”, exactly like you use in SQL queries. The final query for this search can be host like '%mydomain%'.

Depending on the size of the data, the query limit may be exceeded. If this happens, narrow the search by selecting a shorter time filter.
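
The filter rules above, as an added Python example (not Azion code): it builds a Filter by expression from key and value pairs, accepts only variables listed for the chosen Data Source, refuses the “timestamp” key, and rejects values that would close the quoted literal early. The function names and the key subset are assumptions of this example; rejecting embedded quotes is a conservative choice here, because the page does not describe an escape syntax.

```python
# Added example. Keys are a subset copied from the variable tables on this page;
# the dictionary layout and function names are hypothetical.
ALLOWED_KEYS = {
    "Edge Applications": {"host", "remote_addr", "request_method", "request_uri",
                          "scheme", "status", "waf_attack_family", "waf_block"},
    "WAF": {"attack_family", "blocked", "host", "remote_address",
            "waf_action", "waf_learning", "waf_uri"},
}

def term(source, key, value, op="="):
    """Return one key='value' (or key like 'value') term for the given Data Source."""
    key = key.lstrip("$")  # the tables show $name, the filter uses name
    if key == "timestamp":
        raise ValueError("select time ranges with the Time Filter or Custom field")
    if key not in ALLOWED_KEYS[source]:
        raise ValueError(f"{key!r} is not a listed variable of {source}")
    if op not in ("=", "like"):
        raise ValueError(f"unsupported operator {op!r}")
    value = str(value)
    # A single quote or control character would end the literal early or
    # split the expression, so such values are refused rather than escaped.
    if "'" in value or any(ord(c) < 32 for c in value):
        raise ValueError("value contains a single quote or control character")
    return f"{key}='{value}'" if op == "=" else f"{key} like '{value}'"

def negate(single_term):
    """Prefix one term with NOT."""
    return f"NOT {single_term}"

def combine(operator, *terms):
    """Join terms with a single AND or OR (no nesting, so no precedence questions)."""
    if operator not in ("AND", "OR") or not terms:
        raise ValueError("operator must be AND or OR, with at least one term")
    return f" {operator} ".join(terms)

def blocked_sqli_filter(domain_fragment):
    """WAF-blocked SQL-family requests for hosts containing domain_fragment."""
    src = "Edge Applications"
    return combine(
        "AND",
        term(src, "waf_block", 1),
        term(src, "waf_attack_family", "SQL"),
        term(src, "host", f"%{domain_fragment}%", op="like"),
    )
```

Calling `blocked_sqli_filter("mydomain")` produces a string that can be pasted into the Filter by field with the Edge Applications Data Source selected.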


4. Refresh

The search always returns the results ordered by the time of the event, from the most recent to the oldest.

You can use the Refresh button to update the returned data, repeating the last search performed.

