Cloud Object Storage (COS) access logs record information about users' access to COS resources, including object upload (
PUT), object deletion (
DELETE), and object getting (
GET). By analyzing access logs, you can perform audit backtracking, such as deleting resource records and collecting statistics on popular resources. This document introduces how to analyze COS access logs.
COS logs have been collected to Cloud Log Service (CLS). For more information, please see Enabling Real-Time Log Feature on COS.
COS access logs record information such as the source bucket, user ID, and request method.
|4||eventTime||Event time (request end time, which is a timestamp in UTC+0 time zone)||2018-12-01T11:02:33Z|
|5||eventSource||Access domain name||examplebucket-1250000000.cos.ap-guangzhou.myqcloud.com|
|8||userSecretKeyId||User access KeyId||AKIDNYVCdoJQyGJ5brTf|
|9||reservedField||Reserved field||Displayed as
|11||deltaDataSize||Change in storage made by the request (in bytes)||808|
|12||reqPath||Requested file path||/folder/text.txt|
|14||userAgent||User agent (UA)||cos-go-sdk-v5.2.9|
|15||resHttpCode||HTTP return code||404|
|17||resErrorMsg||Error message||The specified key does not exist.|
|19||resTotalTime||Total time used by the request (in milliseconds, i.e., the time between the last byte of the response and the first byte of the request)||4295|
|20||logSourceType||Source type of the log||
|21||storageClass||Storage class||STANDARD, STANDARD_IA, ARCHIVE|
|22||accountId||Bucket owner ID||100000000001|
|23||resTurnAroundTime||Time used by the request server (in milliseconds, i.e., the time between the first byte of the response and the last byte of the request)||4295|
|24||requester||Requester||Root account ID, sub-account ID, or
|26||objectSize||Object size, in bytes||808. If you use multipart upload,
|27||versionId||Object version ID||Random string|
|28||targetStorageClass||Destination storage class, recorded for replication requests||STANDARD, STANDARD_IA, ARCHIVE|
|29||referer||HTTP referer of the request||
|30||requestUri||Request URI||"GET /fdgfdgsf%20/%E6%B5%AE%E7%82%B9%E6%95%B0 HTTP/1.1"|
An object file cannot be accessed, and the cause needs to be located.
Go to the COS access log search page, and enter the object name as the keyword to search for logs.
According to the time column chart, 14 logs are recorded on the last day. For the drill-down analysis of the 14 log records, click the quick analysis bar on the left to view the resHttpCode information.
According to the quick analysis, there are 6 request log records whose resHttpCode is not 200: resHttpCode is 403 for 5 log records and 204 for 1 log record. Click to search for these logs quickly.
According to the logs, the 5 log records whose error code is Access Deny are object access failure logs. According to the logs whose resHttpCode is 204, object access failed because user
1000****** performed object deletion at around 20:16 on August 24 in the COS console.
Collect statistics on the top 10 most visited buckets of the day
(reqMethod:"GET") | select bucketName, count(*) group by bucketName
Collect statistics on the access trend of a certain bucket
* | select time_series(__TIMESTAMP__, '1m', '%Y-%m-%dT%H:%i:%s+08:00', '0') AS time, count(*) as pv, reqMethod group by time, reqMethod order by time limit 200
Collect statistics on the top 10 visitors of the error requests
resHttpCode:>200 | select remoteIp, count(*) group by remoteIp
Collect statistics on the bucket distribution of the failed operations
resHttpCode:>200 | select bucketName, count(*) group by bucketName
User request efficiency trend
* | select time_series(__TIMESTAMP__, '5m', '%Y-%m-%d %H:%i:%s', '0') as time,round(sum(case when resHttpCode=200 then 1.00 else 0.00 end) / cast(count(*) as double) * 100,1) as "Request efficiency" group by time limit 1000
User request source distribution
* | select ip_to_province(remoteIp) as province , count(*) as c group by province order by c desc limit 50