Standard logging reference
The following sections apply to both standard logging (v2) and standard logging (legacy).
Topics
Timing of log file delivery
CloudFront delivers logs for a distribution up to several times an hour. In general, a log file contains information about the requests that CloudFront received during a given time period. CloudFront usually delivers the log file for that time period to your destination within an hour of the events that appear in the log. Note, however, that some or all log file entries for a time period can sometimes be delayed by up to 24 hours. When log entries are delayed, CloudFront saves them in a log file for which the file name includes the date and time of the period in which the requests occurred, not the date and time when the file was delivered.
When creating a log file, CloudFront consolidates information for your distribution from all of the edge locations that received requests for your objects during the time period that the log file covers.
CloudFront can save more than one file for a time period depending on how many requests CloudFront receives for the objects associated with a distribution.
CloudFront begins to reliably deliver access logs about four hours after you enable logging. You might get a few access logs before that time.
Note
If no users request your objects during the time period, you don't receive any log files for that period.
How requests are logged when the request URL or headers exceed the maximum size
If the total size of all request headers, including cookies, exceeds 20 KB, or if the URL exceeds 8192 bytes, CloudFront can't parse the request completely and can't log the request. Because the request isn't logged, you won't see in the log files the HTTP error status code returned.
If the request body exceeds the maximum size, the request is logged, including the HTTP error status code.
Log file fields
The log file for a distribution contains 33 fields. The following list contains each field name, in order, along with a description of the information in that field.
-
date
The date on which the event occurred in the format
YYYY-MM-DD
. For example,2019-06-30
. The date and time are in Coordinated Universal Time (UTC). For WebSocket connections, this is the date when the connection closed. -
time
The time when the CloudFront server finished responding to the request (in UTC), for example,
01:42:39
. For WebSocket connections, this is the time when the connection is closed. -
x-edge-location
The edge location that served the request. Each edge location is identified by a three-letter code and an arbitrarily assigned number (for example, DFW3). The three-letter code typically corresponds with the International Air Transport Association (IATA) airport code for an airport near the edge location's geographic location. (These abbreviations might change in the future.)
-
sc-bytes
The total number of bytes that the server sent to the viewer in response to the request, including headers. For WebSocket and gRPC connections, this is the total number of bytes sent from the server to the client through the connection.
-
c-ip
The IP address of the viewer that made the request, for example,
192.0.2.183
or2001:0db8:85a3::8a2e:0370:7334
. If the viewer used an HTTP proxy or a load balancer to send the request, the value of this field is the IP address of the proxy or load balancer. See also thex-forwarded-for
field. -
cs-method
The HTTP request method received from the viewer.
-
cs(Host)
The domain name of the CloudFront distribution (for example, d111111abcdef8.cloudfront.net).
-
cs-uri-stem
The portion of the request URL that identifies the path and object (for example,
/images/cat.jpg
). Question marks (?) in URLs and query strings are not included in the log. -
sc-status
Contains one of the following values:
-
The HTTP status code of the server's response (for example,
200
). -
000
, which indicates that the viewer closed the connection before the server could respond to the request. If the viewer closes the connection after the server starts to send the response, this field contains the HTTP status code of the response that the server started to send.
-
-
cs(Referer)
The value of the
Referer
header in the request. This is the name of the domain that originated the request. Common referrers include search engines, other websites that link directly to your objects, and your own website. -
cs(User-Agent)
The value of the
User-Agent
header in the request. TheUser-Agent
header identifies the source of the request, such as the type of device and browser that submitted the request or, if the request came from a search engine, which search engine. -
cs-uri-query
The query string portion of the request URL, if any.
When a URL doesn't contain a query string, this field's value is a hyphen (-). For more information, see Cache content based on query string parameters.
-
cs(Cookie)
The
Cookie
header in the request, including name—value pairs and the associated attributes.If you enable cookie logging, CloudFront logs the cookies in all requests regardless of which cookies you choose to forward to the origin. When a request doesn't include a cookie header, this field's value is a hyphen (-). For more information about cookies, see Cache content based on cookies.
-
x-edge-result-type
How the server classified the response after the last byte left the server. In some cases, the result type can change between the time that the server is ready to send the response and the time that it finishes sending the response. See also the
x-edge-response-result-type
field.For example, in HTTP streaming, suppose the server finds a segment of the stream in the cache. In that scenario, the value of this field would ordinarily be
Hit
. However, if the viewer closes the connection before the server has delivered the entire segment, the final result type (and the value of this field) isError
.WebSocket and gRPC connections will have a value of
Miss
for this field because the content is not cacheable and is proxied directly to the origin.Possible values include:
-
Hit
– The server served the object to the viewer from the cache. -
RefreshHit
– The server found the object in the cache but the object had expired, so the server contacted the origin to verify that the cache had the latest version of the object. -
Miss
– The request could not be satisfied by an object in the cache, so the server forwarded the request to the origin and returned the result to the viewer. -
LimitExceeded
– The request was denied because a CloudFront quota (formerly referred to as a limit) was exceeded. -
CapacityExceeded
– The server returned an HTTP 503 status code because it didn't have enough capacity at the time of the request to serve the object. -
Error
– Typically, this means the request resulted in a client error (the value of thesc-status
field is in the4xx
range) or a server error (the value of thesc-status
field is in the5xx
range). If the value of thesc-status
field is200
, or if the value of this field isError
and the value of thex-edge-response-result-type
field is notError
, it means the HTTP request was successful but the client disconnected before receiving all of the bytes. -
Redirect
– The server redirected the viewer from HTTP to HTTPS according to the distribution settings.
-
-
x-edge-request-id
An opaque string that uniquely identifies a request. CloudFront also sends this string in the
x-amz-cf-id
response header. -
x-host-header
The value that the viewer included in the
Host
header of the request. If you're using the CloudFront domain name in your object URLs (such as d111111abcdef8.cloudfront.net), this field contains that domain name. If you're using alternate domain names (CNAMEs) in your object URLs (such as www.example.com), this field contains the alternate domain name.If you're using alternate domain names, see
cs(Host)
in field 7 for the domain name that is associated with your distribution. -
cs-protocol
The protocol of the viewer request (
http
,https
,grpcs
,ws
, orwss
). -
cs-bytes
The total number of bytes of data that the viewer included in the request, including headers. For WebSocket and gRPC connections, this is the total number of bytes sent from the client to the server on the connection.
-
time-taken
The number of seconds (to the thousandth of a second, for example, 0.082) from when the server receives the viewer's request to when the server writes the last byte of the response to the output queue, as measured on the server. From the perspective of the viewer, the total time to get the full response will be longer than this value because of network latency and TCP buffering.
-
x-forwarded-for
If the viewer used an HTTP proxy or a load balancer to send the request, the value of the
c-ip
field is the IP address of the proxy or load balancer. In that case, this field is the IP address of the viewer that originated the request. This field can contain multiple comma-separated IP addresses. Each IP address can be an IPv4 address (for example,192.0.2.183
) or an IPv6 address (for example,2001:0db8:85a3::8a2e:0370:7334
).If the viewer did not use an HTTP proxy or a load balancer, the value of this field is a hyphen (-).
-
ssl-protocol
When the request used HTTPS, this field contains the SSL/TLS protocol that the viewer and server negotiated for transmitting the request and response. For a list of possible values, see the supported SSL/TLS protocols in Supported protocols and ciphers between viewers and CloudFront.
When
cs-protocol
in field 17 ishttp
, the value for this field is a hyphen (-). -
ssl-cipher
When the request used HTTPS, this field contains the SSL/TLS cipher that the viewer and server negotiated for encrypting the request and response. For a list of possible values, see the supported SSL/TLS ciphers in Supported protocols and ciphers between viewers and CloudFront.
When
cs-protocol
in field 17 ishttp
, the value for this field is a hyphen (-). -
x-edge-response-result-type
How the server classified the response just before returning the response to the viewer. See also the
x-edge-result-type
field. Possible values include:-
Hit
– The server served the object to the viewer from the cache. -
RefreshHit
– The server found the object in the cache but the object had expired, so the server contacted the origin to verify that the cache had the latest version of the object. -
Miss
– The request could not be satisfied by an object in the cache, so the server forwarded the request to the origin server and returned the result to the viewer. -
LimitExceeded
– The request was denied because a CloudFront quota (formerly referred to as a limit) was exceeded. -
CapacityExceeded
– The server returned a 503 error because it didn't have enough capacity at the time of the request to serve the object. -
Error
– Typically, this means the request resulted in a client error (the value of thesc-status
field is in the4xx
range) or a server error (the value of thesc-status
field is in the5xx
range).If the value of the
x-edge-result-type
field isError
and the value of this field is notError
, the client disconnected before finishing the download. -
Redirect
– The server redirected the viewer from HTTP to HTTPS according to the distribution settings.
-
-
cs-protocol-version
The HTTP version that the viewer specified in the request. Possible values include
HTTP/0.9
,HTTP/1.0
,HTTP/1.1
,HTTP/2.0
, andHTTP/3.0
. -
fle-status
When field-level encryption is configured for a distribution, this field contains a code that indicates whether the request body was successfully processed. When the server successfully processes the request body, encrypts values in the specified fields, and forwards the request to the origin, the value of this field is
Processed
. The value ofx-edge-result-type
can still indicate a client-side or server-side error in this case.Possible values for this field include:
-
ForwardedByContentType
– The server forwarded the request to the origin without parsing or encryption because no content type was configured. -
ForwardedByQueryArgs
– The server forwarded the request to the origin without parsing or encryption because the request contains a query argument that wasn't in the configuration for field-level encryption. -
ForwardedDueToNoProfile
– The server forwarded the request to the origin without parsing or encryption because no profile was specified in the configuration for field-level encryption. -
MalformedContentTypeClientError
– The server rejected the request and returned an HTTP 400 status code to the viewer because the value of theContent-Type
header was in an invalid format. -
MalformedInputClientError
– The server rejected the request and returned an HTTP 400 status code to the viewer because the request body was in an invalid format. -
MalformedQueryArgsClientError
– The server rejected the request and returned an HTTP 400 status code to the viewer because a query argument was empty or in an invalid format. -
RejectedByContentType
– The server rejected the request and returned an HTTP 400 status code to the viewer because no content type was specified in the configuration for field-level encryption. -
RejectedByQueryArgs
– The server rejected the request and returned an HTTP 400 status code to the viewer because no query argument was specified in the configuration for field-level encryption. -
ServerError
– The origin server returned an error.
If the request exceeds a field-level encryption quota (formerly referred to as a limit), this field contains one of the following error codes, and the server returns HTTP status code 400 to the viewer. For a list of the current quotas on field-level encryption, see Quotas on field-level encryption.
-
FieldLengthLimitClientError
– A field that is configured to be encrypted exceeded the maximum length allowed. -
FieldNumberLimitClientError
– A request that the distribution is configured to encrypt contains more than the number of fields allowed. -
RequestLengthLimitClientError
– The length of the request body exceeded the maximum length allowed when field-level encryption is configured.
If field-level encryption is not configured for the distribution, the value of this field is a hyphen (-).
-
-
fle-encrypted-fields
The number of field-level encryption fields that the server encrypted and forwarded to the origin. CloudFront servers stream the processed request to the origin as they encrypt data, so this field can have a value even if the value of
fle-status
is an error.If field-level encryption is not configured for the distribution, the value of this field is a hyphen (-).
-
c-port
The port number of the request from the viewer.
-
time-to-first-byte
The number of seconds between receiving the request and writing the first byte of the response, as measured on the server.
-
x-edge-detailed-result-type
This field contains the same value as the
x-edge-result-type
field, except in the following cases:-
When the object was served to the viewer from the Origin Shield layer, this field contains
OriginShieldHit
. -
When the object was not in the CloudFront cache and the response was generated by an origin request Lambda@Edge function, this field contains
MissGeneratedResponse
. -
When the value of the
x-edge-result-type
field isError
, this field contains one of the following values with more information about the error:-
AbortedOrigin
– The server encountered an issue with the origin. -
ClientCommError
– The response to the viewer was interrupted due to a communication problem between the server and the viewer. -
ClientGeoBlocked
– The distribution is configured to refuse requests from the viewer's geographic location. -
ClientHungUpRequest
– The viewer stopped prematurely while sending the request. -
Error
– An error occurred for which the error type doesn't fit any of the other categories. This error type can occur when the server serves an error response from the cache. -
InvalidRequest
– The server received an invalid request from the viewer. -
InvalidRequestBlocked
– Access to the requested resource is blocked. -
InvalidRequestCertificate
– The distribution doesn't match the SSL/TLS certificate for which the HTTPS connection was established. -
InvalidRequestHeader
– The request contained an invalid header. -
InvalidRequestMethod
– The distribution is not configured to handle the HTTP request method that was used. This can happen when the distribution supports only cacheable requests. -
OriginCommError
– The request timed out while connecting to the origin, or reading data from the origin. -
OriginConnectError
– The server couldn't connect to the origin. -
OriginContentRangeLengthError
– TheContent-Length
header in the origin's response doesn't match the length in theContent-Range
header. -
OriginDnsError
– The server couldn't resolve the origin's domain name. -
OriginError
– The origin returned an incorrect response. -
OriginHeaderTooBigError
– A header returned by the origin is too big for the edge server to process. -
OriginInvalidResponseError
– The origin returned an invalid response. -
OriginReadError
– The server couldn't read from the origin. -
OriginWriteError
– The server couldn't write to the origin. -
OriginZeroSizeObjectError
– A zero size object sent from the origin resulted in an error. -
SlowReaderOriginError
– The viewer was slow to read the message that caused the origin error.
-
-
-
sc-content-type
The value of the HTTP
Content-Type
header of the response. -
sc-content-len
The value of the HTTP
Content-Length
header of the response. -
sc-range-start
When the response contains the HTTP
Content-Range
header, this field contains the range start value. -
sc-range-end
When the response contains the HTTP
Content-Range
header, this field contains the range end value.
The following is an example log file for a distribution.
#Version: 1.0 #Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol ssl-cipher x-edge-response-result-type cs-protocol-version fle-status fle-encrypted-fields c-port time-to-first-byte x-edge-detailed-result-type sc-content-type sc-content-len sc-range-start sc-range-end 2019-12-04 21:02:31 LAX1 392 192.0.2.100 GET d111111abcdef8.cloudfront.net /index.html 200 - Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/78.0.3904.108%20Safari/537.36 - - Hit SOX4xwn4XV6Q4rgb7XiVGOHms_BGlTAC4KyHmureZmBNrjGdRLiNIQ== d111111abcdef8.cloudfront.net https 23 0.001 - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Hit HTTP/2.0 - - 11040 0.001 Hit text/html 78 - - 2019-12-04 21:02:31 LAX1 392 192.0.2.100 GET d111111abcdef8.cloudfront.net /index.html 200 - Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/78.0.3904.108%20Safari/537.36 - - Hit k6WGMNkEzR5BEM_SaF47gjtX9zBDO2m349OY2an0QPEaUum1ZOLrow== d111111abcdef8.cloudfront.net https 23 0.000 - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Hit HTTP/2.0 - - 11040 0.000 Hit text/html 78 - - 2019-12-04 21:02:31 LAX1 392 192.0.2.100 GET d111111abcdef8.cloudfront.net /index.html 200 - Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/78.0.3904.108%20Safari/537.36 - - Hit f37nTMVvnKvV2ZSvEsivup_c2kZ7VXzYdjC-GUQZ5qNs-89BlWazbw== d111111abcdef8.cloudfront.net https 23 0.001 - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Hit HTTP/2.0 - - 11040 0.001 Hit text/html 78 - - 2019-12-13 22:36:27 SEA19-C1 900 192.0.2.200 GET d111111abcdef8.cloudfront.net /favicon.ico 502 http://www.example.com/ Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/78.0.3904.108%20Safari/537.36 - - Error 1pkpNfBQ39sYMnjjUQjmH2w1wdJnbHYTbag21o_3OfcQgPzdL2RSSQ== www.example.com http 675 0.102 - - - Error HTTP/1.1 - - 25260 0.102 OriginDnsError text/html 507 - - 2019-12-13 22:36:26 SEA19-C1 900 192.0.2.200 GET d111111abcdef8.cloudfront.net / 502 - Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/78.0.3904.108%20Safari/537.36 - - Error 3AqrZGCnF_g0-5KOvfA7c9XLcf4YGvMFSeFdIetR1N_2y8jSis8Zxg== www.example.com http 735 0.107 - - - Error HTTP/1.1 - - 3802 0.107 OriginDnsError text/html 507 - - 2019-12-13 22:37:02 SEA19-C2 900 192.0.2.200 GET d111111abcdef8.cloudfront.net / 502 - curl/7.55.1 - - Error kBkDzGnceVtWHqSCqBUqtA_cEs2T3tFUBbnBNkB9El_uVRhHgcZfcw== www.example.com http 387 0.103 - - - Error HTTP/1.1 - - 12644 0.103 OriginDnsError text/html 507 - -
Analyze logs
Because you can receive multiple access logs per hour, we recommend that you combine all the log files you receive for a given time period into one file. You can then analyze the data for that period more accurately and completely.
One way to analyze your access logs is to use Amazon Athena
In addition, the following AWS blog posts discuss some ways to analyze access logs.
-
Amazon CloudFront Request Logging
(for content delivered via HTTP)