Skip to main content
Logs uploader automatically exports CDN resource logs to configured storage destinations in near real time, providing continuous visibility into request activity and cache behavior. Exported logs contain information about user requests processed by cache servers, and by mid-tier cache servers when Origin shielding is enabled.
Logs uploader must first be enabled and set up in the Gcore Customer Portal on the Gcore CDN page, or by contacting the Gcore support.

Configuring Logs uploader

In the CDN menu, click Logs and select Logs uploader. Control which fields are exported, how frequently the logs are delivered, and which storage service they are sent to. Supported destinations include Gcore Object Storage, S3-compatible platforms, FTP and SFTP servers, and HTTP(S) endpoints. This flexibility helps you integrate CDN logs into existing observability, analytics, or compliance workflows while effectively managing data volume and processing requirements. The Logs uploader screen has three tabs:
  • Configurations — link policies and targets to deliver logs
  • Policies — set export rules and schedules
  • Targets — connect upload destinations
To add a configuration you must first have a policy and a target.
Select the Configurations tab to view a table of configurations:
  • Configuration ID
    Click the column header to sort the table by configuration IDs.
  • Configuration name
  • Click the column header to sort the table by configuration names.
  • Click a configuration name to edit the configuration.
Use the search box at the top of the table to filter configurations by name or ID.
  • Policy
    Click a policy name to edit the linked policy.
  • Target
    Click a target name to edit the linked target.
  • Status
    Linked target status is displayed in the Status column. To re-run the authentication check, click (refresh) at the end of the status message.
  • More options
    Click (more options) in the last column to Edit, Disable, or Delete the configuration in that row.
  • Add configuration
    Click Add configuration (top right) to create a new configuration.
  • Go to Logs uploader, select the Configurations tab, and click Add configuration.
Enable configuration switch appears at the top of the Add configuration window; to disable the configuration, toggle the switch to the left.
  • Select the resources for this configuration:
For all resources, including newly created:
  • Enter a Name for the configuration.
  • Select a Policy to link from the drop-down list.
  • Select a Target to link from the drop-down list.
  • Click Add configuration again to finish and return to the Logs uploader. The new target appears in the table on the Configurations tab.
Configurations with correctly configured targets show Authentication complete in the Status column; to re-run the authentication check, click (refresh) at the end of the status message.
  • Go to Logs uploader and select the Configurations tab.
  • Click the configuration name in the Configurations column, or click (more options) at the end of that row and select Edit.
Enable configuration switch appears at the top of the Edit configuration window; to disable the configuration, toggle the switch to the left.
  • Select the resources for this configuration:
For all resources, including newly created:
  • Edit configuration Name.
  • Select a Policy to link from the drop-down list.
  • Select a Target to link from the drop-down list.
  • Click Save changes (top right) to return to the Logs uploader.
Configurations with correctly configured targets show Authentication complete in the Status column; to re-run the authentication check, click (refresh) at the end of the status message.
  • Go to Logs uploader and select the Configurations tab.
  • In the row with the configuration name, click (more options) in the last column and select EnableDisable, or Delete
A configuration can also be enabled or disabled using the Enable configuration switch in Edit configuration or Add configuration windows.

Log schema and field definitions

It’s OK if you find a field that’s not listed in the example. We occasionally add new fields to the end of the line. If some fields are added to logs, you’ll receive an email about the update.
The following table contains a complete list of available log fields. Fields formatted in italics relate to our internal CDN system, so you can ignore them.You can check other fields — they can be helpful for traffic analysis or statistics.

WAAP log fields

If your CDN resource has WAAP enabled, the Logs uploader automatically appends WAAP security event fields to each request log line, alongside the CDN fields described above. You receive a single merged log entry per request, so the CDN access data and the matching WAAP security verdict arrive correlated and on the same delivery channel as your existing CDN logs - no separate file, no extra configuration on your side.
Eligibility. WAAP fields are added only for resources that have WAAP enabled and use the current edge protection architecture. For resources without WAAP, the existing CDN log line is unchanged.
DDoS protection logs are not exported through the Logs uploader. Only per-request WAAP security events are included. DDoS attack analytics remain available through the WAAP API and dashboard.
The following fields are appended to each request log line when WAAP is enabled on the resource.
All WAAP fields are best-effort: a field is empty ("") when WAAP did not compute a value for the request (for example, no rule matched, or the request was served before WAAP analysis completed). Treat empty values as “not applicable”, not “zero”.
The $waap_decision field gives the final security verdict that WAAP applied at the edge:The $waap_optional_action field describes any additional action applied alongside the decision:
Challenged requests are recorded as blocked. Logs are written at the edge as soon as the response is sent, before WAAP knows whether the client will solve the challenge. When the client passes the challenge, subsequent requests from the same session are exported with $waap_decision="passed" and $waap_passed_incident_id pointing back to the original incident, so you can trace the final outcome by joining the two log lines on the session identifier. The full per-incident result is also available through the WAAP Request Details API.
Each exported log line carries a schema version field that identifies the JSON payload version (for example, "v":"5"). The version is incremented whenever fields are added, renamed, or removed. We add new fields in a backwards-compatible way where possible (existing field names and positions are preserved), so most schema changes do not require parser updates on your side. Breaking changes are announced in advance through the standard CDN update notifications. Pin your downstream parsers (SIEM, ETL) to a known version and check the v value to detect schema changes safely.

How near real time log exporting works

The Time interval setting in a Policy defines the frequency with which the logs are archived and exported. This interval is 5 minutes by default and can be set to between 5 and 60 minutes. If CDN servers are not requested and the Do not send empty logs checkbox is not selected when configuring Logs uploader, an empty log file (± 20 bytes) will be sent to the storage target.