diff --git a/entry/src/kni_entry.cpp b/entry/src/kni_entry.cpp
index 1c067bc..bd7a061 100644
--- a/entry/src/kni_entry.cpp
+++ b/entry/src/kni_entry.cpp
@@ -103,6 +103,7 @@ struct pme_info{
 int tfe_release;
 int sapp_release;
 //kafka log
+ struct TLD_handle_t *tld_handle;
 const struct streaminfo *stream;
 int maat_result_num;
 Maat_rule_t maat_result;
@@ -296,7 +297,7 @@ ssl: ssl_sni, ssl_pinningst, ssl_intercept_state, ssl_server_side_latency, ssl_c
 */
 static int log_generate(struct pme_info *pmeinfo){
 void *local_logger = g_kni_handle->local_logger;
- TLD_handle_t tld_handle = TLD_create(-1);
+ struct TLD_handle_t *tld_handle = pmeinfo->tld_handle;
 //common
 //schema_type
 TLD_append(tld_handle, (char*)"common_schema_type", (void*)(pmeinfo->protocol == PROTO_SSL ? "SSL" : "HTTP"), TLD_TYPE_STRING);
@@ -336,7 +337,7 @@ static int log_generate(struct pme_info *pmeinfo){
 memset(&log_msg, 0, sizeof(log_msg));
 log_msg.result_num = pmeinfo->maat_result_num;
 log_msg.result = &(pmeinfo->maat_result);
- log_msg.a_stream = (struct streaminfo*)pmeinfo->stream;
+ log_msg.a_stream = NULL;
 int ret = tsg_send_log(g_tsg_log_instance, tld_handle, &log_msg, -1);
 if(ret < 0){
 FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_SENDLOG_FAIL], 0, FS_OP_ADD, 1);
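Review bot: log_generate passes `pmeinfo->tld_handle` straight to `TLD_append` with no NULL check, and the only assignment in this diff is the unchecked `TLD_create(-1)` in first_data_process. If creation can fail, or log_generate is ever reached for a pme that never took the intercept branch, the first append works on a null or stale pointer; a guard such as `if(tld_handle == NULL){ return -1; }` at the top would make that case explicit. The same unchecked handle is passed to `TLD_append_streaminfo` in close_opstate. Whether `TLD_append` tolerates NULL is not visible here, and log_generate's body continues outside the hunk.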
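Review bot: `log_msg.a_stream = NULL;` in log_generate has no comment explaining why the stream pointer is no longer handed to `tsg_send_log`. From the rest of the diff it appears the stream fields are now captured earlier by `TLD_append_streaminfo`, presumably because `pmeinfo->stream` may no longer be valid when the log is sent; a one-line comment such as `//stream info was already appended to tld_handle, stream may be gone here` would record that. Any path that reaches stream_destroy without one of the two append calls would send a log with no stream fields, so it is worth confirming there is none. The function continues outside the hunk.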
@@ -354,12 +355,14 @@ error_out:
 static void stream_destroy(struct pme_info *pmeinfo){
 //sendlog
 void *logger = g_kni_handle->local_logger;
- int ret = log_generate(pmeinfo);
- if(ret < 0){
- KNI_LOG_ERROR(logger, "Failed at log_generate, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
- }
- else{
- KNI_LOG_DEBUG(logger, "Succeed at log_generate, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
+ if(pmeinfo->action == KNI_ACTION_INTERCEPT){
+ int ret = log_generate(pmeinfo);
+ if(ret < 0){
+ KNI_LOG_ERROR(logger, "Failed at log_generate, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
+ }
+ else{
+ KNI_LOG_DEBUG(logger, "Succeed at log_generate, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
+ }
 }
 //free pme
 pme_info_destroy(pmeinfo);
@@ -1002,13 +1005,13 @@ static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmei
 KNI_LOG_DEBUG(logger, "stream has dup traffic, traceid = %s", pmeinfo->stream_traceid);
 }
 FREE(&buff);
- return APP_STATE_KILL_OTHER | APP_STATE_GIVEME;
+ return APP_STATE_DROPPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME;
 error_out:
 if(buff != NULL){
 FREE(&buff);
 }
- return APP_STATE_KILL_OTHER | APP_STATE_DROPME;
+ return APP_STATE_DROPPKT | APP_STATE_KILL_OTHER | APP_STATE_DROPME;
 }
 static int dabloom_search(struct pkt_info *pktinfo, int thread_seq){
@@ -1146,6 +1149,8 @@ char first_data_process(struct streaminfo *stream, struct pme_info *pmeinfo, str
 switch(pmeinfo->action){
 case KNI_ACTION_INTERCEPT:
 pmeinfo->ssl_intercept_state = 1;
+ //only action = intercept, need sendlog
+ pmeinfo->tld_handle = TLD_create(-1);
 return first_data_intercept(stream, pmeinfo, pktinfo, thread_seq);
 default:
 //action != intercept,bypass and dropme
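Review bot: The `error_out` return in first_data_intercept now includes `APP_STATE_DROPPKT`, so a failed intercept setup drops the triggering packet as well, and nothing in the hunk records that this is intended rather than a copy of the success path. A short comment such as `//on failure the packet is dropped too, not forwarded` would settle it. The same `APP_STATE_DROPPKT | APP_STATE_KILL_OTHER | ...` expression is repeated in data_opstate and close_opstate; a named constant for each combination would keep the three sites in step. first_data_intercept returns int, but first_data_process, which returns its result, is declared char in its hunk header, so it is worth confirming the combined flags fit in a char. The function starts outside the hunk.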
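Review bot: The handle stored by `pmeinfo->tld_handle = TLD_create(-1);` in first_data_process has no matching release anywhere in this diff. Before the change the handle was a local of log_generate; now it lives on the pme, so either pme_info_destroy or log_generate (on both its normal and `error_out` paths) has to free it exactly once, otherwise an intercepted stream leaks the handle or leaves a dangling pointer in the struct. If log_generate or `tsg_send_log` consumes the handle, adding `pmeinfo->tld_handle = NULL;` right after the send would make a second use fail visibly. None of those bodies are visible here, so this needs checking against the full file; first_data_process itself starts and ends outside the hunk.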
@@ -1161,7 +1166,7 @@ static char data_opstate(struct streaminfo *stream, struct pme_info *pmeinfo, co //pmeinfo->action has only 2 value: KNI_ACTION_NONE, KNI_ACTION_INTERCEPT if(pmeinfo->action == KNI_ACTION_INTERCEPT){ next_data_intercept(pmeinfo, a_packet, &pktinfo, thread_seq); - return APP_STATE_KILL_OTHER | APP_STATE_GIVEME; + return APP_STATE_DROPPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME; } //first data if(stream->ptcpdetail->datalen > 0){ @@ -1200,11 +1205,12 @@ static char close_opstate(const struct streaminfo *stream, struct pme_info *pmei //close: a_packet = null, do not sendto tfe switch(pmeinfo->action){ case KNI_ACTION_INTERCEPT: + TLD_append_streaminfo(g_tsg_log_instance, pmeinfo->tld_handle, (struct streaminfo*)pmeinfo->stream); //reset clock: when sapp end, start clock MESA_htable_search(g_kni_handle->traceid2pme_htable, (const unsigned char*)pmeinfo->stream_traceid, strnlen(pmeinfo->stream_traceid, sizeof(pmeinfo->stream_traceid))); tuple2stream_htable_del(stream, thread_seq); - return APP_STATE_KILL_OTHER | APP_STATE_DROPME; + return APP_STATE_DROPPKT | APP_STATE_KILL_OTHER | APP_STATE_DROPME; //stream has no data. default: return APP_STATE_FAWPKT | APP_STATE_DROPME; @@ -1299,6 +1305,7 @@ extern "C" char kni_tcpall_entry(struct streaminfo *stream, void** pme, int thre FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_INTCPERR], 0, FS_OP_ADD, 1); if(pmeinfo != NULL){ //pmeinfo->policy_id = -1; + TLD_append_streaminfo(g_tsg_log_instance, pmeinfo->tld_handle, (struct streaminfo*)pmeinfo->stream); stream_destroy(pmeinfo); } }
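Review bot: The added `TLD_append_streaminfo(g_tsg_log_instance, pmeinfo->tld_handle, ...)` in kni_tcpall_entry's error branch is guarded only by `pmeinfo != NULL`, not by the handle having been created. `tld_handle` is assigned only in the `KNI_ACTION_INTERCEPT` case of first_data_process, so if this branch can run for a pme that never got there, the call receives a null or uninitialised pointer; whether pme_info is zeroed at allocation is not visible. Guarding it with `if(pmeinfo->tld_handle != NULL)` would match the `action == KNI_ACTION_INTERCEPT` gate this commit adds in stream_destroy. The call could also take the `stream` parameter directly instead of casting away const from `pmeinfo->stream`, assuming the two refer to the same stream. The function starts outside the hunk.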