Log Service for WAF integrates Web Application Firewall (WAF) with Alibaba Cloud Log Service to collect, store, and analyze access logs and protection logs for all domain names protected by WAF. Use it to query and visualize traffic patterns, set up real-time alerts, and forward logs to external systems for compliance and downstream processing.
Who should use this feature
Log Service for WAF is designed for:
- Large enterprises with compliance requirements: financial institutions, public service agencies, and other organizations that must retain host, network, and security logs across cloud assets for regulatory purposes.
- Security operations center (SOC) teams: organizations in real estate, e-commerce, finance, and public services that centralize security and alert log management.
- Teams requiring advanced log analysis: IT, gaming, and finance companies that need in-depth analysis and automated alert handling.
- Anyone tracking security events or meeting protection standards: teams generating weekly, monthly, or yearly reports, or those subject to classified protection requirements under Multi-Level Protection Scheme (MLPS) level 3 or higher.
Use cases
| Goal | How Log Service for WAF helps |
|---|---|
| Investigate security incidents | Trace web attack logs back to the source of security threats. |
| Monitor traffic health | Query request volumes and track status and trend changes over time. |
| Evaluate security effectiveness | Measure how well your protection rules are performing and respond to anomalies quickly. |
| Centralize log management | Forward security network logs to your own data and computing centers for further processing or long-term retention. |
Benefits
- Compliance audits: Store website access logs for more than six months to satisfy classified protection requirements.
- Flexible configuration: Enable log collection for specific domain names in a few steps. Set a custom retention period and storage capacity, and choose between Full Logs and Block Logs storage types. Modify or create report templates to match your business or security requirements.
- Real-time log analysis: Query and analyze logs as they arrive using an out-of-the-box (OOTB) report center with interactive data mining. Identify attacks and access patterns without delay.
- Real-time alerting: Create alert rules based on specific metrics. Log Service evaluates query results on a schedule and sends an alert notification when a trigger condition is met, so you can act on critical service issues immediately.
- Collaboration: Connect log data to real-time computing, cloud storage, and visualization solutions to drive further analysis and automation.
Feature overview
| Feature | What it does |
|---|---|
| Log collection | Enable log collection per domain name to start collecting and storing access and protection logs. Supports two storage types: Full Logs and Block Logs. Adjust the retention period, log fields, and storage type on the Log Settings page. For details on available log fields, see Log fields supported by WAF. To change settings after enablement, see Modify log settings. |
| Log query and analysis | Run query statements against collected logs using a search statement combined with an analytic statement in standard SQL-92 syntax, separated by a vertical bar (\|). View results as tables, line charts, column charts, or pie charts. Create alert rules on query results to trigger notifications when conditions are met. For search syntax details, see Search syntax. For analytic statement reference, see Log analysis overview. |
| Dashboards | View pre-built dashboards without writing a query — just set a time range. Three dashboards are available: Operation Center, Access Center, and Security Center. Subscribe to dashboards to receive scheduled data snapshots by email. |
| Management of log storage space | Monitor log storage usage from the WAF console. Increase storage capacity or delete stored logs to manage space based on your needs. |
| Integrate WAF logs into a Syslog server | Use Python programs to forward WAF logs to a Syslog server, consolidating all related logs in your security operations center (SOC) to meet regulatory and audit requirements. |
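
The formatting step of the Syslog integration described in the last row, as an added example that is not Alibaba Cloud's own forwarding program: it turns one WAF log record into an RFC 5424 message and escapes attacker-controlled values so that a crafted request path cannot inject a second syslog line. The field names (`__time__`, `final_action`, `real_client_ip`, `request_path`), the severity mapping, the hostname and the sample record are assumptions for illustration.

```python
import socket
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16
SEVERITY = {"block": 4}   # assumed mapping: blocked requests -> warning, others -> info (6)
SD_ID = "waf@32473"       # 32473 is the enterprise number reserved for documentation

def _sd_name(key):
    """SD-NAME: printable ASCII without '=', ']', '"' or space, at most 32 chars."""
    cleaned = "".join(c if 33 <= ord(c) <= 126 and c not in '=]"' else "_" for c in key)
    return cleaned[:32] or "_"

def _sd_value(value):
    """Escape the three characters RFC 5424 requires and neutralise control chars."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")
    # CR/LF in a logged URL or header would otherwise start a forged syslog record.
    return "".join(c if ord(c) >= 32 else " " for c in text)

def to_rfc5424(record, hostname="waf-forwarder", app="waf"):
    """Render one WAF log record (a dict) as a single-line RFC 5424 message."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY.get(record.get("final_action"), 6)
    ts = datetime.fromtimestamp(int(record["__time__"]), tz=timezone.utc)
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    params = " ".join(f'{_sd_name(k)}="{_sd_value(v)}"'
                      for k, v in sorted(record.items()) if k != "__time__")
    return f"<{pri}>1 {stamp} {hostname} {app} - - [{SD_ID} {params}]"

def send_tcp(messages, host, port=601):
    """Ship messages with RFC 6587 octet counting, so framing never depends on newlines."""
    with socket.create_connection((host, port), timeout=5) as conn:
        for msg in messages:
            data = msg.encode("utf-8")
            conn.sendall(str(len(data)).encode("ascii") + b" " + data)

# Constructed record, not real WAF output; the path carries an injection attempt.
SAMPLE = {
    "__time__": 1700000000,
    "host": "www.example.com",
    "real_client_ip": "203.0.113.7",
    "request_path": '/search?q="]\n<13>1 fake',
    "status": "405",
    "final_action": "block",
}

if __name__ == "__main__":
    print(to_rfc5424(SAMPLE))
```
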