Log collection - Logs| Alibaba Cloud Documentation Center

Log collection

Edit in GitHub

Last Updated: Apr 14, 2020 Edit in GitHub

You can enable the log collection function in the Cloud Firewall console.

Prerequisites

Cloud Firewall is activated.
Alibaba Cloud Log Service is activated.

Background information

This function collects logs of inbound and outbound traffic on the Internet firewall in real time. It retrieves and analyzes log data and displays the results in dashboards. You can analyze visits to and attacks on your websites based on the log data and help security engineers develop protection policies.

After you enable the Log Analysis feature, a dedicated Logstore named cloudfirewall-logstore is created under your Alibaba Cloud account. Cloud Firewall automatically imports logs to this Logstore. For more configurations, see Default log analysis configurations.

Procedure

Log on to the Cloud Firewall console.
In the left-side navigation pane, choose Logs > Log Analysis.

In the upper-right corner of the Log Analysis page, turn on the switch next to Status to enable log collection.

Table 1. Default log analysis configurations
Item	Description
Project	The log analysis project created by Cloud Firewall. The project name is determined based on the region of your Cloud Firewall instance. If the Cloud Firewall instance is deployed in a mainland China region, the project name is in the following format: `cloudfirewall-project-Alibaba Cloud account ID-cn-hangzhou`. If the instance is deployed in the Hangzhou region of Alibaba Finance Cloud, the project name is in the following format: `cloudfirewall-project-Alibaba Cloud account ID-cn-hangzhou-finance`. If the instance is deployed in other regions, the project name is in the following format: `cloudfirewall-project-Alibaba Cloud account ID-ap-southeast-1`.
Logstore	The default Logstore is `cloudfirewall-logstore`. All log data collected by Cloud Firewall is stored in this Logstore.
Region	If the Cloud Firewall instance is deployed in a mainland China region, the project is saved in the China (Hangzhou) region. If the instance is deployed in other regions, the project is saved in the Singapore region.
Shard	Two shards are created, with the automatic sharding function enabled.
Dashboard	A dashboard is created.

Note The default log analysis configurations cannot be modified.

Limits and notes

After you enable the Log Analysis feature, a dedicated Logstore named cloudfirewall-logstore is created in the Log Service console. The Logstore is used to store logs collected by Cloud Firewall. Do not delete it.
Other data cannot be written into this Logstore, whether by calling APIs or using SDKs.

Note The Logstore has no restrictions on functions such as queries, statistics, alerts, and streaming consumption.
You cannot change basic configurations of the Logstore, such as the storage duration.
The Logstore is not billed.
To use the Logstore, you must activate Log Service for your Alibaba Cloud account.

Note When your Log Service is overdue, the log collection function in Cloud Firewall is suspended until you pay the overdue bills.
Do not delete or modify configurations of the default project, Logstore, index, and dashboard created in Log Service. Log Service automatically updates data from the Log Analysis feature, the index of the Logstore, and the default reports.
If you want to use the Log Analysis feature in a RAM user account, you must grant the Log Service permissions to the RAM user. For more information, see Authorize RAM user accounts with Log Analysis function.