You can enable the log collector function for Cloud Firewall in the Cloud Firewall console.

Prerequisites

  • You have activated Cloud Firewall.
  • You have activated Alibaba Cloud Log Service.

Background information

The log collector function retrieves log data of inbound and outbound Internet traffic for Alibaba Cloud Firewall in real time. The retrieved log data can be searched and analyzed in real time, and the returned results are displayed in dashboards. Based on the log data, you can analyze visits to and attacks on your websites and help the security engineers develop protection strategies.

After you enable the Cloud Firewall log analysis function, the log analysis function automatically creates a dedicated Logstore named cloudfirewall-logstore under your account. Cloud Firewall automatically imports log entries to this dedicated Logstore in real time. For more information about the default configuration of the dedicated Logstore, see Default configuration.

Procedure

  1. In the left-side navigation pane, locate Log Analysis.
  2. Click the Status switch on the right side to enable the log collector function.
    Table 1. Default log analysis configuration
    Default configuration item Description
    Project The log analysis project created by Cloud Firewall. The project name is determined according to the region of your Cloud Firewall instance.
    • If the Cloud Firewall instance is deployed in a Mainland China region, the project name is: cloudfirewall-project-Alibaba Cloud account ID-cn-hangzhou.
    • If the Cloud Firewall instance is deployed in the Finance Cloud (Hangzhou) region, the project name is: cloudfirewall-project-Alibaba Cloud account ID-cn-hangzhou-finance.
    • If the Cloud Firewall instance is deployed in other regions, the project name is: cloudfirewall-project-Alibaba Cloud account ID-ap-southeast-1.
    Logstore The default Logstore is cloudfirewall-logstore.

    All log data retrieved by Cloud Firewall is stored in this Logstore.
    Region
    • If the Cloud Firewall instance is deployed in a Mainland China region, the project is saved in the China (Hangzhou) region by default.
    • If the Cloud Firewall instance is deployed in other regions, the project is saved in the Singapore region by default.
    Shard By default, two shards are created and the Automatic shard splitting function is enabled.
    Dashboards A dashboard is created by default.
    Note The default log analysis configuration items cannot be modified.
    Restrictions and guidelines
    • After you enable the Log Analysis function, the system automatically creates a Logstore named cloudfirewall-logstore in the Log Service console. The Logstore is dedicated to Cloud Firewall and stores all log entries of Cloud Firewall. Do not delete this Logstore.
    • Other data cannot be written into the dedicated Logstore.
      Log entries generated by Cloud Firewall are stored in the dedicated Logstore. You cannot write other data into this Logstore by using the API, SDK, or other methods.
      Note The dedicated Logstore has no restrictions in search, statistics, alerts, streaming consumption, and other functions.
    • Basic configurations, such as the log storage period, cannot be modified.
    • The dedicated Logstore is not billed.
      To use the dedicated Logstore, you must activate Log Service for your account.
      Note When your Log Service is overdue, the Cloud Firewall log collector function is suspended until you pay the bills.
    • Do not delete or modify the configurations of the default project, Logstore, index, and dashboards created by Log Service. Log Service will update the Cloud Firewall log analysis function. The index of the dedicated Logstore and the default report are also updated.
    • If you want to use the Cloud Firewall log analysis function with a RAM user account, you must grant the required Log Service permissions to the RAM user account. For more information, seeRam user log analysis authorization.