After you enable the log analysis feature for Cloud Firewall, you can modify the default log storage configurations if they do not meet your business requirements. You can change the collected log types, log storage region, and storage duration to ensure that your log management solution aligns with your business strategy.
Prerequisites
The log analysis feature for Cloud Firewall is enabled. For more information, see Log analysis overview.
Set log collection types
The log analysis feature collects traffic logs of assets in real time, allowing you to instantly retrieve and analyze the data. The results are displayed on intuitive dashboards, which helps you quickly analyze asset access patterns and potential attack behaviors to develop effective protection measures.
Collected log types
Cloud Firewall supports the collection of the following types of traffic logs:
Internet traffic logs
Attack event logs: Traffic logs from the Internet firewall that trigger intrusion prevention rules.
Access control logs: Traffic logs that match the access control policies of the Internet firewall.
Other traffic logs: Other traffic that passes through the Internet firewall.
VPC traffic logs
Attack event logs: Traffic logs that match the intrusion prevention rules of the VPC firewall.
Access control logs: Traffic logs that match the access control policies of the VPC firewall.
Other traffic logs: Other traffic that passes through the VPC firewall.
DNS traffic logs: All traffic logs that pass through the DNS Border.
IPv6 traffic logs: Traffic logs that match the IPv6 access control policies of the Internet firewall.
NAT traffic logs: All traffic logs that pass through NAT firewalls.
Modify the log delivery switch
Cloud Firewall provides a default state for the delivery switch of each log type. The state of each switch is displayed in the console. You can modify the states of these switches as needed.
Disabling log delivery does not automatically delete the project or delivered logs. However, Cloud Firewall stops collecting the corresponding log type.
Log on to the Cloud Firewall console.
In the navigation pane on the left, choose . In the upper-right corner of the page, click Log Delivery to modify the delivery status for different log types.
Modify the log storage region
By default, logs collected by the log analysis feature are stored in the or Singapore region. If your business is deployed in other regions, you may encounter issues such as cross-region log synchronization fees and data integration problems. To resolve these issues, you can change the log storage region to the region where your business is located or to a nearby region.
Before you change the log storage region for the log analysis feature, note the following:
After you switch the region, a new Logstore is created and the previous Logstore is deleted.
The switch takes 5 to 10 minutes to complete. Do not perform other log-related operations during this period.
Logs are not delivered or stored during the switch. Perform this operation during off-peak hours.
If the switch times out, wait 5 to 10 minutes and then refresh the page to check whether the switch is complete. If the issue persists, submit a ticket for assistance.
Log on to the Cloud Firewall console.
In the navigation pane on the left, choose .
In the upper-right corner of the page, click Region for Log Delivery and change the log storage region.
Modify the log storage duration
The default storage duration for logs is 180 days. Logs that exceed this duration are automatically deleted and cannot be recovered. You can modify the storage duration based on your log storage capacity and business requirements. The storage duration can be set to a value from 7 to 730 days. If you use a pay-as-you-go Cloud Firewall instance and have higher storage requirements, you can modify the storage duration in the Simple Log Service console.
If the log storage is full, new logs are no longer collected. Set an appropriate storage duration and periodically monitor your log storage usage.
After the modified storage duration takes effect, the log analysis feature of Cloud Firewall stores logs only for the specified duration and automatically deletes logs that exceed this duration. The automatic deletion takes 1 to 2 hours to take effect.
For example, if you change the storage duration from 180 days to 30 days, logs older than 30 days are automatically deleted after the change takes effect.
Log on to the Cloud Firewall console.
In the navigation pane on the left, choose .
In the upper-right corner of the page, click Log Storage Period, modify the storage duration, and then click Save.
Manage log storage space
To prevent data loss that can occur when new logs cannot be written because the storage space is full, you must periodically monitor your log storage usage.
Log on to the Cloud Firewall console.
In the navigation pane on the left, choose .
On the Logs page, view the log usage in the upper-right corner.
The log storage usage displayed on the page is not updated in real time and may have a delay of up to two hours. Therefore, you should upgrade the capacity or clear logs in advance before the log storage space is full.
(Optional) If the log storage space is almost full, you can upgrade the log storage capacity or clear existing logs.
WarningLogs cannot be recovered after they are cleared. Use this feature with caution.
Upgrade storage capacity: On the Logs page, click Upgrade Storage in the upper-right corner, select a larger storage capacity, and then complete the payment.
NoteThe fee for upgrading the storage capacity for the log analysis feature is or USD 80/1,000 GB/month. The duration of the purchased capacity must match the remaining service duration of your Cloud Firewall instance and cannot be modified.
Clear existing logs: On the Logs page, click Delete All Logs in the upper-right corner, and then click OK in the displayed dialog box. It takes 1 to 2 hours to clear the logs.
NoteYou can clear your log storage space up to four times. This quota resets to four each time you renew your Cloud Firewall service.
References
You can query and analyze the collected logs in real time to promptly identify traffic exceptions and protect your assets. For more information, see Query and analyze logs.
To prevent new logs from being dropped because the storage space is full, you must monitor your log storage usage. We recommend that you enable alert notifications for Log Storage Capacity. For more information, see Alert notifications.
How do I reduce the storage capacity for the log analysis feature?
Can I export traffic logs of Cloud Firewall to a third-party system?