
Cloud Firewall: FAQ about logs

Last Updated: Feb 29, 2024

This topic provides answers to some frequently asked questions about logs in Cloud Firewall.

How do I reduce the storage occupied by logs?

You can reduce the storage occupied by logs by using one of the following methods: reduce the log storage period, reduce the types of logs for delivery, regularly deliver logs to an Object Storage Service (OSS) bucket, or delete logs.

  • Reduce the log storage period

    After you enable the log analysis feature, logs are stored for 180 days by default. If you do not want to retain historical logs for a long period of time, you can modify the log storage period. For more information, see Change the log storage duration.

  • Reduce the types of logs for delivery

    By default, the log delivery switches for all types of logs are turned on. If you need only specific types of logs, we recommend that you turn on the log delivery switches only for those types. For more information, see Configure collected log types.

  • Regularly deliver logs to an OSS bucket

    If you want to retain a large number of logs, we recommend that you deliver logs to an OSS bucket for storage. For more information, see Create an OSS data shipping job (new version).

  • Delete logs

    If you do not need to retain a large number of logs that are generated in the test phase, we recommend that you delete the stored logs. For more information, see Manage log storage capacity.

Can I export traffic logs of Cloud Firewall to a third-party system?

Yes, you can use the log analysis feature of Cloud Firewall to export traffic logs and import the logs to a third-party system, such as your O&M center.

You can select a method to export logs based on your business requirements.

  • Export a small amount of log data

    You can use the log analysis feature of Cloud Firewall to download logs to your computer and upload the log file to a third-party system. For more information about how to download logs, see Export logs.

  • Export a large amount of log data

    You can use a programming method or the Simple Log Service console to export log data to a third-party system. For more information, see Use consumer groups to consume data.

How do I view the remaining log storage of Cloud Firewall?

If you have not enabled the log analysis feature of Cloud Firewall, you cannot view the log storage capacity. If you have enabled the log analysis feature, you can view the log storage usage and the remaining log storage in the Cloud Firewall console. For more information, see Manage log storage capacity.


Why are traffic logs of ICMP detection periodically sent by Cloud Firewall?

To ensure the quality of service, Cloud Firewall periodically sends Internet Control Message Protocol (ICMP) packets for network error detection. The detection is not a scanning attack and does not affect services.

You can log on to the Cloud Firewall console and click Source address for SLA monitoring on the Cloud Service Address Book tab to view the source IP addresses of ICMP packets. For more information, see Manage address books.

Why do traffic logs record traffic whose application type is Unknown?

If Cloud Firewall cannot identify the application type of traffic, the application type of the traffic is recorded as Unknown. The following list describes the possible causes:

  • The total number of inbound and outbound packets recorded in the traffic logs is less than 3, and no sessions are established. In this case, the traffic may be scan traffic.

  • Traffic is blocked by a Layer 4 access control policy. In this case, no sessions are established.

  • Traffic is interrupted by a TCP reset that is sent by the intrusion prevention feature or for other reasons. In this case, traffic characteristics are not matched.

  • Traffic is encrypted, or the application is a non-standard application, an internal application, or an application that is not supported by deep packet inspection (DPI).

If Cloud Firewall cannot identify the application or domain name of the traffic, Cloud Firewall allows the traffic by default to avoid impacts on your workloads. If you do not want to allow the traffic, you can enable the strict mode for the corresponding firewall. For more information, see Configure the strict mode of the Internet firewall or Configure the access control engine mode.
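
The following added example (not code from the Cloud Firewall documentation or product) shows how the four causes above can be applied as a triage order to exported traffic-log records. The fields log_type, direction, app_name and rule_result are the ones this FAQ uses; in_packet_count, out_packet_count, tcp_rst and src_ip are assumed field names, and the records are constructed sample data.

```python
"""Triage records whose app_name is Unknown into the causes listed in the FAQ.

Added example; in_packet_count, out_packet_count, tcp_rst and src_ip are
assumptions about the traffic-log schema, not fields confirmed by the page.
"""
from collections import Counter

# Labels for the four causes listed in the FAQ.
CAUSE_SCAN = "possible scan: fewer than 3 packets, no session"
CAUSE_ACL = "blocked by Layer 4 access control policy: no session"
CAUSE_RESET = "session interrupted by TCP reset: characteristics not matched"
CAUSE_DPI = "encrypted, non-standard, internal or DPI-unsupported application"

# Constructed sample traffic-log records (not real log data).
SAMPLE_RECORDS = [
    {"log_type": "internet_log", "direction": "in", "app_name": "Unknown",
     "rule_result": "pass", "in_packet_count": 1, "out_packet_count": 0,
     "tcp_rst": False, "src_ip": "198.51.100.7", "dst_port": 8443},
    {"log_type": "internet_log", "direction": "in", "app_name": "Unknown",
     "rule_result": "pass", "in_packet_count": 1, "out_packet_count": 1,
     "tcp_rst": False, "src_ip": "198.51.100.7", "dst_port": 9443},
    {"log_type": "internet_log", "direction": "in", "app_name": "Unknown",
     "rule_result": "drop", "in_packet_count": 1, "out_packet_count": 0,
     "tcp_rst": False, "src_ip": "198.51.100.9", "dst_port": 22},
    {"log_type": "internet_log", "direction": "out", "app_name": "Unknown",
     "rule_result": "pass", "in_packet_count": 6, "out_packet_count": 7,
     "tcp_rst": True, "src_ip": "10.0.0.5", "dst_port": 8081},
    {"log_type": "internet_log", "direction": "out", "app_name": "Unknown",
     "rule_result": "pass", "in_packet_count": 120, "out_packet_count": 95,
     "tcp_rst": False, "src_ip": "10.0.0.6", "dst_port": 5001},
    {"log_type": "internet_log", "direction": "in", "app_name": "HTTPS",
     "rule_result": "pass", "in_packet_count": 30, "out_packet_count": 28,
     "tcp_rst": False, "src_ip": "203.0.113.4", "dst_port": 443},
]


def explain_unknown(record):
    """Return the most likely cause for an Unknown record, or None if the
    application was identified.

    Check order matters: a record dropped by an ACL also shows very few
    packets, so the definitive signal (rule_result) is tested before the
    packet-count heuristic.
    """
    if record.get("app_name") != "Unknown":
        return None
    if record.get("rule_result") == "drop":
        return CAUSE_ACL
    packets = record.get("in_packet_count", 0) + record.get("out_packet_count", 0)
    if packets < 3:
        return CAUSE_SCAN
    if record.get("tcp_rst"):
        return CAUSE_RESET
    return CAUSE_DPI


def triage(records):
    """Count Unknown records per cause; identified traffic is skipped."""
    counts = Counter()
    for rec in records:
        cause = explain_unknown(rec)
        if cause is not None:
            counts[cause] += 1
    return dict(counts)


def repeated_scan_sources(records, min_records=2):
    """Source IPs that appear in at least min_records 'possible scan' records.

    This is the first thing to review before deciding whether the strict
    mode is worth enabling for the corresponding firewall.
    """
    per_source = Counter(
        rec["src_ip"] for rec in records if explain_unknown(rec) == CAUSE_SCAN
    )
    return sorted(ip for ip, n in per_source.items() if n >= min_records)


if __name__ == "__main__":
    for cause, n in triage(SAMPLE_RECORDS).items():
        print(f"{n:3d}  {cause}")
    print("repeated scan sources:", repeated_scan_sources(SAMPLE_RECORDS))
```

The triage order is a design choice, not something the FAQ prescribes: rule_result is read directly from the record, so it is tested first, while the packet-count and reset checks are heuristics that only apply once a drop has been ruled out.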

Is log analysis data retained after I release Cloud Firewall?

No, log analysis data is not retained after you release Cloud Firewall.

After you release Cloud Firewall, your configuration data is retained for 15 days, but log analysis data is not retained. The configuration data includes access control policies, attack prevention policies, and traffic analysis policies. If you want to retain log analysis data, export the logs to your computer or deliver the logs to a third-party system before you release Cloud Firewall. For more information, see Export logs.

Can I directly export log audit records?

No, you cannot directly export log audit records. You can specify a query statement on the Log Analysis page to query and export raw logs.

For example, if you want to export the logs of inbound HTTPS traffic on the Internet firewall in the previous 24 hours, you can perform the following steps:

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Log Analysis > Log Analysis.

  3. Enter a query statement in the search box and select 1 Day for Time Range. For more information, see Query and analyze logs.

    Query statement:

    log_type:internet_log and direction:"in" and app_name:"HTTPS"

  4. Export the query result. For more information, see Export logs.

How do I view the total number of attacks intercepted by Cloud Firewall in logs?

You can enter the rule_result:drop query statement and select a value for Time Range. Log Quantity in the query result indicates the total number of attacks intercepted by Cloud Firewall. For more information, see Query and analyze logs.
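
The following added example (not code from the Cloud Firewall documentation or Simple Log Service) evaluates the two query statements used in this FAQ offline, against constructed log records: the inbound HTTPS export query above with a 1 Day time range, and the rule_result:drop query whose Log Quantity gives the number of intercepted attacks. It supports only the conjunctive field:value subset of the query syntax that appears on this page, matches values exactly, and assumes a __time__ field that holds each record's Unix timestamp; Simple Log Service's own search tokenizes and matches more loosely.

```python
"""Evaluate the conjunctive search queries from this FAQ against log records.

Added example; it reimplements only the subset of the query syntax the page
uses (field:value clauses joined by 'and', values optionally quoted) with
exact string matching. It is an offline approximation, not the service's
search engine.
"""
import re

CLAUSE_RE = re.compile(r'^(\w+):(?:"([^"]*)"|(\S+))$')

# Constructed reference time and sample records (not real log data).
# __time__ is the record's Unix timestamp, an assumption about the schema.
NOW = 1_709_164_800  # 2024-02-29 00:00:00 UTC
SAMPLE_RECORDS = [
    {"__time__": NOW - 3_600, "log_type": "internet_log", "direction": "in",
     "app_name": "HTTPS", "rule_result": "pass"},
    {"__time__": NOW - 7_200, "log_type": "internet_log", "direction": "in",
     "app_name": "HTTPS", "rule_result": "drop"},
    {"__time__": NOW - 90_000, "log_type": "internet_log", "direction": "in",
     "app_name": "HTTPS", "rule_result": "pass"},  # 25 hours old
    {"__time__": NOW - 600, "log_type": "internet_log", "direction": "out",
     "app_name": "HTTPS", "rule_result": "pass"},
    {"__time__": NOW - 600, "log_type": "vpc_log", "direction": "in",
     "app_name": "HTTPS", "rule_result": "pass"},
    {"__time__": NOW - 300, "log_type": "internet_log", "direction": "in",
     "app_name": "HTTP", "rule_result": "drop"},
]


def parse_query(query):
    """Turn 'a:b and c:"d"' into [('a', 'b'), ('c', 'd')].

    Raises ValueError on anything outside that subset (or, not, ranges,
    bare keywords) rather than silently matching everything.
    """
    clauses = []
    for part in re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE):
        m = CLAUSE_RE.match(part.strip())
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        field, quoted, bare = m.groups()
        clauses.append((field, quoted if quoted is not None else bare))
    return clauses


def matches(record, clauses):
    """True if every clause equals the record's field value."""
    return all(str(record.get(field, "")) == value for field, value in clauses)


def select_logs(records, query, now=None, hours=None):
    """Apply the query, optionally restricted to the last `hours` before `now`
    (the console's Time Range selector)."""
    clauses = parse_query(query)
    hits = [r for r in records if matches(r, clauses)]
    if hours is not None:
        if now is None:
            raise ValueError("a time range needs a reference time")
        cutoff = now - hours * 3600
        hits = [r for r in hits if r["__time__"] >= cutoff]
    return hits


def log_quantity(records, query, now=None, hours=None):
    """The 'Log Quantity' figure for a query: the number of matching records."""
    return len(select_logs(records, query, now=now, hours=hours))


INBOUND_HTTPS = 'log_type:internet_log and direction:"in" and app_name:"HTTPS"'
BLOCKED = "rule_result:drop"

if __name__ == "__main__":
    print("inbound HTTPS, all time:", log_quantity(SAMPLE_RECORDS, INBOUND_HTTPS))
    print("inbound HTTPS, 1 day:",
          log_quantity(SAMPLE_RECORDS, INBOUND_HTTPS, now=NOW, hours=24))
    print("blocked:", log_quantity(SAMPLE_RECORDS, BLOCKED))
```

Rejecting unsupported clauses instead of ignoring them is deliberate: a query that silently drops a condition returns a larger count than intended, which is exactly the kind of discrepancy the note below warns about when comparing query results with the Overview page.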


Note

The total number of intercepted attacks in the query result may be different from the value of the Total Attacks Blocked parameter on the Overview page due to reasons such as the query time. The value of the Total Attacks Blocked parameter on the Overview page shall prevail.