In this practice, the alert feature of Alibaba Cloud Log Service is used to configure custom monitoring charts and alerts for domain names that are added to WAF and have Log Service enabled. Enterprise users and individual users can refer to this practice to monitor the traffic and security status of their workloads and configure alerts.

Procedure

This practice contains the following steps.

Step Description
Step 1: create a WAF log analysis dashboard After you use Log Service in WAF to initiate log query and analysis, you can create a dashboard based on the SQL statement. By default, the dashboard contains the charts generated based on the SQL statements.
Step 2: configure log charts After you create a log analysis dashboard, you can edit or delete log charts on the dashboard or create a new log chart by copying an existing chart.
Step 3: Configure a log alert After you create a log analysis dashboard, you can configure log alert on the dashboard. You must associate an alert with an existing log chart and set the alert trigger conditions based on the parameters in the associated chart. You can customize the alert message template.

Configuration examples

This practice provides 13 examples of log charts and alert configurations, including alerts on an abnormal percentage of 4xx status codes (blocked requests excluded), alerts on an abnormal percentage of 5xx status codes, alerts on an abnormal query rate, alerts on an abrupt increase in query rate, alerts on an abrupt decrease in query rate, alerts on requests blocked by HTTP ACL policy in the last five minutes, alerts on requests blocked by web application protection in the last five minutes, alerts on requests blocked by HTTP flood protection in the last five minutes, alerts on requests blocked by anti-scan rules in the last five minutes, alerts on the number of attacks from a single source IP address in the last five minutes, alerts on the number of domains attacked by a single IP address in the last five minutes, alerts on average delay in the last five minutes, and alerts on an abrupt decrease in query rate from a user.

We recommend that you learn how to configure a log chart (step 2), configure an alert rule (step 3), and then create chart and configure an alert rule. For more information, see WAF log charts and alert configuration examples.

For more information about the metrics used in alert configuration and the recommended thresholds for the metrics, see Common monitoring metrics.

For more information about the SQL statements used to query and analyze logs, see Common SQL statements.