Note: To use the full log search function, you must upgrade WAF to Enterprise Edition or above (For the International region, you must upgrade to the Flagship Edition).
Overview
The full log search function records a log of all access requests for your website and allows you to quickly locate request records using the smart search function. This can satisfy your O&M and security requirements.
Using the full log search function, you can easily complete the following O&M tasks:
- Determine if WAF blocked or allowed a specific request.
- Determine if a specific request was blocked due to web attack protection, HTTP flood attack protection, or custom access control rules.
- Query the origin site response time for a certain request and see if it timed-out.
- Query specific requests using a combination of source IP address, URL keyword, cookie, referer, user-agent, X-forwarded-for, server response status code, and other conditions.
Note: When you enable the full log search function, this constitutes your permission for Alibaba Cloud to record all of the web requests that pass through WAF (POST data is not recorded).
Procedure
Enable log retrieval
Before using the log search function, you must go to the Website Configuration page and enable the log search function for the specified website domain name. WAF starts recording access logs for this website only after you enable the Log Search function.
Note: Access records are recorded only after you enable the log search function.
Log on to the Alibaba Cloud Security WAF console and go to the Management > Website Configuration page.
Select the region.
Select a website domain name that has already been added and click the Log Search switch to enable the log search function.
Query full logs
After enabling log retrieval for a website, you can query the access log for this website on the Log Search page.
Log on to the Alibaba Cloud Security WAF console and go to Reports > Log Search.
Select the domain name, set the query time period, and click Search.
Note: The full log search function allows you to query records from the past week.
You can also click Advanced Search to set more detailed search conditions.
Note: In addition to querying specific requests using a combination of source IP address, URL keyword, cookie, referer, user-agent, X-forwarded-for, server response status code, and other conditions, you can also select a protection rule to filter access request records that match the selected WAF protection rule.
View the search result.
- In the Service Traffic area, you can view access request volume trend charts for the search time range.
In the Visitors’ Request Log list, you can view the access request records that match the search conditions.
Descriptions of parameters in origin’s response info
Status: Indicates the response status returned by the origin site to WAF. If “-“ is returned, this indicates there was no response (for example, this request was blocked by WAF or the origin site response timed-out).
- Upstream_ip: Indicates the origin site IP address of this request. For example, when WAF redirects back to an ECS instance, this parameter returns the origin site ECS instance IP address.
- Upstream_time: Indicates the time the origin site took to respond to the WAF request. “-“ indicates the response timed-out.
Click Log download in the upper-right corner of the Log Search page to add a download task for the currently retrieved log. On the View the downloaded file tab, you can download the log file to your local client.
Note: If you disable the Log Search function for a website, access request logs are not recorded during the time this function is disabled. After enabling the function again, you cannot query the access request logs for the time during which the function was disabled.