Use the log audit feature to trace attack sources and analyze traffic - Cloud Firewall

Cloud Firewall automatically records all traffic in logs and provides the Log Audit page to display event logs, traffic logs, and operation logs. This allows you to trace the sources of attacks and audit traffic in a convenient manner. By default, you can query the audit logs of the previous seven days. This enables you to monitor your assets in real time and handle security events in an efficient manner.

Note

By default, Cloud Firewall retains the logs of the previous seven days. If you want to store logs for more than seven days, meet specific classified protection requirements, or export raw log data, you can enable the log analysis feature. For more information, see Overview.

Audit log types

The log audit feature supports event logs, traffic logs, and operation logs.

Event logs: logs of traffic that is identified as potential threats or abnormal behavior by Cloud Firewall. Event logs display the key information about security events, including the time when an event is detected, threat type, source IP address, destination IP address, application type, severity, and policy action. This facilitates event tracing and analysis.
You can click Obtain Attack Sample in the event log list to generate attack samples within the previous seven days for the logs of events that are blocked by the virtual patching and basic protection features. Then, you can view the details of attack events based on the attack samples. The generated attack samples can be retained for one month.
Traffic logs: The logs of normal network traffic that passes through Cloud Firewall. You can view information such as the source IP address, destination IP address, port, protocol, and traffic volume. Traffic logs are valuable for network behavior analysis and understanding network usage patterns.
Operation logs: The logs of all operations performed in the Cloud Firewall console, such as changes to the configurations of rules or system settings and interventions performed by the administrator. Operation logs can help you audit user behavior and manage system changes.

Query audit logs

This section describes how to use the log audit feature to query traffic logs. The query conditions vary based on the type of log. The query conditions displayed on the Log Audit page shall prevail.

Log on to the Cloud Firewall console.
In the left-side navigation pane, choose Log Analysis > Log Audit.
Click the Traffic Logs tab, and then click a tab based on the firewall type.
Specify the query conditions and time range, and click Search.

Key fields of traffic logs

The following table describes the key fields of traffic logs to help you better understand the details of traffic characteristics and behavior.

Note

When you query traffic logs, you can click List Configurations to the right of the query conditions and select the fields that you want to display in the traffic log list. In addition to the required fields, you can select up to eight optional fields.

Field	Description
Rule Name	The name of the access control policy or protection policy that the traffic hits. If no policy name is displayed, the traffic does not hit an access control policy or a protection policy.
Pre-match Access Control Policy Status	When traffic passes through Cloud Firewall, Cloud Firewall matches the traffic against access control policies in sequence based on the priorities of the policies. If Cloud Firewall cannot identify the application or domain name of the traffic when Cloud Firewall matches the traffic against an access control policy, the value of the Pre-match Access Control Policy Status parameter is Application Unidentified or Domain Name Unidentified, and the value of the Pre-match Access Control Policy parameter is the name of the access control policy. Valid values for Pre-match Access Control Policy Status: Application Unidentified: Cloud Firewall cannot identify the application of the traffic. Domain Name Unidentified: Cloud Firewall cannot identify the domain name of the traffic. Normal: Cloud Firewall can identify the application and domain name of the traffic.
Pre-match Access Control Policy
Application Identification Status	The identification status of the application of the traffic when Cloud Firewall matches the traffic against access control policies. Valid values: Identified. Blocked by Policy. TCP Connection Failed. Payload Not Received. Analyzing. Not Identified in Strict Mode. Not Identified in Loose Mode. Stateless: The deep packet inspection (DPI) feature is disabled.

What to do next

By default, Cloud Firewall retains the logs of the previous seven days. If you want to store logs for more than seven days or meet specific classified protection requirements, you can enable the log analysis feature. For more information, see Overview.
Cloud Firewall provides the packet capture feature. You can use the feature to capture network data packets for specific IP addresses and ports, and analyze the packets. This helps you identify exceptions that occur on your network, analyze attack behavior, and identify the security risks of network communications. For more information, see Create a packet capture task.
Why are traffic logs of ICMP detection periodically sent by Cloud Firewall?
Why do traffic logs record traffic whose application type is Unknown?
Can I export log audit records?
Is log analysis data retained after I release Cloud Firewall?