Web Application Firewall (WAF) is integrated with Log Service to provide the Log Service for WAF feature. The feature collects full logs of your website that is protected by WAF in a near-real-time manner. You can query and analyze the collected log data, and the results are displayed on dashboards. The feature also helps meet the classified protection requirements for your website as well as your requirements for better website operations and protection. This topic describes how to enable the Log Service for WAF feature.

Prerequisites

  • A subscription WAF instance that runs the Pro edition or higher is purchased.

    For more information, see Purchase a WAF instance.

  • The domain names of your website are added to WAF.

    Before you enable the Log Service for WAF feature, we recommend that you add the domain names of your website to WAF. If the domain names are not added to WAF, the feature does not record logs for the domain names. For more information about how to add domain names to WAF, see Tutorial.

  • Log Service is activated.

    If you log on to the Log Service console for the first time, you must activate Log Service as prompted.

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, choose Log Management > Log Service.
  4. On the Log Service page, click Upgrade and complete the upgrade as prompted.
    Note If the Log Service for WAF feature is enabled when you purchase your WAF instance, skip this step.

    Upgrade procedure:

    1. On the Upgrade/Downgrade page, set Log Service to YES. Then, specify Log Storage Size based on your business requirements.
      For more information about the parameters that are related to the Log Service for WAF feature, see Purchase a WAF instance.
    2. Click Buy Now and complete the payment.
  5. Authorize WAF to access the required cloud services.
    WAF needs to access Log Service to store WAF logs and provide the query and analysis feature. To use the Log Service for WAF feature, you must authorize WAF to access the required cloud services.
    Notice You need only to authorize WAF once. After you authorize WAF, Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. This role allows WAF to access the required cloud services. If the role is created, you do not need to authorize WAF again. You can view the service-linked role on the Roles page in the RAM console. For more information, see Authorize WAF to access cloud services.

    Authorization procedure:

    1. On the Log Service page, click Authorize Now.
    2. In the Tips message, click OK.

After the Log Service for WAF feature is enabled, Log Service automatically creates a dedicated project and a dedicated Logstore for your WAF instance within the same Alibaba Cloud account. This facilitates log data collection. For more information about the default configurations of the dedicated project and Logstore for WAF, see Dedicated project and Logstore for WAF.

What to do next

After you enable the Log Service for WAF feature, you must enable log collection for the domain names that you added to WAF. This way, WAF can store the logs of the domain names and provide the query and analysis feature. For more information about how to enable log collection, see Enable log collection.

Dedicated project and Logstore for WAF

The following table describes the default configurations of the dedicated project and Logstore for WAF.

Notice Do not delete or modify the configurations of the default project, Logstore, indexes, or dashboards created by Log Service. Log Service automatically updates and upgrades the query and analysis feature of WAF on an irregular basis. Log Service also updates the indexes of the dedicated Logstore and the default dashboards.
Resource type Description
Project Log Service automatically creates a dedicated project for WAF. For more information about the project, see Project. Log Service creates the project based on the region of your WAF instance.
  • For WAF instances in mainland China: The project name is waf-project-Alibaba Cloud account ID-cn-hangzhou. This project resides in the China (Hangzhou) region.
  • For WAF instances outside mainland China: The project name is waf-project-Alibaba Cloud account ID-ap-southeast-1. This project resides in the Singapore (Singapore) region.
You can view the dedicated project on the homepage of the Log Service console. If you want to access the project, click the name of the project. Dedicated project

For more information about the project, see Manage a project.

Logstore A Logstore is automatically created for the dedicated project. For more information about the Logstore, see Logstore. The Logstore name is waf-logstore. All logs that are collected by WAF are stored in the Logstore. You can view the Logstore in the dedicated project. Logstore

Only WAF logs can be written to the Logstore, and different write methods are supported, such as calling the API or using an SDK. The dedicated Logstore has no limits on features such as queries, statistics, alerting, or streaming consumption.

You are not charged for the dedicated Logstore. However, you can use the dedicated Logstore only when Log Service within your Alibaba Cloud account is running as expected.
Note If Log Service has an overdue payment, the log collection feature of WAF is suspended until you pay the bill.

For more information about the Logstore, see Manage a Logstore.

Shard By default, the dedicated Logstore contains two shards, and the automatic sharding feature is enabled. You can view the attributes of the shards on the Logstore Attributes page. Shard

For more information about the shards, see Manage shards.

Dashboard By default, the dedicated project contains the following three dashboards: Operation Center, Access Center, and Security Center. For more information, see Dashboards. You can view the dashboards in the dedicated project.
For more information about the dashboards, see View dashboards. Dashboard