This topic describes how to enable log collection for a specific domain name in the Web Application Firewall (WAF) console. You must enable log collection before you can use the Log Service for WAF feature. After you enable log collection, all the log data of the specified domain name is automatically stored in the dedicated Logstore for WAF. Then, you can analyze and query the log data in real time.

Prerequisites

Background information

Log Service is used to collect website access logs and attack prevention logs on WAF in real time. Log Service allows you to retrieve and analyze log data in real time, and displays the query results in dashboards. You can use the log data to analyze the access to and attacks on your website in real time. The analysis results can be used by security engineers to develop protection policies.

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Log Management > Log Service.
  4. Optional: If this is the first time that you enable log collection, click Authorize. Then, follow the instructions on the page and authorize WAF to write all log data to the dedicated Logstore for WAF.
  5. Select the domain name for which you want to enable log collection and turn on Status next to the domain name.
    Log collection is enabled for the domain name. Log Service automatically creates a dedicated project and a dedicated Logstore for your Alibaba Cloud account. WAF automatically writes all the log data of the domain name to this Logstore.

Dedicated project and Logstore for WAF

The following table describes the default items that Log Service creates for your WAF instance after you enable the Log Service for WAF feature.

Item: Description

Project: Log Service automatically creates a dedicated project for your WAF instance. The project name is determined based on the region of your WAF instance.
  • If your WAF instance is deployed in mainland China, the project name is in the following format: waf-project-Alibaba Cloud account ID-cn-hangzhou.
  • If your WAF instance is deployed outside mainland China, the project name is in the following format: waf-project-Alibaba Cloud account ID-ap-southeast-1.

Logstore: Log Service automatically creates a dedicated Logstore for your WAF instance. The Logstore is named waf-logstore. All the log data collected by WAF is stored in this Logstore.

Region:
  • If your WAF instance is deployed in mainland China, the project is stored in the China (Hangzhou) region by default.
  • If your WAF instance is deployed outside mainland China, the project is stored in the Singapore (Singapore) region by default.

Shard: Log Service automatically creates two shards for your WAF instance and enables the automatic sharding feature. For more information, see Manage shards.

Dashboard: Log Service automatically creates the following three dashboards for your WAF instance:
  • Access Center
  • Operation Center
  • Security Center
For more information about dashboards, see Enable log analysis.

Limits and instructions
  • Only the log data of WAF can be written into the dedicated Logstore.
    The log data of WAF is stored in the dedicated Logstore. Other data cannot be written into this dedicated Logstore, regardless of whether API operations are called or SDKs are used.
    Note: The dedicated Logstore has no limits on features such as queries, statistics, alerting, or streaming consumption.
  • The dedicated Logstore is not billed.
    To use the dedicated Logstore, you must activate Log Service for your Alibaba Cloud account.
    Note: If your Log Service bill is overdue, log collection of WAF is suspended until you pay the bill.
  • Do not delete or modify the configurations of the default project, Logstore, index, and dashboards created by Log Service. The log query and analysis service of WAF is automatically updated and upgraded with Log Service on an irregular basis. Log Service also updates the index of the dedicated Logstore and the default dashboards.
  • A RAM user can use the log query and analysis service of WAF only after the permissions on Log Service are granted to the RAM user. For more information, see Grant log query and analysis permissions to a RAM user.