You can enable the Web Application Firewall (WAF) log collection feature for a specified domain in the WAF console.

Prerequisites

Background information

Log Service collects log entries that record visits to and attacks on websites that are protected by Alibaba Cloud WAF, and supports real-time log query and analysis. The query results are displayed in dashboards. You can timely perform analytical investigation on visits to and attacks on your websites and help security engineers to develop protection strategies.

Procedure

  1. Log on to the Web Application Firewall console.
  2. Choose App Market > App Management, and click Real-time Log Query and Analysis Service.
    Note If you are configuring the WAF log collection feature for the first time, click Authorize and follow the instructions on the authorization page to authorize WAF to write all log entries to your exclusive logstore.
  3. Select the domain and turn on the Status switch on the right to enable the log collection feature.

    The WAF log collection feature has now been enabled for the domain. Log Service automatically creates an exclusive logstore for your account. WAF automatically writes log entries to the exclusive logstore. The following Default configuration table describes the default configuration of the exclusive logstore.

    Table 1. Default configuration
    Default configuration item Description
    Project A project is created by default. The project name format is determined by the region of your WAF instance.
    • If the WAF instance is created in Mainland China, the project name is waf-project-Your Alibaba Cloud account ID-cn-hangzhou.
    • If the WAF instance is created in other regions, the project name is waf-project-Your Alibaba Cloud account ID-ap-southeast-1.
    Logstore A logstore waf-logstore is created by default.

    All log entries collected by the WAF log collection feature are saved in this logstore.
    Region
    • If the WAF instance is created in Mainland China, the project is saved in the Hangzhou region by default.
    • If the WAF instance is created in other regions, the project is saved in the Singapore region by default.
    Shard Two shards are created by default with the Automatic shard splitting feature enabled.
    Dashboard Three dashboards are created:
    • Access Center
    • Operation Center
    • Security Center
    For more information about dashboards, see WAF Log Service—Log Reports.
    Limits and instructions
    • Other data cannot be written to the exclusive logstore.
      Log entries generated by WAF are stored in the exclusive logstore. You cannot write other data to this logstore by using API, SDK or other methods.
      Note The exclusive logstore has no special limits in query, statistics, alerts, streaming consumption and other functions.
    • Basic configurations, such as the storage period of log entries, cannot be modified.
    • The exclusive logstore is not billed.
      To use the exclusive logstore, you must enable Log Service for your account. The exclusive logstore is not billed.
      Note When your Log Service is overdue, the WAF log collection feature is suspended until you pay the bills in a timely manner.
    • Do not delete or modify the configurations of the project, logstore, index, and dashboards, which are created by Log Service by default. Log Service updates the WAF log query and analysis service on an irregular basis. The index of the exclusive logstore and the default reports are also updated automatically.
    • If you want to use the WAF log query and analysis service with a RAM user, you must grant the required Log Service permissions to the RAM user. For more information about how to grant permissions, seeGrant log query and analysis permissions to a RAM user.