This topic describes how to enable the log collection feature of Web Application Firewall (WAF) for a specified domain in the WAF console. After this feature is enabled, all log data for this domain is automatically stored in the dedicated Logstore of WAF. You can then query and analyze the log data in real time.

Prerequisites

  • WAF is activated and domains are added to WAF for protection.
  • Log Service is activated.

Background information

Log Service is used to collect website access logs and attack protection logs on Alibaba Cloud WAF in real time. It retrieves and analyzes log data in real time and displays the results in dashboards. You can use the collected log data to analyze the number of visits to and attacks on your websites in real time. You can also use the log data to help security engineers develop protection policies.

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Log Management > Log Service.
  4. Optional: If you configure the log collection feature for the first time, click Authorize and follow the instructions on the Log Service page to authorize WAF to write all log data to your dedicated Logstore.
  5. Select the target domain and turn on Status next to the domain.
    The log collection feature is enabled for the domain. A dedicated project and a dedicated Logstore are automatically created by Log Service under your Alibaba Cloud account. WAF automatically imports logs from the domains with the log collection feature enabled to this Logstore.

Dedicated project and Logstore

The following table describes default configurations of a dedicated project and a dedicated Logstore.

Item: Description

Project: A project is created by default. The project name is determined based on the region of your WAF instance.
  • If your WAF instance is deployed in a region in mainland China, the project name is in the following format: waf-project-<Alibaba Cloud account ID>-cn-hangzhou.
  • If your WAF instance is deployed in a region outside mainland China, the project name is in the following format: waf-project-<Alibaba Cloud account ID>-ap-southeast-1.

Logstore: The Logstore named waf-logstore is created by default. All log data collected by the WAF log collection feature is stored in this Logstore.

Region:
  • If your WAF instance is deployed in a region in mainland China, the project is saved in the China (Hangzhou) region by default.
  • If your WAF instance is deployed in a region outside mainland China, the project is saved in the Singapore region by default.

Shard: Two shards are created by default, with the automatic sharding feature enabled. For more information, see Manage shards.

Dashboard: Three dashboards are created by default:
  • Access Center
  • Operation Center
  • Security Center
  For more information, see Enable log analysis.

Limits and instructions

  • Only log data of WAF can be written into this Logstore.
    Log data of WAF is stored in this Logstore. Other data cannot be written into this Logstore, whether by calling API operations or using SDKs.
    Note: The Logstore has no limits on features such as queries, statistics, alerts, and streaming consumption.
  • The Logstore is not billed.
    To use the Logstore, you must activate Log Service for your Alibaba Cloud account.
    Note: When your Log Service is overdue, the log collection feature of WAF is suspended until you pay the overdue bills.
  • Do not delete or modify configurations of the default project, Logstore, index, and dashboards created in Log Service. Log Service automatically updates data from the log query and analysis function of WAF, the index of the Logstore, and the default reports.
  • A RAM user can use the log query and analysis service of WAF only after the Log Service permissions are granted to the RAM user. For more information, see Grant log query and analysis permissions to a RAM user.