Enable log collection - Log Management| Alibaba Cloud Documentation Center

This topic describes how to enable the log collection feature of Web Application Firewall (WAF) for a specified domain in the WAF console. After this feature is enabled, all log data in this domain is automatically stored in the dedicated Logstore of WAF. In this way, you can analyze and query log data in real time.

Prerequisites

WAF is activated and domains are added to WAF for protection.
Log Service is activated.

Background information

Log Service is used to collect website access logs and attack protection logs on Alibaba Cloud WAF in real time. It retrieves and analyzes log data in real time and displays the results in dashboards. You can use the collected log data to analyze the number of visits to and attacks on your websites in real time. You can also use the log data to assist security engineers to develop protection policies.

Procedure

Log on to the Web Application Firewall console.
In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
In the left-side navigation pane, choose Log Management > Log Service .
Optional:If you configure the log collection feature for the first time, click Authorize and follow the instructions on the Log Service page to authorize WAF to write all log data to your dedicated Logstore.
Select the target domain and turn on Status next to the domain.
The log collection feature is enabled for the domain. A dedicated project and a dedicated Logstore are automatically created by Log Service under your Alibaba Cloud account. WAF automatically imports logs from the domains with the log collection feature enabled to this Logstore.

Dedicated project and Logstore

The following table describes default configurations of a dedicated project and a dedicated Logstore.


Item	Description
Project	A project is created by default. The project name is determined based on the region of your WAF instance. If your WAF instance is deployed in a region in mainland China, the project name is in the following format: `waf-project-Alibaba Cloud account ID-cn-hangzhou`. If your WAF instance is deployed in a region outside mainland China, the project name is in the following format: `waf-project-Alibaba Cloud account ID-ap-southeast-1`.
Logstore	The Logstore named `waf-logstore` is created by default. All log data collected by the WAF log collection feature is stored in this Logstore.
Region	If your WAF instance is deployed in a region in mainland China, the project is saved in the China (Hangzhou) region by default. If your WAF instance is deployed in a region outside mainland China, the project is saved in the Singapore region by default.
Shard	Two shards are created by default, with the automatic sharding feature enabled. For more information, see Manage shards.
Dashboard	Three dashboards are created by default: Access Center Operation Center Security Center For more information, see Enable log analysis.

Limits and instructions

Only log data of WAF can be written into this Logstore.
Log data of WAF is stored in this Logstore. Other data cannot be written into this Logstore, whether by calling API operations or using SDKs.

Note The Logstore has no limits on features such as queries, statistics, alerts, and streaming consumption.
The Logstore is not billed.
To use the Logstore, you must activate Log Service for your Alibaba Cloud account.

Note When your Log Service is overdue, the log collection feature of WAF is suspended until you pay the overdue bills.
Do not delete or modify configurations of the default project, Logstore, index, and dashboards created in Log Service. Log Service automatically updates data from the log query and analysis function of WAF, the index of the Logstore, and the default reports.
A RAM user can use the log query and analysis service of WAF only after the Log Service permissions are granted to the RAM user. For more information, see Grant log query and analysis permissions to a RAM user.