Web Application Firewall (WAF) provides dashboards that display log query and analysis results in charts. Log Service for WAF provides Operation Center, Access Center, and Security Center dashboards based on common service and query scenarios. You can view the service and security data of your website on the dashboards by simply specifying a time range. You do not need to enter a query statement.

Prerequisites

  • The Log Service for WAF feature is enabled. For more information, see Enable Log Service for WAF.
  • The log collection feature is enabled for the domain names of your website that is protected by WAF. For more information, see Enable log collection.

Background information

Log Service for WAF provides dashboards for real-time data analysis. You can view multiple charts that are generated based on query and analysis results on a dashboard. After the Log Service for WAF feature and the log collection feature are enabled, you can view the service and security data of your website on the following dashboards, which are predefined by WAF.
Dashboard Description
Operation Center Displays the overall situation of the website, such as traffic protection data and overview of attacks.
Access Center Displays the access information of the website, such as access metrics, access trends, and request distribution.
Security Center Displays the attack information of the website, such as attack targets, attack trends, and distribution of attack sources.

A dashboard consists of multiple charts. For more information about the charts that are supported by WAF, see Charts supported by dashboards.

You can also manually create dashboards based on service-related query and analysis scenarios. You can add custom charts to the dashboards based on your commonly used query statements. For more information, see Visualization overview.

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, choose Log Management > Log Service.
  4. In the upper section of the Log Service page, select the domain name that you want to manage.
    Notice Make sure that log collection is enabled for the domain name. Otherwise, WAF does not collect the logs of the domain name, and you cannot query or analyze the logs of the domain name. To enable log collection, turn on Status.
    Domain name
  5. Click the Log Analysis tab.
  6. Click the dashboard that you want to view and specify a time range in which you want to query the data. You can click the Operation Center, Access Center, or Security Center tab. Log Analysis tab
    For more information about chart types that are supported by different dashboards, see Charts supported by dashboards.

    For more information about common operations that are supported by dashboards, see What to do next.

What to do next

Operation Object Description
Specify a time range by using a time selector Dashboard and chart Each dashboard contains multiple charts. The charts are generated based on raw log data within a specific time range. You can configure a time selector to specify the time range. Time selectors are classified into the following types:
  • Dashboard time selector: applies to all charts on a dashboard. If you select a time range by using a dashboard time selector, all charts on the dashboard display results based on the selected time range.
    A dashboard time selector is located in the upper right corner of the dashboard. By default, no time ranges are specified each time you open the Log Analysis tab. The time selector displays Please Select. You can click Please Select. Then, you can select a time range for all charts in the Time panel. You can select a relative time or a time frame. You can also specify a custom time range.
    Note The time range setting applies only to the current dashboard. If you switch to another dashboard, you must specify a time range for the dashboard again.
  • Chart time selector: applies only to a chart on a dashboard.

    Find a chart, move the pointer over the More icon icon in the upper-right corner of the chart, and then select Select Time Range. In the Time panel, you can select a time range for the chart.

Subscribe to a dashboard Dashboard You can subscribe to a dashboard. After you subscribe to the dashboard, the chart data on the dashboard is automatically sent to specified recipients by using emails or DingTalk group messages on a regular basis.

In the upper-right corner of a dashboard, click Subscribe and complete the Create Subscription wizard to subscribe to the current dashboard. For more information, see Subscribe to a dashboard.

Drill down into data across charts Chart By default, drill-down is configured for some charts. This allows you to view underlying data details.

Find a chart, move the pointer over the More icon icon in the upper right corner of the chart, and then check whether the Hand icon icon is displayed. If the icon is displayed, drill-down is configured for the chart.

You can click an underscored number in a chart for which drill-down is configured to view underlying data details. For example, you can identify the domain names that are attacked and the number of attacks after you click the underscored number in the Attacked Hosts chart of the Security Center dashboard.
Note You can also switch to the Raw Logs tab to view the raw log data.
For more information, see Configure a drill-down event.
Download logs Chart Find a chart, move the pointer over the More icon icon in the upper right corner of the chart, and then select Download Log to download the data of the chart to your computer as a CSV file.
Preview the query statement of a chart Chart Find a chart, move the pointer over the More icon icon in the upper right corner of the chart, and then select the Preview icon to preview the query statement that is used for the chart.

Charts supported by dashboards

Log Service of WAF provides Operation Center, Access Center, and Security Center dashboards, which display the operations situation, access information, and attack details of a website. Different dashboards provide different charts.
  • Operation Center: displays the overall situation of a website, such as traffic protection data and overview of attacks.
    Chart name Chart type Default time range Description Example value
    User Request Single value chart Compared with last day Displays the numbers of page views (PVs) and unique visitors (UVs). 48,300
    Peak Traffic Single value chart Compared with last day Displays the peak inbound and outbound traffic over the Internet and the peak attack traffic. Unit: Kbit/s. 4.6
    Valid Request Ratio Single value chart Compared with last hour Displays the percentage of valid requests that are routed over the Internet and forwarded by WAF. 98.41%
    Valid Traffic Single value chart Compared with last hour Displays the amount of network traffic that is forwarded by WAF to the origin server. Unit: MB. 10.7
    Request Trend Line chart 1 week (relative) Displays the trends in the number of requests, the ratio of valid requests, and the inbound and outbound network bandwidths in Kbit/s. None
    Attack Statistics Single-value chart, world map, and China map Compared with last hour Displays the number of attacks, traffic amount in KB, and attack distribution on the world map and China map. None
    Attacker List Table 1 hour (relative) Displays the list of IP addresses from which attacks are launched. None
    Top 100 Attacked Websites Table 1 hour (relative) Displays the top 100 domain names that suffered the most attacks. None
  • Access Center: displays access information of a website, such as access metrics, access trends, and request distribution.
    Chart name Chart type Default time range Description Example value
    PV Single value chart 1 hour (relative) Displays the total number of PVs. 100,000
    UV Single value chart 1 hour (relative) Displays the total number of UVs. 100
    Traffic In Single value chart 1 hour (relative) Displays the total amount of inbound traffic. Unit: MB. 300 MB
    Peak Network In Traffic Single value chart Today (time frame) Displays the peak rate of inbound traffic. Unit: Kbit/s. 0.5 KB/s
    Peak Network Out Traffic Single value chart Today (time frame) Displays the peak rate of outbound traffic. Unit: Kbit/s. 1.3 KB/s
    Traffic Network Trend Area chart Today (time frame) Displays the trends of inbound and outbound traffic. Unit: Kbit/s. None
    PV/UV Trends Line chart Today (time frame) Displays the trends of PVs and UVs. None
    Access Status Distribution Flow chart Today (time frame) Displays the trends of requests with different status codes such as 400, 304, and 200. Unit: count/h. None
    Access Source World map 1 hour (relative) Displays the distribution of requests by country. None
    Traffic In Source (World) World map 1 hour (relative) Displays the distribution of inbound traffic by country. None
    Traffic In Source (China) China map 1 hour (relative) Displays the distribution of inbound traffic by province in China. None
    Access Heatmap AMAP 1 hour (relative) Displays the heat map that indicates the source distribution of requests by geographical location. None
    Network Provider Source Pie chart 1 hour (relative) Displays the source distribution of requests by Internet service provider, such as China Telecom, China Unicom, China Mobile, and China Education and Research Network. None
    Referer Table 1 hour (relative) Displays the information about the top 100 Referers that are most frequently forwarded. The information includes Referer URLs, Referer hosts, and the number of times that the Referer is detected. None
    Mobile Client Distribution Pie chart 1 hour (relative) Displays the distribution of requests from mobile clients by client type. None
    PC Client Distribution Pie chart 1 hour (relative) Displays the distribution of requests from PC clients by client type. None
    Request Content Type Distribution Pie chart 1 hour (relative) Displays the distribution of requested resources by content type, such as HTML, form, JSON, and streaming data. None
    Accessed Sites Treemap chart 1 hour (relative) Displays the top 30 domain names that are most frequently accessed. None
    Top Clients Table 1 hour (relative) Displays the information about the top 100 clients that visit your domain names most. The information includes the client IP address, region and city, network information, request method, inbound traffic, number of access errors, and number of attacks. None
    URL With Slowest Response Table 1 hour (relative) Displays the information about the top 100 URLs with long response time. The information includes the domain name, URL, average response time, and number of access requests. None
  • Security Center: displays attack information of a website, such as attack targets, attack trends, and distribution of attack sources
    Chart name Chart type Default time range Description Example value
    Peak Attack Size Single value chart 1 hour (relative) Displays the peak attack traffic. Unit: bit/s. 100 Bps
    Attacked Hosts Single value chart Today (time frame) Displays the number of websites that are attacked. 3
    Source Country Of Attack Single value chart Today (time frame) Displays the number of countries from which attacks are launched. 2
    Attack Traffic Single value chart 1 hour (relative) Displays the total amount of traffic that is generated by attacks. Unit: bytes. 1 B
    Attacker UV Single value chart 1 hour (relative) Displays the number of UVs. 40
    Attack type distribution Flow chart Today (time frame) Displays the distribution of attacks by attack type. None
    Intercepted Attack Single value chart 1 hour (relative) Displays the total number of attacks that are blocked by WAF. 100
    CC Attack Interception Single value chart 1 hour (relative) Displays the number of HTTP flood attacks that are blocked by WAF. 10
    Web Attack Interception Single value chart 1 hour (relative) Displays the number of web application attacks that are blocked by WAF. 80
    Access Control Event Single value chart 1 hour (relative) Displays the number of requests that are blocked by custom protection policies (ACL policies) of WAF. 10
    CC Attack (World) World map 1 hour (relative) Displays the distribution of HTTP flood attacks by country. None
    CC Attack (China) China map 1 hour (relative) Displays the distribution of HTTP flood attacks by province in China. None
    Web Attack (World) World map 1 hour (relative) Displays the distribution of web application attacks by country. None
    Web Attack (China) China map 1 hour (relative) Displays the distribution of web application attacks by province in China. None
    Access Control Attack (World) World map 1 hour (relative) Displays the distribution of requests that are blocked by custom protection policies (ACL policies) by country. None
    Access Control Attack (China) China map 1 hour (relative) Displays the distribution of requests that are blocked by custom protection policies (ACL policies) by province in China. None
    Attacked Hosts Treemap chart 1 hour (relative) Displays the websites that are most frequently attacked. None
    CC Attack Strategy Distribution Pie chart 1 hour (relative) Displays the distribution of attacks that trigger HTTP flood protection policies. None
    Web Attack Type Distribution Pie chart 1 hour (relative) Displays the distribution of web attacks by attack type. None
    Top Attackers Table 1 hour (relative) Displays the IP addresses, province information, and carriers of the first 100 clients that launch the most recent attacks. It also displays the number of attacks for each attack type and the amount of traffic generated by these attacks. None
    Attacker Referer Table 1 hour (relative) Displays the Referer information of attacks, including Referer URLs, Referer hosts, and the number of times that the Referer is detected. None

For more information, see Chart overview.