This topic describes how to enable log analysis in the WAF console. The Log Analysis tab on the Log Service page in the WAF console displays the data of default dashboards in the Log Service console. If you want to query website and security data, you can modify the time range or add query conditions.

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Log Management > Log Service.
  4. On the Log Service page that appears, select a domain and ensure that Status next to the domain is turned on.
  5. Click the Log Analysis tab.
    The dashboard page in the Log Service console is integrated into this tab. The system automatically specifies a filter, such as matched_host:<yourDomainName>, to display all the log data that is recorded for your domain.
    After you enable the log collection feature of WAF, the following default dashboards are automatically created on the Log Service page: Operation Center, Access Center, and Security Center.
    | Dashboard | Description |
    | --- | --- |
    | Operation Center | Displays operation details such as the valid request rate and the statistics of attacks and peaks of inbound and outbound traffic. It also displays the number of received requests, operations trends, and attack overview. |
    | Access Center | Displays basic access details such as the number of page views (PVs) and the number of unique visitors (UVs), the access trend, and the distribution of visitors by source. |
    | Security Center | Displays basic metric information of attacks, attack types, attack trend, and attacker distribution. |

    For more information, see Description of default dashboards.

    Dashboards display various reports by using the predefined layout. The following table describes the supported chart types.
    | Chart type | Description |
    | --- | --- |
    | Individual value plot | Displays important metrics, such as the valid request rate and the peak of attacks. |
    | Line chart or area chart | Displays the trends of important metrics within a specified period of time, such as the trend of inbound bandwidth and attack blocking. |
    | Map | Displays the geographical distribution of visitors and attackers, such as the distribution of attacks by country and access heat map. |
    | Pie chart | Displays data proportions, such as the distribution proportions of attacked websites and client types. |
    | Table | Displays detailed information, such as the information of attackers. |

    For more information about the chart types provided by Log Service, see Overview.

Time picker

All charts are based on statistics results for different time periods. If you want all charts on the current page to display data for the same time range, you must configure the time picker.

  1. On the Log Analysis tab, click Please Select.
  2. In the Time pane, specify the time range.
    You can select relative time or a time frame, or customize a time range. After you modify the time range, it takes effect in all charts.
    Note: The time picker only provides a temporary view of charts on the current page, and the system does not save the setting. The next time you view the charts, the system displays the default time range.
    To change the time range for a specific chart, move the pointer over the More icon in the upper-right corner of the chart and click Select Time Range.

Chart data drilldown

Data drilldown is configured for some charts. This allows you to quickly view underlying data details. Move the pointer over the More icon in the upper-right corner of a specific chart. If the drilldown icon is displayed, data drilldown is configured for this chart.

You can click an underscored number in this chart to view underlying data details. For example, you can quickly identify the domains that are attacked and the number of attacks by clicking the number in the Attacked Hosts chart of the Security Center tab.
Note: Alternatively, you can switch to the Raw Logs tab to view the original log data.

Description of default dashboards

  • Operation Center: displays operation details such as the valid request rate and the statistics of attacks and peaks of inbound and outbound traffic. It also displays the number of received requests, operations trends, and attack overview.
    | Chart name | Chart type | Default time range | Description | Example value |
    | --- | --- | --- | --- | --- |
    | Valid Request Ratio | Individual value plot | Today (Time Frame) | Displays the percentage of all valid requests. A valid request is a request that is neither an attack nor a request for which the server returns the 400 error. Unit: %. | 95 |
    | Valid Request Traffic Ratio | Individual value plot | Today (Time Frame) | Displays the percentage of the traffic generated by valid requests. Unit: %. | 95 |
    | Peak Attack Size | Individual value plot | Today (Time Frame) | Displays the peak throughput of attacks. Unit: bit/s. | 100 |
    | Attack Traffic | Individual value plot | 1 Hour (Relative) | Displays the total amount of traffic that is generated by attacks. Unit: bytes. | 30 |
    | Attack Count | Individual value plot | 1 Hour (Relative) | The total number of attacks. | 100 |
    | Peak Network In | Individual value plot | Today (Time Frame) | Displays the peak inbound throughput. Unit: Kbit/s. | 100 |
    | Peak Network Out | Individual value plot | Today (Time Frame) | Displays the peak outbound throughput. Unit: Kbit/s. | 100 |
    | Received Requests | Individual value plot | 1 Hour (Relative) | Displays the total number of valid requests. | 7800 |
    | Traffic Received | Individual value plot | 1 Hour (Relative) | Displays the total inbound traffic that is generated by valid requests. Unit: MB. | 1.4 |
    | Traffic Out | Individual value plot | 1 Hour (Relative) | Displays the total outbound traffic that is generated by valid requests. Unit: MB. | 3.8 |
    | Network Traffic In And Attack | Area chart | Today (Time Frame) | Displays the trends of throughput generated by valid requests and attacks. Unit: Kbit/s. | - |
    | Request And Interception | Line chart | Today (Time Frame) | Displays the trends of valid requests and the total number of requests that are blocked. Unit: count/h. | - |
    | Access Status Distribution | Flow chart | Today (Time Frame) | Displays the trends of requests with different status codes (such as 404, 304, and 200) returned. Unit: count/h. | - |
    | Attack Source (World) | World map | 1 Hour (Relative) | Displays the distribution of attacks by country. | - |
    | Attack Source (China) | Map of China | 1 Hour (Relative) | Displays the distribution of attacks by province in China. | - |
    | Attack Type | Pie chart | 1 Hour (Relative) | Displays the distribution of attacks by attack type. | - |
    | Attacked Hosts | Treemap chart | 1 Hour (Relative) | Displays the websites that are attacked most. | - |
  • Access Center: displays basic access details such as the number of page views (PVs) and the number of unique visitors (UVs), the access trend, and the distribution of visitors by source.
    | Chart name | Chart type | Default time range | Description | Example value |
    | --- | --- | --- | --- | --- |
    | PV | Individual value plot | 1 Hour (Relative) | Displays the total number of PVs. | 100000 |
    | UV | Individual value plot | 1 Hour (Relative) | Displays the total number of UVs. | 100 |
    | Traffic In | Individual value plot | 1 Hour (Relative) | Displays the total inbound traffic. Unit: MB. | 300 |
    | Peak Network In Traffic | Individual value plot | Today (Time Frame) | Displays the peak inbound throughput. Unit: Kbit/s. | 0.5 |
    | Peak Network Out Traffic | Individual value plot | Today (Time Frame) | Displays the peak outbound throughput. Unit: Kbit/s. | 1.3 |
    | Traffic Network Trend | Area chart | Today (Time Frame) | Displays the trends of inbound and outbound throughput. Unit: Kbit/s. | - |
    | PV/UV Trends | Line chart | Today (Time Frame) | Displays the trends of PVs and UVs. Unit: count/h. | - |
    | Access Status Distribution | Flow chart | Today (Time Frame) | Displays the trends of requests with different status codes (such as 404, 304, and 200) returned. Unit: count/h. | - |
    | Access Source | World map | 1 Hour (Relative) | Displays the distribution of requests by country. | - |
    | Traffic In Source (World) | World map | 1 Hour (Relative) | Displays the distribution (by country) of inbound traffic from requests. | - |
    | Traffic In Source (China) | Map of China | 1 Hour (Relative) | Displays the distribution (by province in China) of inbound traffic from requests. | - |
    | Access Heatmap | AMAP | 1 Hour (Relative) | Displays the heat map that indicates the source distribution of requests by geographical location. | - |
    | Network Provider Source | Pie chart | 1 Hour (Relative) | Displays the source distribution of requests by Internet service provider, such as China Telecom, China Unicom, China Mobile, and China Education and Research Network. | - |
    | Referer | Table | 1 Hour (Relative) | Displays the information of hosts and redirection frequency and the first 100 Referer URLs from which the hosts are most frequently redirected. | - |
    | Mobile Client Distribution | Pie chart | 1 Hour (Relative) | Displays the distribution of requests from mobile clients by client type. | - |
    | PC Client Distribution | Pie chart | 1 Hour (Relative) | Displays the distribution of requests from PC clients by client type. | - |
    | Request Content Type Distribution | Pie chart | 1 Hour (Relative) | Displays the distribution of requested resources by content type, such as HTML, form, JSON, and streaming data. | - |
    | Accessed Sites | Treemap chart | 1 Hour (Relative) | Displays the 30 domains that are accessed most. | - |
    | Top Clients | Table | 1 Hour (Relative) | Displays the information of the top 100 clients that visit your domains on a regular basis. The information includes the client IP address, the region and city, network information, the request method, inbound traffic, the number of incorrect accesses, and the number of attacks. | - |
    | URL With Slowest Response | Table | 1 Hour (Relative) | Displays the information of the top 100 URLs with long response time. The information includes the domain, the URL, the average response time, and the number of accesses. | - |
  • Security Center: displays basic metric information of attacks, attack types, attack trend, and attacker distribution.
    | Chart name | Chart type | Default time range | Description | Example value |
    | --- | --- | --- | --- | --- |
    | Peak Attack Size | Individual value plot | 1 Hour (Relative) | Displays the peak throughput of attacks. Unit: bit/s. | 100 |
    | Attacked Hosts | Individual value plot | Today (Time Frame) | Displays the number of websites that are attacked. | 3 |
    | Source Country Of Attack | Individual value plot | Today (Time Frame) | Displays the number of countries from which attacks are launched. | 2 |
    | Attack Traffic | Individual value plot | 1 Hour (Relative) | Displays the total amount of traffic that is generated by attacks. Unit: bytes. | 1 |
    | Attacker UV | Individual value plot | 1 Hour (Relative) | Displays the number of UVs. | 40 |
    | Attack type distribution | Flow chart | Today (Time Frame) | Displays the distribution of attacks by attack type. | - |
    | Intercepted Attack | Individual value plot | 1 Hour (Relative) | Displays the total number of attacks that are blocked by WAF. | 100 |
    | CC Attack Interception | Individual value plot | 1 Hour (Relative) | Displays the number of HTTP flood attacks that are blocked by WAF. | 10 |
    | Web Attack Interception | Individual value plot | 1 Hour (Relative) | Displays the number of web application attacks that are blocked by WAF. | 80 |
    | Access Control Event | Individual value plot | 1 Hour (Relative) | Displays the number of requests that are blocked by the HTTP ACL policies of WAF. | 10 |
    | CC Attack (World) | World map | 1 Hour (Relative) | Displays the distribution of HTTP flood attacks by country. | - |
    | CC Attack (China) | Map of China | 1 Hour (Relative) | Displays the distribution of HTTP flood attacks by province in China. | - |
    | Web Attack (World) | World map | 1 Hour (Relative) | Displays the distribution of web application attacks by country. | - |
    | Web Attack (China) | Map of China | 1 Hour (Relative) | Displays the distribution of web application attacks by province in China. | - |
    | Access Control Attack (World) | World map | 1 Hour (Relative) | Displays the distribution (by country) of requests that are blocked by the HTTP ACL policies of WAF. | - |
    | Access Control Attack (China) | Map of China | 1 Hour (Relative) | Displays the distribution (by province in China) of requests that are blocked by the HTTP ACL policies of WAF. | - |
    | Attacked Hosts | Treemap chart | 1 Hour (Relative) | Displays the websites that are attacked most. | - |
    | CC Attack Strategy Distribution | Pie chart | 1 Hour (Relative) | Displays the distribution of HTTP flood protection policies. | - |
    | Web Attack Type Distribution | Pie chart | 1 Hour (Relative) | Displays the distribution of web attacks by attack type. | - |
    | Top Attackers | Table | 1 Hour (Relative) | Displays IP addresses, province information, and network providers of the first 100 clients that launch the recent attacks. It also displays the number of attacks and the amount of traffic generated by these attacks. | - |
    | Attacker Referer | Table | 1 Hour (Relative) | Displays the Referer information of attack requests, including Referer URLs, Referer hosts, and the number of attacks. | - |