This topic describes how to enable the log analysis feature in the WAF console. The Log Analysis tab on the Log Service page in the WAF console displays the data of default dashboards in the Log Service console. If you want to query website and security data, you can modify the time range or add query conditions.

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Log Management > Log Service.
  4. On the Log Service page, select the required domain name. Make sure that Status next to the domain name is turned on.
  5. Click the Log Analysis tab.
    The dashboard page in the Log Service console is integrated into this tab. The WAF console automatically sets a filter, such as matched_host:<yourDomainName>, to display all the log data that is recorded for your domain name.
    After you enable WAF log collection for your domain name, the following default dashboards are automatically created by Log Service: Operation Center, Access Center, and Security Center.
    Dashboard | Description
    Operation Center | Displays operational details such as the valid request rate, statistics of attacks, and peak inbound and outbound bandwidths. It also displays the number of received requests, operational trends, and attack overview.
    Access Center | Displays access details such as the numbers of page views (PVs) and unique visitors (UVs), access trends, and distribution of visitors by source.
    Security Center | Displays service information such as basic attack metrics, attack types, attack trends, and attacker distribution.

    For more information, see Descriptions of default dashboards.

    Dashboards display various reports based on the predefined charts. The following table describes the supported chart types.
    Chart type | Description
    Single value chart | Displays important metrics, such as the valid request rate and the peak attack traffic.
    Line chart or area chart | Displays the trends of important metrics within a specific time range, such as the trends of inbound bandwidth and blocked attacks.
    Map | Displays the geographical distribution of visitors and attackers, such as the distribution of attacks by country and the access heat map.
    Pie chart | Displays data percentages, such as the distributed percentages of attacked websites and client types.
    Table | Displays detailed information, such as the information of attackers.

    For more information about the chart types provided by Log Service, see Overview.

Time picker

All charts are based on the statistical results in different time ranges. If you want all charts on the current page to display data for the same time range, you must configure the time picker.

  1. On the Log Analysis tab, click Please Select.
  2. In the Time panel, specify the time range.
    You can select relative time or a time frame, or customize a time range. After you specify the time range, it takes effect on all charts.
    Note: The time picker enables only a temporary view of charts on the current page, and the system does not save the setting. The next time you view the charts, the system uses the default time range.
    If you want to change the time range for a specific chart, move the pointer over the More icon in the upper-right corner of the chart and click Select Time Range.

Chart data drill-down

Data drill-down is configured for some charts. This allows you to view underlying data details. You can move the pointer over the More icon in the upper-right corner of a specific chart. If the drill-down icon appears, data drill-down is configured for this chart.

You can click an underlined number in a chart to view underlying data details. For example, you can identify the domain names that are attacked and the number of attacks by clicking the number in the Attacked Hosts chart of the Security Center tab.
Note: You can also switch to the Raw Logs tab to view the raw log data.

Descriptions of default dashboards

  • Operation Center: displays operational details such as the valid request rate, statistics of attacks, and peak inbound and outbound bandwidths. It also displays the number of received requests, operational trends, and attack overview.
    Chart name | Chart type | Default time range | Description | Example value
    Valid Request Ratio | Single value chart | Today (Time Frame) | Displays the percentage of all valid requests. A valid request is neither an attack nor a request for which the server returns an HTTP 400 error. | 95%
    Valid Request Traffic Ratio | Single value chart | Today (Time Frame) | Displays the percentage of the traffic generated by valid requests. | 95%
    Peak Attack Size | Single value chart | Today (Time Frame) | Displays the peak attack traffic. Unit: bit/s. | 100
    Attack Traffic | Single value chart | 1 Hour (Relative) | Displays the total amount of traffic that is generated by attacks. Unit: bytes. | 30
    Attack Count | Single value chart | 1 Hour (Relative) | Displays the total number of attacks. | 100
    Peak Network In | Single value chart | Today (Time Frame) | Displays the peak inbound traffic. Unit: Kbit/s. | 100
    Peak Network Out | Single value chart | Today (Time Frame) | Displays the peak outbound traffic. Unit: Kbit/s. | 100
    Received Requests | Single value chart | 1 Hour (Relative) | Displays the total number of valid requests. | 7800
    Traffic Received | Single value chart | 1 Hour (Relative) | Displays the total inbound traffic that is generated by valid requests. Unit: MB. | 1.4
    Traffic Out | Single value chart | 1 Hour (Relative) | Displays the total outbound traffic that is generated by valid requests. Unit: MB. | 3.8
    Network Traffic In And Attack | Area chart | Today (Time Frame) | Displays the trends of traffic generated by valid requests and attacks. Unit: Kbit/s. | None
    Request And Interception | Line chart | Today (Time Frame) | Displays the trends of valid requests and the requests that are blocked. Unit: count/h. | None
    Access Status Distribution | Flow chart | Today (Time Frame) | Displays the trends of requests with different status codes (such as 400, 304, and 200) returned. Unit: count/h. | None
    Attack Source (World) | World map | 1 Hour (Relative) | Displays the distribution of attacks by country. | None
    Attack Source (China) | China map | 1 Hour (Relative) | Displays the distribution of attacks by province in China. | None
    Attack Type | Pie chart | 1 Hour (Relative) | Displays the distribution of attacks by attack type. | None
    Attacked Hosts | Treemap chart | 1 Hour (Relative) | Displays the websites that are attacked most. | None
  • Access Center: displays access details such as the numbers of PVs and UVs, access trends, and distribution of visitors by source.
    Chart name | Chart type | Default time range | Description | Example value
    PV | Single value chart | 1 Hour (Relative) | Displays the total number of PVs. | 100000
    UV | Single value chart | 1 Hour (Relative) | Displays the total number of UVs. | 100
    Traffic In | Single value chart | 1 Hour (Relative) | Displays the total inbound traffic. Unit: MB. | 300
    Peak Network In Traffic | Single value chart | Today (Time Frame) | Displays the peak inbound traffic. Unit: Kbit/s. | 0.5
    Peak Network Out Traffic | Single value chart | Today (Time Frame) | Displays the peak outbound traffic. Unit: Kbit/s. | 1.3
    Traffic Network Trend | Area chart | Today (Time Frame) | Displays the trends of inbound and outbound traffic. Unit: Kbit/s. | None
    PV/UV Trends | Line chart | Today (Time Frame) | Displays the trends of PVs and UVs. Unit: count/h. | None
    Access Status Distribution | Flow chart | Today (Time Frame) | Displays the trends of requests with different status codes (such as 400, 304, and 200) returned. Unit: count/h. | None
    Access Source | World map | 1 Hour (Relative) | Displays the distribution of requests by country. | None
    Traffic In Source (World) | World map | 1 Hour (Relative) | Displays the distribution of inbound traffic by country. | None
    Traffic In Source (China) | China map | 1 Hour (Relative) | Displays the distribution of inbound traffic by province in China. | None
    Access Heatmap | AMAP | 1 Hour (Relative) | Displays the heat map that indicates the source distribution of requests by geographical location. | None
    Network Provider Source | Pie chart | 1 Hour (Relative) | Displays the source distribution of requests by Internet service provider, such as China Telecom, China Unicom, China Mobile, and China Education and Research Network. | None
    Referer | Table | 1 Hour (Relative) | Displays the information of hosts and redirection frequency and the first 100 Referer URLs from which the hosts are most frequently redirected. | None
    Mobile Client Distribution | Pie chart | 1 Hour (Relative) | Displays the distribution of requests from mobile clients by client type. | None
    PC Client Distribution | Pie chart | 1 Hour (Relative) | Displays the distribution of requests from PC clients by client type. | None
    Request Content Type Distribution | Pie chart | 1 Hour (Relative) | Displays the distribution of requested resources by content type, such as HTML, form, JSON, and streaming data. | None
    Accessed Sites | Treemap chart | 1 Hour (Relative) | Displays the 30 domain names that are accessed most. | None
    Top Clients | Table | 1 Hour (Relative) | Displays the information of the top 100 clients that visit your domain names most. The information includes the client IP address, region and city, network information, request method, inbound traffic, number of access errors, and number of attacks. | None
    URL With Slowest Response | Table | 1 Hour (Relative) | Displays the information of the top 100 URLs with long response time. The information includes the domain name, URL, average response time, and number of access requests. | None
  • Security Center: displays service information such as basic attack metrics, attack types, attack trends, and attacker distribution.
    Chart name | Chart type | Default time range | Description | Example value
    Peak Attack Size | Single value chart | 1 Hour (Relative) | Displays the peak attack traffic. Unit: bit/s. | 100
    Attacked Hosts | Single value chart | Today (Time Frame) | Displays the number of websites that are attacked. | 3
    Source Country Of Attack | Single value chart | Today (Time Frame) | Displays the number of countries from which attacks are launched. | 2
    Attack Traffic | Single value chart | 1 Hour (Relative) | Displays the total amount of traffic that is generated by attacks. Unit: bytes. | 1 B
    Attacker UV | Single value chart | 1 Hour (Relative) | Displays the number of UVs. | 40
    Attack type distribution | Flow chart | Today (Time Frame) | Displays the distribution of attacks by attack type. | None
    Intercepted Attack | Single value chart | 1 Hour (Relative) | Displays the total number of attacks that are blocked by WAF. | 100
    CC Attack Interception | Single value chart | 1 Hour (Relative) | Displays the number of HTTP flood attacks that are blocked by WAF. | 10
    Web Attack Interception | Single value chart | 1 Hour (Relative) | Displays the number of web application attacks that are blocked by WAF. | 80
    Access Control Event | Single value chart | 1 Hour (Relative) | Displays the number of requests that are blocked based on the custom protection policies of WAF. | 10
    CC Attack (World) | World map | 1 Hour (Relative) | Displays the distribution of HTTP flood attacks by country. | None
    CC Attack (China) | China map | 1 Hour (Relative) | Displays the distribution of HTTP flood attacks by province in China. | None
    Web Attack (World) | World map | 1 Hour (Relative) | Displays the distribution of web application attacks by country. | None
    Web Attack (China) | China map | 1 Hour (Relative) | Displays the distribution of web application attacks by province in China. | None
    Access Control Attack (World) | World map | 1 Hour (Relative) | Displays the distribution of requests that are blocked based on the custom protection policies of WAF by country. | None
    Access Control Attack (China) | China map | 1 Hour (Relative) | Displays the distribution of requests that are blocked based on the custom protection policies of WAF by province in China. | None
    Attacked Hosts | Treemap chart | 1 Hour (Relative) | Displays the websites that are attacked most. | None
    CC Attack Strategy Distribution | Pie chart | 1 Hour (Relative) | Displays the distribution of HTTP flood protection policies. | None
    Web Attack Type Distribution | Pie chart | 1 Hour (Relative) | Displays the distribution of web attacks by attack type. | None
    Top Attackers | Table | 1 Hour (Relative) | Displays the IP addresses, province information, and carriers of the first 100 clients that launch the recent attacks. It also displays the numbers of attacks for different attack types and the amount of traffic generated by these attacks. | None
    Attacker Referer | Table | 1 Hour (Relative) | Displays the Referer information of attacks, including Referer URLs, Referer hosts, and the number of times that the Referer is detected. | None
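
To cross-check dashboard figures against exported raw logs, the following added example (not part of the original documentation or of Log Service) recomputes Valid Request Ratio, Valid Request Traffic Ratio, Attack Count, and a Top Attackers list for one domain name, using the definition of a valid request given in the Operation Center table. Only matched_host is a field name from this page; status, is_attack, client_ip, and bytes are assumed names for illustration, and the records are constructed.

```python
from collections import Counter


def rec(host, status, is_attack, ip, size):
    # Assumed record layout; only "matched_host" is named on the page.
    return {"matched_host": host, "status": status, "is_attack": is_attack,
            "client_ip": ip, "bytes": size}


# Constructed sample records (documentation IP ranges, not real traffic).
SAMPLE_LOGS = [
    rec("www.example.com", 200, False, "198.51.100.7", 1500),
    rec("www.example.com", 200, False, "198.51.100.7", 1500),
    rec("www.example.com", 304, False, "198.51.100.8", 1500),
    rec("www.example.com", 200, False, "198.51.100.9", 1500),
    rec("www.example.com", 400, False, "198.51.100.9", 500),
    rec("www.example.com", 403, True, "203.0.113.5", 500),
    rec("www.example.com", 403, True, "203.0.113.5", 500),
    rec("www.example.com", 403, True, "203.0.113.9", 500),
    rec("api.example.com", 200, False, "198.51.100.7", 5000),
]


def summarize(logs, host, top_n=100):
    """Recompute dashboard-style metrics for one domain name."""
    # Same scope as the console's matched_host:<yourDomainName> filter.
    rows = [r for r in logs if r["matched_host"] == host]
    if not rows:
        return None  # no data in range: avoid dividing by zero
    # Page definition: valid = not an attack and not an HTTP 400 response.
    valid = [r for r in rows if not r["is_attack"] and r["status"] != 400]
    attacks = [r for r in rows if r["is_attack"]]
    total_bytes = sum(r["bytes"] for r in rows)
    valid_bytes = sum(r["bytes"] for r in valid)
    return {
        "valid_request_ratio": len(valid) / len(rows),
        "valid_traffic_ratio": valid_bytes / total_bytes if total_bytes else None,
        "attack_count": len(attacks),
        "top_attackers": Counter(r["client_ip"] for r in attacks).most_common(top_n),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS, "www.example.com"))
```

A mismatch between these numbers and a chart usually means the two were computed over different time ranges, because each chart has its own default range as listed in the tables above.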