Enable log analysis

Procedure

1. Log on to the Web Application Firewall console.
2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
3. In the left-side navigation pane, choose Log Management > Log Service .
4. On the Log Service page that appears, select a domain and ensure that Status next to the domain is turned on.
5. Click the Log Analysis tab.
   The dashboard page in the Log Service console is integrated into this tab. The system automatically specifies Filter, such as matched_host:<yourDomainName>, to display all the log data that is recorded from your domain.

   After you enable the log collection feature of WAF, the following default dashboards are automatically created on the Log Service page: Operation Center, Access Center, and Security Center.

   Dashboard	Description
   Operation Center	Displays operation details such as the valid request rate and the statistics of attacks and peaks of inbound and outbound traffic. It also displays the number of received requests, operations trends, and attack overview.
   Access Center	Displays basic access details such as the number of page views (PVs) and the number of unique visitors (UVs), the access trend, and the distribution of visitors by source.
   Security Center	Displays basic metric information of attacks, attack types, attack trend, and attacker distribution.

   For more information, see Description of default dashboards.

   Dashboards display various reports by using the predefined layout. The following table describes the supported chart types.

   Chart type	Description
   Individual value plot	Displays important metrics, such as the valid request rate and the peak of attacks.
   Line chart or area chart	Displays the trends of important metrics within a specified period of time, such as the trend of inbound bandwidth and attack blocking.
   Map	Displays the geographical distribution of visitors and attackers, such as the distribution of attacks by country and access heat map.
   Pie chart	Displays data proportions, such as the distribution proportions of attacked websites and client types.
   Table	Displays detailed information, such as the information of attackers.

   For more information about the chart types provided by Log Service, see Overview.

Time picker

All charts are based on statistics results for different time periods. If you want all charts on the current page to display data for the same time range, you must configure the time picker.

1. On the Log Analysis tab, click Please Select.
2. In the Time pane, specify the time range.
   You can select relative time or a time frame, or customize a time range. After you modify the time range, it takes effect in all charts.

   Note The time picker only provides a temporary view of charts on the current page, and the system does not save the setting. The next time you view the charts, the system displays the default time range.

   To change the time range for a specific chart, move the pointer over the icon in the upper-right corner of the chart and click Select Time Range.

Chart data drilldown

Data drilldown is configured for some charts. This allows you to quickly view underlying data details. Move the pointer over the icon in the upper-right corner of a specific chart. If the icon is displayed, data drilldown is configured for this chart.

Description of default dashboards

• Operation Center: displays operation details such as the valid request rate and the statistics of attacks and peaks of inbound and outbound traffic. It also displays the number of received requests, operations trends, and attack overview.

  Chart name	Chart type	Default time range	Description	Example value
  Valid Request Ratio	Individual value plot	Today (Time Frame)	Displays the percentage of all valid requests. A valid request is a request that is neither an attack nor a request for which the server returns the 400 error. Unit: %.	95
  Valid Request Traffic Ratio	Individual value plot	Today (Time Frame)	Displays the percentage of the traffic generated by valid requests. Unit: %.	95
  Peak Attack Size	Individual value plot	Today (Time Frame)	Displays the peak throughput of attacks. Unit: bit/s.	100
  Attack Traffic	Individual value plot	1 Hour (Relative)	Displays the total amount of traffic that is generated by attacks. Unit: bytes.	30
  Attack Count	Individual value plot	1 Hour (Relative)	The total number of attacks.	100
  Peak Network In	Individual value plot	Today (Time Frame)	Displays the peak inbound throughput. Unit: Kbit/s.	100
  Peak Network Out	Individual value plot	Today (Time Frame)	Displays the peak outbound throughput. Unit: Kbit/s.	100
  Received Requests	Individual value plot	1 Hour (Relative)	Displays the total number of valid requests.	7800
  Traffic Received	Individual value plot	1 Hour (Relative)	Displays the total inbound traffic that is generated by valid requests. Unit: MB.	1.4
  Traffic Out	Individual value plot	1 Hour (Relative)	Displays the total outbound traffic that is generated by valid requests. Unit: MB.	3.8
  Network Traffic In And Attack	Area chart	Today (Time Frame)	Displays the trends of throughput generated by valid requests and attacks. Unit: Kbit/s	-
  Request And Interception	Line chart	Today (Time Frame)	Displays the trends of valid requests and the total number of requests that are blocked. Unit: count/h.	-
  Access Status Distribution	Flow chart	Today (Time Frame)	Displays the trends of requests with different status codes (such as 404, 304, and 200) returned. Unit: count/h.	-
  Attack Source (World)	World map	1 Hour (Relative)	Displays the distribution of attacks by country.	-
  Attack Source (China)	Map of China	1 Hour (Relative)	Displays the distribution of attacks by province in China.	-
  Attack Type	Pie chart	1 Hour (Relative)	Displays the distribution of attacks by attack type.	-
  Attacked Hosts	Treemap chart	1 Hour (Relative)	Displays the websites that are attacked most.	-

• Access Center: displays basic access details such as the number of page views (PVs) and the number of unique visitors (UVs), the access trend, and the distribution of visitors by source.

  Chart name	Chart type	Default time range	Description	Example value
  PV	Individual value plot	1 Hour (Relative)	Displays the total number of PVs.	100000
  UV	Individual value plot	1 Hour (Relative)	Displays the total number of UVs.	100
  Traffic In	Individual value plot	1 Hour (Relative)	Displays the total inbound traffic. Unit: MB.	300
  Peak Network In Traffic	Individual value plot	Today (Time Frame)	Displays the peak inbound throughput. Unit: Kbit/s.	0.5
  Peak Network Out Traffic	Individual value plot	Today (Time Frame)	Displays the peak outbound throughput. Unit: Kbit/s.	1.3
  Traffic Network Trend	Area chart	Today (Time Frame)	Displays the trends of inbound and outbound throughput. Unit: Kbit/s.	-
  PV/UV Trends	Line chart	Today (Time Frame)	Displays the trends of PVs and UVs. Unit: count/h.	-
  Access Status Distribution	Flow chart	Today (Time Frame)	Displays the trends of requests with different status codes (such as 404, 304, and 200) returned. Unit: count/h.	-
  Access Source	World map	1 Hour (Relative)	Displays the distribution of requests by country.	-
  Traffic In Source (World)	World map	1 Hour (Relative)	Displays the distribution (by country) of inbound traffic from requests.	-
  Traffic In Source (China)	Map of China	1 Hour (Relative)	Displays the distribution (by province in China) of inbound traffic from requests.	-
  Access Heatmap	AMAP	1 Hour (Relative)	Displays the heat map that indicates the source distribution of requests by geographical location.	-
  Network Provider Source	Pie chart	1 Hour (Relative)	Displays the source distribution of requests by Internet service provider, such as China Telecom, China Unicom, China Mobile, and China Education and Research Network.	-
  Referer	Table	1 Hour (Relative)	Displays the information of hosts and redirection frequency and the first 100 Referer URLs from which the hosts are most frequently redirected.	-
  Mobile Client Distribution	Pie chart	1 Hour (Relative)	Displays the distribution of requests from mobile clients by client type.	-
  PC Client Distribution	Pie chart	1 Hour (Relative)	Displays the distribution of requests from PC clients by client type.	-
  Request Content Type Distribution	Pie chart	1 Hour (Relative)	Displays the distribution of requested resources by content type, such as HTML, form, JSON, and streaming data.	-
  Accessed Sites	Treemap chart	1 Hour (Relative)	Displays the 30 domains that are accessed most.	-
  Top Clients	Table	1 Hour (Relative)	Displays the information of the top 100 clients that visit your domains on a regular basis. The information includes the client IP address, the region and city, network information, the request method, inbound traffic, the number of incorrect accesses, and the number of attacks.	-
  URL With Slowest Response	Table	1 Hour (Relative)	Displays the information of the top 100 URLs with long response time. The information includes the domain, the URL, the average response time, and the number of accesses.	-

• Security Center: displays basic metric information of attacks, attack types, attack trend, and attacker distribution.

  Chart name	Chart type	Default time range	Description	Example value
  Peak Attack Size	Individual value plot	1 Hour (Relative)	Displays the peak throughput of attacks. Unit: bit/s.	100
  Attacked Hosts	Individual value plot	Today (Time Frame)	Displays the number of websites that are attacked.	3
  Source Country Of Attack	Individual value plot	Today (Time Frame)	Displays the number of countries from which attacks are launched.	2
  Attack Traffic	Individual value plot	1 Hour (Relative)	Displays the total amount of traffic that is generated by attacks. Unit: bytes.	1
  Attacker UV	Individual value plot	1 Hour (Relative)	Displays the number of UVs.	40
  Attack type distribution	Flow chart	Today (Time Frame)	Displays the distribution of attacks by attack type.	-
  Intercepted Attack	Individual value plot	1 Hour (Relative)	Displays the total number of attacks that are blocked by WAF.	100
  CC Attack Interception	Individual value plot	1 Hour (Relative)	Displays the number of HTTP flood attacks that are blocked by WAF.	10
  Web Attack Interception	Individual value plot	1 Hour (Relative)	Displays the number of web application attacks that are blocked by WAF.	80
  Access Control Event	Individual value plot	1 Hour (Relative)	Displays the number of requests that are blocked by the HTTP ACL policies of WAF.	10
  CC Attack (World)	World map	1 Hour (Relative)	Displays the distribution of HTTP flood attacks by country.	-
  CC Attack (China)	Map of China	1 Hour (Relative)	Displays the distribution of HTTP flood attacks by province in China.	-
  Web Attack (World)	World map	1 Hour (Relative)	Displays the distribution of web application attacks by country.	-
  Web Attack (China)	Map of China	1 Hour (Relative)	Displays the distribution of web application attacks by province in China.	-
  Access Control Attack (World)	World map	1 Hour (Relative)	Displays the distribution (by country) of requests that are blocked by the HTTP ACL policies of WAF.	-
  Access Control Attack (China)	Map of China	1 Hour (Relative)	Displays the distribution (by province in China) of requests that are blocked by the HTTP ACL policies of WAF.	-
  Attacked Hosts	Treemap chart	1 Hour (Relative)	Displays the websites that are attacked most.	-
  CC Attack Strategy Distribution	Pie chart	1 Hour (Relative)	Displays the distribution of HTTP flood protection policies.	-
  Web Attack Type Distribution	Pie chart	1 Hour (Relative)	Displays the distribution of web attacks by attack type.	-
  Top Attackers	Table	1 Hour (Relative)	Displays IP addresses, province information, and network providers of the first 100 clients that launch the recent attacks. It also displays the number of attacks and the amount of traffic generated by these attacks.	-
  Attacker Referer	Table	1 Hour (Relative)	Displays the Referer information of attack requests, including Referer URLs, Referer hosts, and the number of attacks.	-