Cloud Firewall automatically records all traffic and provides a visual log audit page where you can query attack events, traffic details, and operation logs. This simplifies and accelerates attack source tracing and traffic analysis. By default, you can query audit logs for the last 7 days to support real-time security monitoring and effective incident response.
Cloud Firewall stores audit logs for 7 days by default. To retain logs for a longer period, meet classified protection requirements, or export raw log data, you can enable the log analysis feature. For more information, see Log analysis overview.
Log types
Cloud Firewall generates three types of logs: event logs, traffic logs, and operation logs.
Event logs record all traffic that Cloud Firewall identifies as potential security threats or abnormal behavior. Each log entry captures key information such as the event time, threat type, source IP address, destination IP address, application type, severity, and policy action. This information helps you track and analyze security events.
For events blocked by virtual patching and basic protection, you can click Obtain Attack Sample in the event logs list to generate an attack sample from the last 7 days. The attack sample contains detailed data about the attack event. Generated attack samples are retained for one month.
Traffic logs record all normal network traffic that passes through Cloud Firewall. Each entry includes the source IP address, destination IP address, port number, protocol, and traffic volume. Use traffic logs to understand network usage patterns and perform network behavior analysis.
Operation logs record all user actions in the Cloud Firewall console, such as changes to rule configurations, system setting adjustments, or any administrative interventions. Operation logs help you audit user behavior and ensure accountability for system changes.
Query audit logs
The following procedure uses querying traffic logs as an example to demonstrate the log audit feature. The query fields differ for each log type. For the specific fields available, refer to the page in the console.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
Click the Traffic Logs tab and select the firewall type for which you want to query logs.
Set the query conditions and time range, and then click Search.
Key traffic log fields
The following table describes key fields in traffic logs to help you understand traffic characteristics and behavior.
When you query traffic logs, you can click List Configurations to the right of the search bar to select the fields to display in the traffic log list. In addition to the required fields, you can select up to eight optional fields.
| Field | Description |
| --- | --- |
| Rule Name/Rule ID | The name or ID of the access control policy or attack protection rule that the traffic matched. If this field is empty, the traffic did not match any access control policy or attack protection rule. |
| Pre-match Access Control Policy Status | When traffic passes through Cloud Firewall, it is matched against access control policies based on priority. If Cloud Firewall cannot identify the application or domain of the traffic when matching a specific access control policy, the Pre-match Access Control Policy Status field displays the corresponding unidentified status, and the Pre-match Access Control Policy field displays the name of that access control policy. Valid values for Pre-match Access Control Policy Status: |
| Pre-match Access Control Policy | The name of the access control policy that was being matched when the application or domain could not be identified. |
| Application Identification Status | The application identification status during access control policy matching. Valid values: |
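The log types described above and the key traffic-log fields in this table are what an analyst works from once raw logs have been exported through log analysis. The following added example, which is not Alibaba Cloud's code and not part of this page, shows the kind of offline triage those fields support: it finds flows whose Rule Name/Rule ID is empty (traffic that matched no policy), lists flows where the pre-match status shows the application could not be identified, aggregates traffic volume per source IP, and applies the 7-day audit window. The record layout (Python dicts with keys such as `rule_name`, `pre_match_policy_status`, `bytes`) and the status label `application unidentified` are assumptions made for this example; the sample records are constructed, not real logs.

```python
"""Offline triage of exported Cloud Firewall traffic-log records.

Added example, not Alibaba Cloud code. The field names mirror the columns
described on this page; the export key spelling and the status label
"application unidentified" are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real data). Keys follow the documented
# traffic-log fields: source/destination IP, port, protocol, traffic volume,
# matched rule, pre-match policy status and application identification status.
SAMPLE_TRAFFIC_LOGS = [
    {"time": "2024-01-02T10:00:00Z", "src_ip": "203.0.113.10", "dst_ip": "10.0.0.5",
     "dst_port": 443, "protocol": "TCP", "bytes": 120000,
     "rule_name": "allow-web", "rule_id": "acl-1001",
     "app_identification_status": "identified",
     "pre_match_policy_status": "", "pre_match_policy": ""},
    {"time": "2024-01-03T10:05:00Z", "src_ip": "203.0.113.10", "dst_ip": "10.0.0.5",
     "dst_port": 22, "protocol": "TCP", "bytes": 4000,
     "rule_name": "", "rule_id": "",            # matched no policy at all
     "app_identification_status": "identified",
     "pre_match_policy_status": "", "pre_match_policy": ""},
    {"time": "2023-12-30T08:00:00Z", "src_ip": "198.51.100.7", "dst_ip": "10.0.0.9",
     "dst_port": 53, "protocol": "UDP", "bytes": 800,   # older than 7 days
     "rule_name": "allow-dns", "rule_id": "acl-1002",
     "app_identification_status": "identified",
     "pre_match_policy_status": "", "pre_match_policy": ""},
    {"time": "2024-01-06T09:30:00Z", "src_ip": "198.51.100.7", "dst_ip": "10.0.0.5",
     "dst_port": 443, "protocol": "TCP", "bytes": 60000,
     "rule_name": "", "rule_id": "",
     "app_identification_status": "unidentified",
     "pre_match_policy_status": "application unidentified",  # assumed label
     "pre_match_policy": "block-risky-apps"},
    {"time": "2024-01-07T23:00:00Z", "src_ip": "192.0.2.44", "dst_ip": "10.0.0.5",
     "dst_port": 8080, "protocol": "TCP", "bytes": 250000,
     "rule_name": "", "rule_id": "acl-1007",    # name empty but ID present: matched
     "app_identification_status": "identified",
     "pre_match_policy_status": "", "pre_match_policy": ""},
]


def _parse_time(value):
    """Parse an ISO-8601 timestamp; a trailing 'Z' is treated as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def within_audit_window(records, now_iso, days=7):
    """Keep records inside the audit window (7 days by default, as on the console)."""
    cutoff = _parse_time(now_iso) - timedelta(days=days)
    return [r for r in records if _parse_time(r["time"]) >= cutoff]


def unmatched_flows(records):
    """Flows whose Rule Name and Rule ID are both empty: they matched no
    access control policy or attack protection rule."""
    return [r for r in records if not r.get("rule_name") and not r.get("rule_id")]


def pre_match_unidentified(records):
    """Flows where the application or domain could not be identified while a
    specific policy was being matched. Returns (policy, src_ip, dst_ip)."""
    return [(r["pre_match_policy"], r["src_ip"], r["dst_ip"])
            for r in records if r.get("pre_match_policy_status")]


def bytes_by_source(records):
    """Total traffic volume per source IP address."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src_ip"]] += r["bytes"]
    return dict(totals)


def top_talkers(records, n=3):
    """The n source IPs with the largest traffic volume, highest first."""
    return sorted(bytes_by_source(records).items(),
                  key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    now = datetime(2024, 1, 8, 12, tzinfo=timezone.utc).isoformat()
    recent = within_audit_window(SAMPLE_TRAFFIC_LOGS, now)
    print(f"{len(recent)} of {len(SAMPLE_TRAFFIC_LOGS)} records inside the audit window")
    for r in unmatched_flows(recent):
        print("no policy matched:", r["src_ip"], "->", r["dst_ip"], r["dst_port"])
    for policy, src, dst in pre_match_unidentified(recent):
        print(f"unidentified app while matching {policy}: {src} -> {dst}")
    print("top talkers:", top_talkers(recent, 2))
```

Note that a record with an empty Rule Name but a populated Rule ID is treated as matched, since the page defines "unmatched" as both the name and ID being empty; checking only the name would over-report.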
References
Cloud Firewall stores audit logs for 7 days by default. To retain logs for a longer period or meet classified protection requirements, you can enable the log analysis feature. For more information, see Log analysis overview.
Cloud Firewall provides a packet capture tool for capturing network packets from specified IP addresses and ports. You can then analyze the packet content to troubleshoot network issues, analyze attack behavior, and identify security risks. For detailed instructions, see Packet capture.
Why do I see traffic logs for periodic ICMP probes from Alibaba Cloud?
Is log analysis data retained after I release a Cloud Firewall instance?