All the traffic that passes through Cloud Firewall is recorded in logs, and the logs are displayed on the Log Audit page. The logs are classified into traffic logs, event logs, and operation logs. You can use the logs to audit all traffic in real time and detect suspicious traffic.

Cloud Firewall provides the log analysis feature. This feature allows you to specify a log storage duration that ranges from 7 to 365 days. If your business needs to meet the requirements for classified protection and compliance, we recommend that you enable the log analysis feature. For more information about the billing of the log analysis feature, see Billing.

Event logs

The Event Logs tab displays the logs of events on traffic that passes through the Internet firewall and virtual private cloud (VPC) firewalls. On the Event Logs tab, you can click the Internet Firewall or VPC Firewall tab to view the information about event logs. The information includes the time when an event was detected, threat type, source IP address, destination IP address, application type, severity, and policy action.

In the upper part of the Event Logs tab, you can specify the source IP address, destination IP address, threat type, policy action, or custom time range to search for event logs.
Note: The custom time range must be within the last seven days.

Traffic logs

The Traffic Logs tab displays the logs of traffic that passes through the Internet firewall and VPC firewalls. On the Traffic Logs tab, you can click the Internet Firewall or VPC Firewall tab to view the information about traffic logs. The information includes the start time and end time of access, source IP address, destination port, protocol, policy action, number of bytes, and number of packets.

On the Internet Firewall or VPC Firewall tab, you can click List Configuration to the right of search conditions. In the List Configuration dialog box, you can select the columns that you want to display in the log list and click OK. You can select up to eight columns.

On the Traffic Logs tab, you can select IPV4 or IPV6, and specify a source IP address, destination IP address, policy ID, application type, or custom time range to search for traffic logs.
Note: The custom time range must be within the last seven days.
On the Internet Firewall or VPC Firewall tab, you can click Show Advanced Search to the right of the search conditions. You can specify the search conditions such as the direction, policy source, port, and region to search for logs more precisely.
Note: If traffic hits an access control policy or protection policy, the name of the policy is displayed in the Policy Name column of the traffic log. If traffic does not hit a policy, a hyphen (-) is displayed in the Policy Name column.
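
The Policy Name rule above lends itself to a policy coverage audit: rows with a hyphen are flows that no access control or protection policy matched. The following Python is an added example, not code from Cloud Firewall; the CSV layout, column names, and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. The column names and CSV layout are assumptions
# made for this example, not Cloud Firewall's own export format.
SAMPLE_TRAFFIC_LOG = """\
start_time,end_time,src_ip,dst_ip,dst_port,protocol,policy_name,bytes,packets
2024-05-01 10:00:00,2024-05-01 10:00:05,203.0.113.7,10.0.1.15,443,TCP,allow-web,18200,24
2024-05-01 10:00:02,2024-05-01 10:00:03,198.51.100.23,10.0.1.15,3389,TCP,-,940,9
2024-05-01 10:01:10,2024-05-01 10:01:12,198.51.100.23,10.0.1.15,3389,TCP,-,1210,11
2024-05-01 10:02:00,2024-05-01 10:02:01,10.0.1.15,192.0.2.80,53,UDP,-,310,2
2024-05-01 10:03:00,2024-05-01 10:03:09,203.0.113.7,10.0.1.16,22,TCP,deny-ssh-inbound,480,6
"""


def unmatched_flows(csv_text):
    """Aggregate rows whose policy name is '-' by (src, dst, port, protocol)."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0, "packets": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["policy_name"].strip() != "-":
            continue  # traffic hit an access control or protection policy
        key = (row["src_ip"], row["dst_ip"], int(row["dst_port"]), row["protocol"])
        totals[key]["flows"] += 1
        totals[key]["bytes"] += int(row["bytes"])
        totals[key]["packets"] += int(row["packets"])
    # Heaviest uncovered paths first, so they are reviewed first.
    return sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


def policy_coverage(csv_text):
    """Fraction of logged flows that matched a named policy."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    matched = sum(1 for r in rows if r["policy_name"].strip() != "-")
    return matched / len(rows) if rows else 1.0


if __name__ == "__main__":
    print(f"policy coverage: {policy_coverage(SAMPLE_TRAFFIC_LOG):.0%}")
    for (src, dst, port, proto), t in unmatched_flows(SAMPLE_TRAFFIC_LOG):
        print(f"{src} -> {dst}:{port}/{proto} flows={t['flows']} bytes={t['bytes']}")
```

Each path it reports is a candidate for an explicit policy, so that later traffic logs show a policy name instead of a hyphen.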

Operation logs

The Operation Logs tab displays the time, type, severity, and other details about each operation performed on Cloud Firewall.

On the Operation Logs tab, you can specify a value for Severity, a value for Log Content, or a custom time range to search for operation logs.
Note: The custom time range must be within the last six months.