The Web Application Firewall (WAF) log service uses Log Service to collect full logs from WAF-protected websites in real time. You can query, analyze, and visualize log data in dashboards for compliance and security operations.
Overview
WAF stores logs only for websites with log collection enabled.
After you enable log collection for a domain, WAF stores logs with the following default configurations.
|
Log storage configuration |
Default configuration |
Customizable |
|
Log retention period |
Logs are stored for 180 days. |
Yes. Valid range: 15 to 360 days. |
|
Custom field configuration |
Includes all required fields and some optional fields by default. |
Yes. You can modify the optional fields in WAF logs. |
|
Storage type |
Stores full logs for the website domain by default. |
Yes. You can change this to store only blocked logs. |
You can customize these configurations. Modify log settings.
Prerequisites
-
You have a subscription WAF instance of the Advanced Edition, Enterprise, Ultimate Edition, or Exclusive edition.
-
You have added your website domain to WAF for protection.
Domains not added to WAF generate no logs. Add your domain by following the Tutorials.
-
You have enabled Log Service.
Enable Log Service when you first log on to the Log Service console.
WAF log collection requires an active Log Service subscription.
NoteOverdue Log Service payments suspend WAF log collection. Collection resumes automatically after payment.
Step 1: Enable the WAF log service
-
Log on to the Web Application Firewall (WAF) console. In the top menu bar, select the resource group and region for your WAF instance: Chinese Mainland or Outside Chinese Mainland.
-
In the left navigation pane, choose .
-
On the Log Service page, click Upgrade Now and follow the on-screen instructions to upgrade.
NoteIf you enabled the Log Service when you purchased the WAF instance, you can skip this step.
Procedure:
-
On the Upgrade/Downgrade page, enable Log Service and select a Log Storage Capacity.
-
Click Proceed to Payment and complete the payment.
-
-
Authorize WAF to access cloud resources. Create a service-linked role.
After you enable WAF log service, Log Service creates a dedicated Project and Logstore for your account. Default configurations are listed in Dedicated WAF Project and Logstore.
Step 2: Use the WAF log service
-
Log on to the Web Application Firewall (WAF) console. In the top menu bar, select the resource group and region for your WAF instance: Chinese Mainland or Outside Chinese Mainland.
-
In the left navigation pane, choose .
-
Select a domain from the drop-down list and turn on the Status switch.
The drop-down list shows only domains added to WAF. To add a domain, follow the Tutorials.
-
On the Log Search tab, analyze WAF logs with query statements. Log query.
Additional examples: Query and analysis examples.
-
On the Log Analysis tab, view the dashboards that WAF generates from your log data.
Log analysis dashboards are predefined reports that visualize log data for monitoring web services and security.
-
Operation Center: Displays business operation metrics, including request trends and attack overviews.
-
Access Center: Displays access metrics, client distribution, traffic, and performance data.
-
Security Center: Displays attack metrics, trends, and source distribution.
Set a time range to query dashboards. You can also subscribe to receive reports by email. View a log analysis dashboard.
-
Dedicated WAF Project and Logstore
Log Service automatically creates the following resources for WAF.
Do not delete or modify the default Project, Logstore, indexes, or dashboards. Log Service periodically updates WAF log analysis features, indexes, and reports.
|
Resource type |
Description |
|
Project |
Log Service automatically creates a Project for WAF.
Find the WAF Project on the Log Service console homepage and click the Project name to open it. Manage Projects. |
|
Logstore |
A Logstore named Non-WAF logs cannot be written to this Logstore via API or SDK. Querying, statistics, alerting, and stream consumption are supported. |
|
Shard |
The WAF Logstore has two Shards with automatic splitting enabled. View Shard properties in Logstore Details. |
|
Dashboard |
The WAF Project includes three predefined dashboards: Operation Center, Access Center, and Security Center. |
Next steps
-
To let a RAM user query and analyze WAF logs, grant the required permissions. Grant a RAM user permissions to query and analyze logs.
-
WAF log query and analysis tutorials: Log application tutorials.
-
To modify WAF log storage rules or capacity: Manage log storage.