All Products
Search
Document Center

Simple Log Service:Get started with WAF log service

Last Updated:Jun 03, 2026

The Web Application Firewall (WAF) log service uses Log Service to collect full logs from WAF-protected websites in real time. You can query, analyze, and visualize log data in dashboards for compliance and security operations.

Overview

WAF stores logs only for websites with log collection enabled.

After you enable log collection for a domain, WAF stores logs with the following default configurations.

Log storage configuration

Default configuration

Customizable

Log retention period

Logs are stored for 180 days.

Yes. Valid range: 15 to 360 days.

Custom field configuration

Includes all required fields and some optional fields by default.

Yes. You can modify the optional fields in WAF logs.

Storage type

Stores full logs for the website domain by default.

Yes. You can change this to store only blocked logs.

You can customize these configurations. Modify log settings.

Prerequisites

  • You have a subscription WAF instance of the Advanced Edition, Enterprise, Ultimate Edition, or Exclusive edition.

  • You have added your website domain to WAF for protection.

    Domains not added to WAF generate no logs. Add your domain by following the Tutorials.

  • You have enabled Log Service.

    Enable Log Service when you first log on to the Log Service console.

    WAF log collection requires an active Log Service subscription.

    Note

    Overdue Log Service payments suspend WAF log collection. Collection resumes automatically after payment.

Step 1: Enable the WAF log service

  1. Log on to the Web Application Firewall (WAF) console. In the top menu bar, select the resource group and region for your WAF instance: Chinese Mainland or Outside Chinese Mainland.

  2. In the left navigation pane, choose Security Operations > Log Service.

  3. On the Log Service page, click Upgrade Now and follow the on-screen instructions to upgrade.

    Note

    If you enabled the Log Service when you purchased the WAF instance, you can skip this step.

    Procedure:

    1. On the Upgrade/Downgrade page, enable Log Service and select a Log Storage Capacity.

    2. Click Proceed to Payment and complete the payment.

  4. Authorize WAF to access cloud resources. Create a service-linked role.

After you enable WAF log service, Log Service creates a dedicated Project and Logstore for your account. Default configurations are listed in Dedicated WAF Project and Logstore.

Step 2: Use the WAF log service

  1. Log on to the Web Application Firewall (WAF) console. In the top menu bar, select the resource group and region for your WAF instance: Chinese Mainland or Outside Chinese Mainland.

  2. In the left navigation pane, choose Security Operations > Log Service.

  3. Select a domain from the drop-down list and turn on the Status switch.

    The drop-down list shows only domains added to WAF. To add a domain, follow the Tutorials.

  4. On the Log Search tab, analyze WAF logs with query statements. Log query.

    Additional examples: Query and analysis examples.

  5. On the Log Analysis tab, view the dashboards that WAF generates from your log data.

    Log analysis dashboards are predefined reports that visualize log data for monitoring web services and security.

    • Operation Center: Displays business operation metrics, including request trends and attack overviews.

    • Access Center: Displays access metrics, client distribution, traffic, and performance data.

    • Security Center: Displays attack metrics, trends, and source distribution.

    Set a time range to query dashboards. You can also subscribe to receive reports by email. View a log analysis dashboard.

Dedicated WAF Project and Logstore

Log Service automatically creates the following resources for WAF.

Important

Do not delete or modify the default Project, Logstore, indexes, or dashboards. Log Service periodically updates WAF log analysis features, indexes, and reports.

Resource type

Description

Project

Log Service automatically creates a Project for WAF.

  • For WAF instances in the Chinese mainland: The Project name is waf-project-<YourAlibabaCloudAccountID>-cn-hangzhou, and the region is China (Hangzhou).

  • For WAF instances in regions outside the Chinese mainland: The Project name is waf-project-<YourAlibabaCloudAccountID>-ap-southeast-1, and the region is Asia Pacific SE 1 (Singapore).

Find the WAF Project on the Log Service console homepage and click the Project name to open it. Manage Projects.

Logstore

A Logstore named waf-logstore is created in the WAF Project to store all WAF logs. Manage Logstores.

Non-WAF logs cannot be written to this Logstore via API or SDK. Querying, statistics, alerting, and stream consumption are supported.

Shard

The WAF Logstore has two Shards with automatic splitting enabled. View Shard properties in Logstore Details.

Manage Shards.

Dashboard

The WAF Project includes three predefined dashboards: Operation Center, Access Center, and Security Center.

View a log analysis dashboard.

Next steps