After you enable the Log Service for WAF feature, you can adjust how WAF collects and stores logs — including the retention period, which fields to include, and whether to store all traffic or only blocked requests. Configuring these settings lets you balance storage consumption against the depth of visibility you need for security analysis and compliance audits.
Log settings apply to all domain names for which log collection is enabled.
Prerequisites
Before you begin, ensure that you have:
The Log Service for WAF feature enabled. For setup instructions, see Get started with the Simple Log Service for WAF feature
Modify log settings
Log on to the WAF console. In the top navigation bar, select the resource group and the region where your WAF instance is deployed (Chinese Mainland or Outside Chinese Mainland).
In the left-side navigation pane, choose Log Management > Log Service.
In the upper-right corner of the Log Service page, click Log Settings.
Configure the parameters in the following table, then click Save.
| Parameter | Description |
|---|---|
| Storage Period | The number of days to retain logs. Default value: 180. Valid values: 15–360. The default value is 180. The valid range is 15 to 360. |
| Custom Field Configuration | The log fields included in WAF logs. Fields are divided into two categories: Required Fields (always included, cannot be modified) and Optional Fields (added based on your analysis needs). To add an optional field, select it in the Available Fields section and click the right arrow to move it to the Selected Fields section. For the full list of supported fields, see Log fields supported by WAF. |
| Log Type | The type of requests to log. See Choose a log type below. |
Choose a log type
| Log type | What gets logged | When to use |
|---|---|---|
| Full Logs | All requests — both allowed and blocked | Use when you need complete traffic visibility for security analysis, rule tuning, or compliance audits |
| Block Logs | Only blocked requests | Use when storage is a concern and your primary goal is reviewing WAF enforcement actions |
Full Logs give you the complete picture of traffic reaching your WAF, which is useful for tuning protection rules and investigating false positives. Block Logs reduce storage consumption while keeping the records most relevant to active threats.
What happens after you save
After you save the settings, the Log Service for WAF feature stores logs according to the configuration. To query and analyze the stored logs, go to Log Management > Log Service in the WAF console and use the log query interface.