Web Application Firewall (WAF) is integrated with Log Service to provide the Log Service for WAF feature. The feature collects, stores, and analyzes access logs and protection logs of domain names that are added to WAF. You can use this feature to query and analyze log data, configure charts and alert rules based on query results, and deliver log data to downstream services for consumption.

Intended users

  • Large-scale enterprises and organizations that have log storage requirements, such as financial entities and public service sectors. The logs include host, network, and security logs of various cloud assets.
  • Organizations that have security operations centers (SOCs) and want to collect and manage security and alert logs in a centralized manner, such as public service sectors and large-scale companies in the real estate, e-commerce, and finance industries.
  • Enterprises that have advanced technologies and require in-depth log analysis and automated alert handling, such as companies in the IT, gaming, and finance industries.
  • All users who need to trace business security events and generate weekly, monthly, and yearly reports, or users who need to meet classified protection requirements (MLPS level 3 or higher).


  • Trace web attack logs back to the source of security threats.
  • View requests and query their status and trends.
  • Obtain information about the effect of security operations and handle exceptions in a timely manner.
  • Generate and deliver security network logs to user-managed data and computing centers.


  • Compliance audits: You can store website access logs for more than six months to meet classified protection requirements.
  • Flexible configuration:
    • You can collect and store web access and protection logs with a few steps.
    • You can configure the custom log storage duration and capacity and specify the websites whose logs you want to collect.
    • You can modify existing report templates or create custom report templates based on your business or security requirements.
  • Real-time log analysis: WAF provides the real-time log analysis feature and an out-of-the-box (OOTB) report center and supports interactive data mining. This allows you to identify and analyze various attacks on your website and access details in real time.
  • Real-time alerting: You can customize monitoring and alert rules based on specific metrics. This way, you can respond to exceptions in critical services in a timely manner.
  • Collaboration: You can use this feature together with other data solutions such as real-time computing, cloud storage, and visualization to further explore the value of data.

Feature overview

Feature Description
Log collection After you enable the Log Service for WAF feature, you can enable log collection for domain names that are added to WAF. WAF can collect and store logs for the domain names only after log collection is enabled for the domain names. You can query and analyze the collected log data. For more information about the log fields supported by WAF, see Log fields supported by WAF.

You can modify log settings such as the storage period, optional log fields, and storage type. The storage types are Logs and Block Logs. For more information, see Modify log settings.

Log query and analysis You can use query statements to query and analyze collected logs.

Each query statement consists of a search statement and an analytic statement that uses the standard SQL-92 syntax. The search statement and analytic statement are separated with a vertical bar (|). For more information about search statements, see Search syntax. For more information about analytic statements, see Log analysis overview. By default, analysis results are displayed in tables. You can also choose to view analysis results in charts such as line charts, column charts, or pie charts.

You can create alert rules based on query statements. After you create an alert rule, Log Service checks query and analysis results on a regular basis. If the query and analysis results meet a trigger condition that you specified in the alert rule, Log Service sends an alert notification. This allows you to monitor your service status in real time. For more information, see Log alerts.

Dashboards A dashboard provides real-time data analysis results. You can view multiple charts generated based on query and analysis results on a dashboard.

The Log Service for WAF feature provides the following three dashboards based on common business and security scenarios: Operation Center, Access Center, and Security Center dashboards. If you want to view the business and security data of your website, you need only to specify a time range on the dashboards. You do not need to enter a query or analytic statement.

You can subscribe to dashboards to send dashboard data to specific recipients by email.

Management of log storage space You can query the amount of storage that is occupied by logs on a regular basis. You can also increase the storage capacity or delete the stored logs based on your business requirements.
Integrate WAF logs into a Syslog server To meet regulatory and audit requirements, you can use Python programs to deliver logs from WAF to a Syslog server. This allows you to manage all the related logs in your security operations center.