When WAF log storage reaches its capacity, new logs stop being recorded—leaving security events undetected and audit trails incomplete. This topic describes four methods for resolving a full log storage issue and when to use each one.
Potential impacts
A full log storage causes the following problems:
Log loss: New logs cannot be recorded, and security event data is permanently lost.
Missed threats: Security analysis services that depend on WAF logs may fail to detect and respond to attacks in time.
Compliance violations: Industries that require log retention for auditing may face regulatory issues if logs are incomplete.
Choose a method
Use the following table to pick the method that fits your situation:
| Method | What it does | Best for |
|---|---|---|
| Upgrade log storage space | Increases total capacity | Immediate fix; business requires full log coverage |
| Reduce log fields per protected object | Records fewer fields or log types for non-critical objects | Fine-grained control without losing critical coverage |
| Reduce log storage duration | Shortens how long logs are kept | Logs older than your retention requirement are safe to delete |
| Reduce log index fields | Removes unused search indexes to free index space | Index space contributes to storage usage alongside log data storage |
Upgrading storage is the only method that preserves full log coverage. The other three methods trade coverage or retention for space savings—review your compliance requirements before applying them.
Upgrade log storage space
Only subscription instances of Pro, Enterprise, and Ultimate editions support viewing and upgrading log storage capacity. Pay-as-you-go instances are billed based on actual usage and settled by Simple Log Service, so they have no capacity limit and require no separate log capacity configuration.
Log on to the Web Application Firewall 3.0 console. In the left navigation bar, select Detection and Response > Log Service, and click Upgrade Storage in the upper-right corner.
Select a larger Log Storage Capacity specification and complete the purchase.
Reduce log fields per protected object
LogShipper supports fine-grained field and log type configuration at the individual protected-object level. Settings applied to a specific protected object take precedence over the default field settings.
For non-critical protected objects, limit logs to attack-related fields and types only. For critical objects, keep full field coverage to support comprehensive auditing.
Log on to the Web Application Firewall 3.0 console. In the left navigation bar, select Detection and Response > Log Service, and click Log Configuration > Delivery Settings in the upper-right corner.
In the Delivery Settings tab, click Field Settings in the Field of Delivery to Simple Log Service column for the target protected object, and configure the following parameters:
To reduce storage usage, select only Block Logs and set a lower sampling ratio for Normal Request Logs or disable them entirely for non-critical objects. If your business requires comprehensive auditing, enable all log types with a 100% sampling ratio.
Parameter Description Required fields Always included in WAF logs. Cannot be edited. For a full list, see Required log fields. Optional fields Manually select which fields to include. Only enabled fields are recorded. Enabling more optional fields increases storage usage. For a full list, see Optional log fields. Log type Select one or more log types and set a sampling ratio (1%–100%) for each. The sampling ratio controls the percentage of generated log entries that are collected and stored. Available log types: Block Logs (requests that fail to reach the origin server because they trigger security policies, such as Block, JS validation, slider verification, or dynamic token protection), Detection Logs (requests that trigger observation rules only), and Normal Request Logs (requests that pass all checks, including JS validation, slider verification, and dynamic token verification). Click OK. When the The operation is successful message appears, the configuration is active for the selected protected object.
Reduce log storage duration
Log on to the Web Application Firewall 3.0 console. In the left navigation bar, select Detection and Response > Log Service, and click Storage Duration in the upper-right corner to open the Simple Log Service console.
In the Logstore Attributes panel, click Modify in the upper-right corner, reduce the Data Retention Period, and click Save.
Important- Before shortening the retention period, verify that the new setting complies with your regulatory and compliance requirements. Insufficient retention can cause compliance violations. - When the retention period reaches the number of days set, the logs that exceed the period are automatically deleted. For example, reducing the retention period from 30 days to 7 days can save a significant amount of storage space without losing critical data.
Reduce log index fields
Indexes enable fast log search and analysis in Simple Log Service, but they consume additional storage space. Removing unused indexes reduces index space usage without affecting the stored log content itself.
This method reduces index space only—it does not reduce the storage space used by the log data. To reduce log data storage, use Reduce log fields per protected object or Reduce log storage duration instead.
Log on to the Simple Log Service console. In the Project list, click the target project whose name starts with
wafng.
In the left navigation bar, click Log Storage
, and in the Logstore list, click the target Logstore.
On the query and analysis page, select Index Attributes > Attributes.
In the Search & Analysis panel, disable the Auto-update switch. When the current Logstore is a dedicated cloud-product Logstore or an internal Logstore, the Auto-update switch is enabled by default and the Field Search area is disabled.
WarningIf you have configured custom reports or alerts in Simple Log Service, deleting indexes from the WAF product Logstore may break those reports and alerts.
In the Field Search area, delete the unnecessary field indexes, then click OK.
