By default, the Web Application Firewall (WAF) log service is disabled. To store, query, and analyze logs for your protected objects, you must first enable the WAF log service. If you no longer use the feature on a subscription WAF instance, you cannot disable it before the instance expires, but you can reduce the log storage capacity to reduce costs. On a pay-as-you-go WAF instance, you can disable the feature at any time.
Enable log service
Prerequisites
A subscription WAF 3.0 instance of the Pro, Enterprise or Ultimate edition is purchased, or a pay-as-you-go WAF 3.0 instance is purchased. For more information, see Purchase a WAF 3.0 subscription instance and Activate a pay-as-you-go WAF 3.0 instance.
You cannot enable log service for a subscription WAF 3.0 instance of the Basic edition. If you use a subscription WAF 3.0 instance of the Basic edition and want to use Log Service, we recommend upgrading the edition of your instance. For more information, see Upgrade or downgrade a WAF instance.
Subscription WAF instances
Enable log service on the WAF buy page
On the Web Application Firewall 3.0 (Subscription) buy page, set the Log Service parameter to Enable and specify a log storage capacity based on your business requirements.
Enable log service in the WAF console
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
In the Storage Region drop-down list below Enable Logging for Protected Objects, select the region where you want to store logs.
You can select one of the following regions:
Chinese Mainland: China (Hangzhou) and China (Beijing)
Outside Chinese Mainland: Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), UAE (Dubai), Germany (Frankfurt), US (Virginia), US (Silicon Valley), Japan (Tokyo), South Korea (Seoul), UK (London), China (Hong Kong), SAU (Riyadh), and Singapore
Warning: After you enable the Simple Log Service for WAF feature, logs are stored in the selected region. You cannot change the region. If you want to store logs in another region, release the WAF instance and purchase a new WAF instance. Proceed with caution.
If you select SAU (Riyadh) as your region, the Simple Log Service works only for the WAF instance that is ordered through the virtual network operators located in SAU.
Click Enable Log Service.
Pay-as-you-go WAF instances
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
In the Storage Region drop-down list below Enable Logging for Protected Objects, select the region where you want to store logs.
You can select one of the following regions:
Chinese Mainland: China (Hangzhou) and China (Beijing)
Outside Chinese Mainland: Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), UAE (Dubai), Germany (Frankfurt), US (Virginia), US (Silicon Valley), Japan (Tokyo), South Korea (Seoul), UK (London), and China (Hong Kong)
Warning: After you enable the Simple Log Service for WAF feature, logs are stored in the selected region. You cannot change the region. If you want to store logs in another region, release the WAF instance and purchase a new WAF instance. Proceed with caution.
Click Enable Log Service.
Note: If you use a pay-as-you-go WAF instance, the fees for the Simple Log Service for WAF feature are not included in the bills of WAF. The fees are included in the bills of Simple Log Service.
After you enable the Simple Log Service for WAF feature, the AliyunServiceRoleForWAF service-linked role, a dedicated Simple Log Service project, and a Logstore are automatically created.
AliyunServiceRoleForWaf service-linked role
The service-linked role can be used to access other cloud resources. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose in the left-side navigation pane. For more information about RAM roles, see RAM role overview.
Note: The service-linked role can be created only once.
Dedicated project and Logstore
The following table describes the default settings of the dedicated project and Logstore that are automatically created by Simple Log Service.
Warning: If you delete or modify the dedicated project or Logstore, user data may be cleared. Proceed with caution.
Resource type
Description
Simple Log Service automatically creates a dedicated project for WAF based on the region where your WAF instance resides.
WAF instances in the Chinese mainland:
Project for a pay-as-you-go WAF instance: The project name is wafnew-project-Alibaba Cloud account ID-cn-hangzhou. The project resides in the China (Hangzhou) region.
Project for a subscription WAF instance: The project name is wafng-project-Alibaba Cloud account ID-cn-hangzhou. The project resides in the China (Hangzhou) region.
WAF instances outside the Chinese mainland:
Project for a pay-as-you-go WAF instance: The project name is wafnew-project-Alibaba Cloud account ID-ap-southeast-1. The project resides in the Singapore region.
Project for a subscription WAF instance: The project name is wafng-project-Alibaba Cloud account ID-ap-southeast-1. The project resides in the Singapore region.
To view information about the dedicated project for WAF, log on to the Simple Log Service console and click the name of the project.
For more information about Simple Log Service projects, see Manage projects.
By default, a Logstore is created in the dedicated project. The name of the Logstore is wafnew-logstore. All logs that are delivered from WAF to Simple Log Service are stored in the Logstore. You can view the Logstore in the dedicated project for WAF.
You can write only WAF logs to the Logstore. Simple Log Service API and Simple Log Service SDK are supported. The Logstore does not impose limits on features such as query, statistics, alerting, or streaming data consumption.
Important: You can use the Logstore only if Simple Log Service runs as expected within your Alibaba Cloud account. If your Alibaba Cloud account has overdue payments for Simple Log Service, the log delivery feature of WAF is suspended until you settle the overdue payments.
For more information about Logstores, see Manage a logstore.
What to do next
Enable the log delivery feature
After you enable log service, you must enable the log delivery feature for the protected objects whose logs you want to deliver. Then, WAF delivers the logs of the protected objects to Alibaba Cloud Simple Log Service (SLS). You can query and analyze the delivered logs.
On the Log Service page, you can select the protected objects for which you want to enable the log delivery feature and turn on Status.
You can also click Log Configuration in the upper-right corner of the Log Service page and complete the required settings to enable the log delivery feature for multiple protected objects. For more information, see Manage log delivery status.
Query logs
You can query and analyze the logs of protected objects on the log query tab of the log service page. You can also generate charts and configure alerts based on the query and analysis results. For more information, see Query logs.
Disable log service
Subscription WAF instances
You cannot manually disable log service for a subscription WAF instance. When the subscription WAF instance expires and is no longer renewed, the service is automatically disabled. You can reduce the log storage capacity to reduce costs. For more information, see Upgrade or downgrade a WAF instance.
If your log storage usage reaches the upper limit after you reduce the log storage capacity, WAF logs cannot be written. As a result, logs are incomplete.
Pay-as-you-go WAF instances
If you disable log service for a pay-as-you-go WAF instance, the dedicated logstore and the logs that are stored in the logstore are deleted. Make sure that you no longer use the feature before you disable it.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
In the upper-right corner of the Log Service page, click Disable. In the OK message, click OK.