Web Application Firewall (WAF) provides the Simple Log Service for WAF feature. By default, the feature is disabled. You can enable the feature to store, query, and analyze the logs of protected objects. If you no longer use the feature in a subscription WAF instance, you cannot disable the feature before the instance expires, but you can reduce the log storage capacity to reduce costs. If you use a pay-as-you-go WAF instance in this case, you can disable the feature at any time.
Enable the Simple Log Service for WAF feature
Prerequisites
A subscription WAF 3.0 instance of the Pro, Enterprise or Ultimate edition is purchased, or a pay-as-you-go WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
You cannot enable the Simple Log Service for WAF feature for a subscription WAF 3.0 instance of the Basic edition. If you use a subscription WAF 3.0 instance of the Basic edition and want to use the Simple Log Service for WAF feature, we recommend that you upgrade the edition of your instance. For more information, see Upgrade or downgrade a WAF instance.
Subscription WAF instances
Enable the feature on the WAF buy page
On the Web Application Firewall 3.0 (Subscription) buy page, set the Log Service parameter to Enable and specify a log storage capacity based on your business requirements.
Enable the feature in the WAF console
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
In the Simple Log Service Storage Region drop-down list below Enable the Log Service for WAF feature for the protected object, select the region where you want to store logs.
You can select one of the following regions:
Chinese Mainland: China (Hangzhou) and China (Beijing)
Outside Chinese Mainland: Australia (Sydney) Closing Down, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), UAE (Dubai), Germany (Frankfurt), US (Virginia), US (Silicon Valley), Japan (Tokyo), South Korea (Seoul), UK (London), and China (Hong Kong)
WarningAfter you enable the Simple Log Service for WAF feature, logs are stored in the selected region. You cannot change the region. If you want to store logs in another region, release the WAF instance and purchase a new WAF instance. Proceed with caution.
Click Enable Log Service for WAF.
Pay-as-you-go WAF instances
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
In the Simple Log Service Storage Region drop-down list below Enable the Log Service for WAF feature for the protected object, select the region where you want to store logs.
You can select one of the following regions:
Chinese Mainland: China (Hangzhou) and China (Beijing)
Outside Chinese Mainland: Australia (Sydney) Closing Down, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), UAE (Dubai), Germany (Frankfurt), US (Virginia), US (Silicon Valley), Japan (Tokyo), South Korea (Seoul), UK (London), and China (Hong Kong)
WarningAfter you enable the Simple Log Service for WAF feature, logs are stored in the selected region. You cannot change the region. If you want to store logs in another region, release the WAF instance and purchase a new WAF instance. Proceed with caution.
Click Enable Log Service for WAF.
NoteIf you use a pay-as-you-go WAF instance, the fees for the Simple Log Service for WAF feature are not included in the bills of WAF. The fees are included in the bills of Simple Log Service.
After you enable the Simple Log Service for WAF feature, the AliyunServiceRoleForWAF service-linked role, a dedicated Simple Log Service project, and a Logstore are automatically created.
AliyunServiceRoleForWAF service-linked role
The service-linked role can be used to access other cloud resources. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose in the left-side navigation pane. For more information about RAM roles, see RAM role overview.
NoteThe service-linked role can be created only once.
Dedicated project and Logstore
The following table describes the default settings of the dedicated project and Logstore that are automatically created by Simple Log Service.
WarningIf you delete or modify the dedicated project or Logstore, user data may be cleared. Proceed with caution.
Resource type
Description
Simple Log Service automatically creates a dedicated project for WAF based on the region where your WAF instance resides.
WAF instances in the Chinese mainland:
Project for a pay-as-you-go WAF instance: The project name is
wafnew-project-Alibaba Cloud account ID-cn-hangzhou
. The project resides in the China (Hangzhou) region.Project for a subscription WAF instance: The project name is
wafng-project-Alibaba Cloud account ID-cn-hangzhou
. The project resides in the China (Hangzhou) region.
WAF instances outside the Chinese mainland:
Project for a pay-as-you-go WAF instance: The project name is
wafnew-project-Alibaba Cloud account ID-ap-southeast-1
. The project resides in the Singapore region.Project for a subscription WAF instance: The project name is
wafng-project-Alibaba Cloud account ID-ap-southeast-1
. The project resides in the Singapore region.
To view information about the dedicated project for WAF, log on to the Simple Log Service console and click the name of the project.
For more information about Simple Log Service projects, see Manage a project.
By default, a Logstore is created in the dedicated project. The name of the Logstore is
wafnew-logstore
. All logs that are delivered from WAF to Simple Log Service are stored in the Logstore. You can view the Logstore in the dedicated project for WAF.You can write only WAF logs to the Logstore. Simple Log Service API and Simple Log Service SDK are supported. The Logstore does not impose limits on features such as query, statistics, alerting, or streaming data consumption.
ImportantYou can use the Logstore only if Simple Log Service runs as expected within your Alibaba Cloud account. If your Alibaba Cloud account has overdue payments for Simple Log Service, the log delivery feature of WAF is suspended until you settle the overdue payments.
For more information about Logstores, see Manage a Logstore.
What to do next
Enable the log delivery feature
After you enable the Simple Log Service for WAF feature, you must enable the log delivery feature for the protected objects whose logs you want to deliver. Then, WAF delivers the logs of the protected objects to Simple Log Service. You can query and analyze the delivered logs.
On the Log Service page, you can select the protected objects for which you want to enable the log delivery feature and turn on Status.
You can also click Log Configuration in the upper-right corner of the Log Service page and complete the required settings to enable the log delivery feature for multiple protected objects. For more information, see Manage log delivery status.
Query logs
You can query and analyze the logs of protected objects on the Log Query tab of the Log Service page. You can also generate charts and configure alerts based on the query and analysis results. For more information, see Query logs.
Disable the Simple Log Service for WAF feature
Subscription WAF instances
You cannot manually disable the Simple Log Service for WAF feature for a subscription WAF instance. When the subscription WAF instance expires and is no longer renewed, the feature is automatically disabled. You can reduce the log storage capacity to reduce costs. For more information, see Upgrade or downgrade a WAF instance.
If your log storage usage reaches the upper limit after you reduce the log storage capacity, WAF logs cannot be written. As a result, logs are incomplete.
Pay-as-you-go WAF instances
If you disable the Simple Log Service for WAF feature for a pay-as-you-go WAF instance, the dedicated Logstore and the logs that are stored in the Logstore are deleted. Make sure that you no longer use the feature before you disable the feature.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
In the upper-right corner of the Log Service page, click Disable. In the OK message, click OK.