WAF log service supports two levels of field configuration: default field settings that apply globally to all protected objects, and per-object delivery settings that override the defaults for a specific protected object. Use default field settings when you want a consistent baseline across all objects. Use per-object delivery settings when you need different fields or delivery targets for individual objects.
Prerequisites
Before you begin, ensure that you have:
Enabled the log service for your Web Application Firewall (WAF) instance
(For external delivery) A WAF 3.0 Enterprise or Ultimate subscription with at least one protected object in hybrid cloud mode
Default field settings
Default field settings define which log fields and log types are collected for all protected objects. Any protected object without a per-object delivery configuration inherits these settings.
To open the default field settings, go to Detection and Response > Log Service, click Log Configuration in the upper-right corner, and select the Default Field Settings tab.
| Parameter | Description |
|---|---|
| Required fields | Always included in WAF logs. Cannot be edited. See Required log fields. |
| Optional fields | Included only when enabled. Enabling more optional fields increases log storage usage. See Optional log fields. |
| Log type | Select one or more log types to collect. For each selected log type, set a sampling ratio between 1% and 100%. The sampling ratio controls what percentage of matching requests are recorded. |
The three log types are:
Block Log: Records requests blocked before reaching the origin server due to security policies, including Block, JS validation, slider verification, and dynamic token protection.
Detection Logs: Records requests that trigger observation rules only.
Normal Request Logs: Records normal requests only. Requests that pass JS validation, slider verification, and dynamic token verification are also recorded as normal request logs.
For comprehensive auditing and in-depth analysis, select all log storage options to record full logs.
After you complete the configuration, click Save. The Operation Successful message confirms that the settings are applied globally to all protected objects.
Delivery settings
Delivery settings let you configure log fields and delivery targets for a specific protected object. When configured, these settings take priority over the default field settings for that object.
WAF supports two delivery destinations:
Simple Log Service (SLS): Available for all protected objects
External delivery (Kafka or SYSLOG): Available only for protected objects in hybrid cloud mode on WAF 3.0 Enterprise or Ultimate
Enable or disable SLS delivery
Log on to the WAF 3.0 console. In the top menu bar, select the resource group and region of your WAF instance (Chinese Mainland or Outside Chinese Mainland).
Go to Detection and Response > Log Service.
Click Log Configuration in the upper-right corner, then select the Delivery Settings tab.
In the Status of Delivery to Simple Log Service column, click the switch for the target protected object. A switch that is on indicates that delivery is enabled.
To enable or disable delivery for multiple objects at once, select the protected objects and click Enable Delivery to Simple Log Service or Disable Delivery to Simple Log Service.
Configure SLS delivery fields
On the Delivery Settings tab, click Field Settings in the Field of Delivery to Simple Log Service column for the target protected object. Configure the optional fields, then click OK. The "The operation is successful." message confirms that the settings are applied to that protected object.
Configure external delivery
Only protected objects in hybrid cloud mode support external delivery.
Before enabling external delivery for a protected object, add an external delivery configuration:
On the Delivery Settings tab, click Delivery Configurations to open the configuration panel.
If no existing configuration meets your needs, click Configure External Delivery and select a configuration type: SYSLOG or KAFKA.
Complete the configuration using the parameters in the following tables.
SYSLOG configuration
| Parameter | Description |
|---|---|
| Configuration type | Select SYSLOG. |
| Configuration name | Enter a name for this configuration. |
| Server IP/Port | Enter the public IPv4 address and port of the server that receives WAF logs. |
| RFC | Select the RFC definition used by your log management system: RFC 3164 or RFC 5424. |
| Protocol | Select TCP or UDP. TCP is suitable for centralized log systems that require reliable delivery with retransmission support. UDP is suitable for high-volume, lower-priority log data where speed takes precedence over delivery guarantees. |
Kafka configuration
| Parameter | Description |
|---|---|
| Configuration type | Select KAFKA. |
| Configuration name | Enter a name for this configuration. |
| TOPIC ID/Name | Enter the name of the destination Kafka topic. |
| Domain | Enter the cluster endpoint of your Kafka instance. The endpoint can be a domain name and port, or an IP address and port. Separate multiple endpoints with commas. Example: kafka.aliyuncs.com:9093,127.0.0.1:9093,kafka2.aliyuncs.com:9093 |
| Access protocol | Select the security protocol for your Kafka cluster: PLAINTEXT, SASL_PLAINTEXT, or SASL_SSL. |
| SASL username | Required for SASL_PLAINTEXT and SASL_SSL. Enter the username for your Kafka cluster. |
| SASL password | Required for SASL_PLAINTEXT and SASL_SSL. Enter the password for your Kafka cluster. |
| Compression type | Select a compression type: gzip, zstd, lz4, snappy, or none. |
| Custom CA | Required for SASL_SSL. Enter the CA certificate content. The certificate must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----. |
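The following added example (not part of the WAF product or its API) checks a planned Kafka delivery configuration against the rules in the table above before you enter it in the console. The dictionary keys (`topic`, `domain`, `protocol`, `sasl_username`, `sasl_password`, `compression`, `custom_ca`) are hypothetical names that mirror the table rows, and the sample values are constructed.

```python
import re

# Allowed values are copied from the Kafka configuration table above.
PROTOCOLS = {"PLAINTEXT", "SASL_PLAINTEXT", "SASL_SSL"}
COMPRESSION = {"gzip", "zstd", "lz4", "snappy", "none"}
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
ENDPOINT_RE = re.compile(r"(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})")


def check_kafka_delivery(cfg):
    """Return (errors, warnings) for a dict whose keys are hypothetical names."""
    errors, warnings = [], []
    if not cfg.get("topic"):
        errors.append("topic: empty")
    # Domain: comma-separated host:port or ip:port endpoints.
    endpoints = [e.strip() for e in cfg.get("domain", "").split(",") if e.strip()]
    if not endpoints:
        errors.append("domain: no endpoint given")
    for ep in endpoints:
        m = ENDPOINT_RE.fullmatch(ep)
        if not m or not 1 <= int(m["port"]) <= 65535:
            errors.append(f"domain: {ep!r} is not host:port")
    proto = cfg.get("protocol")
    if proto not in PROTOCOLS:
        errors.append(f"protocol: {proto!r} not supported")
    if cfg.get("compression", "none") not in COMPRESSION:
        errors.append("compression: unsupported type")
    # SASL credentials are required for both SASL protocols.
    if proto in ("SASL_PLAINTEXT", "SASL_SSL"):
        for key in ("sasl_username", "sasl_password"):
            if not cfg.get(key):
                errors.append(f"{key}: required for {proto}")
    if proto == "SASL_SSL":
        ca = cfg.get("custom_ca", "").strip()
        if not (ca.startswith(PEM_BEGIN) and ca.endswith(PEM_END)):
            errors.append("custom_ca: must start and end with the PEM markers")
    elif proto in PROTOCOLS:
        # PLAINTEXT and SASL_PLAINTEXT carry the log stream without TLS.
        warnings.append(f"protocol: {proto} sends WAF logs without TLS")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: SASL protocol chosen but no password, endpoint lacks a port.
    sample = {"topic": "waf-logs", "domain": "kafka.example.internal",
              "protocol": "SASL_PLAINTEXT", "sasl_username": "waf"}
    print(check_kafka_delivery(sample))
```

Errors correspond to values the table marks as required or restricted; warnings flag a valid but unencrypted transport choice.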
Enable or disable external delivery
After adding an external delivery configuration, find the protected object on the Delivery Settings tab. Click the switch in the Status of External Delivery column. In the dialog box that appears, select a delivery configuration. A switch that is on indicates that external delivery is enabled.
To enable or disable external delivery for multiple objects at once, select the protected objects and use the Batch Manage bar at the bottom of the list to click Enable External Delivery or Disable External Delivery.
Configure external delivery fields
Only protected objects in hybrid cloud mode support external delivery.
On the Delivery Settings tab, click Field Settings in the Field of External Delivery column for the target protected object. Configure the optional fields and storage type, then click OK. The "The operation is successful." message confirms that the settings are applied to that protected object.
What's next
Fields in logs: View the full list of required and optional log fields with descriptions.