After you enable Log Service for Web Application Firewall (WAF), you can set default log fields that apply to all protected objects or customize fields for specific objects. This topic describes how to use both default and object-level field configurations to manage your WAF logs.
Default field settings
Default field settings allow you to define a baseline for log fields. These settings are automatically applied to all protected objects and log delivery tasks. In the left-side navigation pane, choose . Click Log Configuration and go to the Default Field Settings tab to configure the following parameters.
Parameter | Description |
Required Fields | Required fields are always included in WAF logs. You cannot edit them. For more information, see Required log fields. |
Optional Fields | You can select which optional fields to include in your WAF logs. WAF records only the optional fields that you enable. For more information, see Optional log fields. Note: Enabling more optional fields increases your log storage usage. If you have sufficient storage capacity, we recommend enabling more fields for comprehensive analysis. |
Log Type | The log type configuration allows you to select multiple log types and a sampling ratio. The sampling ratio determines the percentage of log entries that are collected for storage and analysis. You can set the sampling ratio from 1% to 100% after selecting a log type. The available log type options are: Note: For comprehensive auditing and analysis, we recommend selecting all log types. |
After you configure the parameters, click Save. When the message "The operation is successful." appears, the configuration is applied globally. To modify the settings, return to the Default Field Settings tab, make your changes, and click Save.
Delivery settings
Delivery settings allow you to configure log fields and log types for individual protected objects. These object-specific settings override the default field settings.
If you subscribe to WAF 3.0 Enterprise or Ultimate and add a protected object in a hybrid cloud deployment, you can also deliver the object's logs to an external destination, such as Kafka or SYSLOG.
SLS delivery status
You can enable or disable log delivery to Simple Log Service (SLS) for a protected object. To do this, follow these steps:
Log on to the Web Application Firewall 3.0 console. In the top menu bar, select the resource group and the region (Chinese Mainland or Outside Chinese Mainland) of your WAF instance.
In the left-side navigation pane, choose .
To enable or disable log delivery, go to the Log Service page, click Log Configuration in the upper-right corner, and select the Delivery Settings tab. The switch in the Status of Delivery to Simple Log Service column indicates the current status. An enabled switch means delivery is active.
You can also perform this operation in bulk. Select multiple protected objects and click Enable Delivery to Simple Log Service or Disable Delivery to Simple Log Service.
SLS delivery fields
In the left-side navigation pane, choose . Click Log Configuration and go to the Delivery Settings tab. In the row of the target protected object, click Field Settings in the Field of Delivery to Simple Log Service column. Configure the parameters as described in the field settings table. After you finish, click OK. When the message "The operation is successful." appears, the settings are applied to the selected protected object.
External delivery status for hybrid cloud
For protected objects in a hybrid cloud deployment, you can configure external delivery to send logs from multiple sources to a unified platform for centralized management, monitoring, and analysis. WAF supports external delivery of hybrid cloud logs to SYSLOG and Kafka. For detailed instructions, see Manage external delivery configurations.
External delivery fields for hybrid cloud
For protected objects in a hybrid cloud deployment, you can configure the Optional Fields and log type for external delivery. For detailed instructions, see Configure external delivery fields.