After enabling the log service for Web Application Firewall (WAF), you can use default configurations for log fields or customize the configurations for specific protected objects. This topic describes how to use default and object-level field configurations to flexibly and centrally manage mitigation logs for your protected objects.
Default field settings
Default field settings allow you to predefine the log fields for delivery. After you complete the configuration, the settings are automatically applied to all protected objects and log delivery tasks. To configure the default fields, in the navigation pane on the left, choose . On the page that appears, click Log Configuration and go to the Default Field Settings tab.
Parameter | Description |
Required Fields | Required fields are always included in WAF logs. You cannot edit the required fields. For more information about the fields, see Required log fields. |
Optional Fields | You can manually select whether to include these fields in WAF logs. WAF logs record only the optional fields that you enable. For more information about the fields, see Optional log fields. Note: Enabling more optional fields increases the log storage capacity that you use. If you have sufficient log storage capacity, enable more optional fields for more comprehensive log analysis. |
Log Type | The Log Type configuration lets you select multiple log types and sampling ratios. The sampling ratio is the percentage of generated log entries that are selected and collected for storage and analysis. After selecting a Log Type, you can select a sampling ratio from 1% to 100%. The three Log Type options are described as follows:
Note: If your business requires comprehensive auditing and in-depth analysis, select all log storage options to record full logs. |
After you configure the default fields, click Save. If the Operation Successful message appears, the configuration is applied globally. To change the default field configuration, return to the Default Field Settings tab, modify the configuration, and then save it.
Delivery settings
Delivery settings allow you to perform fine-grained configuration of log fields and storage types for a single protected object. If you configure specific fields and log storage types for a protected object, these settings take priority over the default field settings.
If you subscribe to WAF 3.0 Enterprise or Ultimate and add a protected object in hybrid cloud mode, you can also deliver logs for that object to an external destination using Kafka or SYSLOG.
Set SLS delivery status
You can enable or disable log delivery for a protected object in the delivery settings. Follow these steps:
Log on to the WAF 3.0 console. In the top menu bar, select the resource group and region of your WAF instance (Chinese Mainland or Outside Chinese Mainland).
In the navigation pane on the left, choose .
On the Log Service page, click Log Configuration in the upper-right corner. On the Delivery Settings tab, click the switch in the Status of Delivery to Simple Log Service column to enable or disable log delivery. A switch that is on indicates that delivery is enabled.
You can perform batch operations. To do this, select the protected objects that you want to manage and then click Enable Delivery to Simple Log Service or Disable Delivery to Simple Log Service.
Set SLS delivery fields
To set the SLS delivery fields, in the navigation pane on the left, choose . On the page that appears, click Log Configuration. On the Delivery Settings tab, click Field Settings in the Field of Delivery to Simple Log Service column for the target protected object. Configure the items as described in the field settings table. After you complete the configuration, click OK. If the message "The operation is successful." appears, the configuration is applied to the protected object.
Set external delivery status
Only protected objects in hybrid cloud mode support external log delivery.
Before delivering logs to an external destination, you must add an external delivery configuration. To do this, in the navigation pane on the left, choose . Click Log Configuration. On the Delivery Settings tab, click Delivery Configurations to view the existing configurations in the panel that appears on the right. If the current configurations do not meet your needs, click Configure External Delivery. Then, select a configuration type and complete the configuration as described in the following tables.
SYSLOG configuration
Parameter | Description |
Configuration type | Select SYSLOG. |
Configuration name | Enter a name for this configuration. |
Server IP/Port | Enter the public IPv4 address and the port of the server that receives WAF logs. |
RFC | WAF supports two RFC definitions: RFC 3164 and RFC 5424. Enter the RFC that is consistent with your log management system. |
Protocol | TCP and UDP are supported. The choice between TCP and UDP depends on your requirements for reliability, performance, and management of log data transmission. For most centralized log systems, especially those that support retransmission and marking lost data, TCP is a common choice. UDP is typically used when you need to quickly process large volumes of less critical log data. |
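To confirm that the RFC selected in the table above matches what the receiving system actually gets, the collector side can classify each incoming message as RFC 3164 or RFC 5424 and decode its PRI value. The following Python is an added example, not code from the WAF documentation; the sample messages, host name and JSON body are constructed placeholders, and `matches_setting` is a hypothetical helper name.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d?) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG (day is space-padded)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)

def parse_syslog(line):
    """Classify one received message and decode its PRI value."""
    for fmt, rx in (("RFC 5424", RFC5424), ("RFC 3164", RFC3164)):
        m = rx.match(line)
        if m is None:
            continue
        pri = int(m.group("pri"))
        if pri > 191:  # facility is 0-23 and severity is 0-7
            raise ValueError(f"PRI {pri} out of range")
        return {"format": fmt, "facility": pri >> 3, "severity": pri & 7,
                "host": m.group("host"), "msg": m.group("msg") or ""}
    raise ValueError("neither RFC 3164 nor RFC 5424")

def matches_setting(line, configured_rfc):
    """True when the message format equals the RFC chosen in the console."""
    return parse_syslog(line)["format"] == configured_rfc

# Constructed samples; the JSON body is a placeholder, not WAF's real payload.
SAMPLE_3164 = '<134>Oct 11 22:14:15 waf-node-1 waf: {"sample":"payload"}'
SAMPLE_5424 = ('<134>1 2024-10-11T22:14:15.003Z waf-node-1 waf - - - '
               '{"sample":"payload"}')

if __name__ == "__main__":
    for sample in (SAMPLE_3164, SAMPLE_5424):
        print(parse_syslog(sample))
```
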
KAFKA configuration
Parameter | Description |
Configuration type | Select KAFKA. |
Configuration name | Enter a name for this configuration. |
TOPIC ID/Name | Enter the name of the destination TOPIC. |
Domain | Enter the cluster endpoint of your KAFKA instance. Note: The cluster endpoint can be a domain name and port or an IP address and port. Separate multiple IP addresses or domain names with commas (,). Example: kafka.aliyuncs.com:9093,127.0.0.1:9093,kafka2.aliyuncs.com:9093. |
Access protocol | Three security options are supported: PLAINTEXT, SASL_PLAINTEXT, and SASL_SSL. Select an option based on the security configuration of your KAFKA cluster. |
SASL username | If the access protocol is SASL_PLAINTEXT or SASL_SSL, identity verification is required. Enter the username for your KAFKA cluster. |
SASL password | If the access protocol is SASL_PLAINTEXT or SASL_SSL, identity verification is required. Enter the password for your KAFKA cluster. |
Compression type | Four compression types are supported: gzip, zstd, lz4, and snappy. If you do not need to compress data, select none. |
Custom CA | If the access protocol is SASL_SSL, you must enter a certificate. Enter your certificate content. Note: The certificate must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----. |
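The rules in the KAFKA table can be checked before the values are typed into the console. The following Python is an added example, not part of the WAF product or its documentation: it validates the endpoint list, the SASL and CA requirements for each access protocol, and the compression type, and it warns when the chosen protocol carries logs without TLS. The dictionary keys are hypothetical names for the console's form fields, and the topic, credentials and certificate body are constructed.

```python
import re

PROTOCOLS = ("PLAINTEXT", "SASL_PLAINTEXT", "SASL_SSL")
COMPRESSION = ("none", "gzip", "zstd", "lz4", "snappy")
ENDPOINT = re.compile(r"^[A-Za-z0-9.-]+:(\d{1,5})$")
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

def check_kafka_delivery(cfg):
    """Check a dict of KAFKA table values; return (errors, warnings)."""
    errors, warnings = [], []
    if not cfg.get("topic"):
        errors.append("topic: destination topic is empty")
    # Domain: comma-separated host:port or ip:port entries.
    for ep in (e.strip() for e in cfg.get("domain", "").split(",")):
        m = ENDPOINT.match(ep)
        if m is None or not 1 <= int(m.group(1)) <= 65535:
            errors.append(f"domain: {ep!r} is not host:port")
    proto = cfg.get("access_protocol")
    if proto not in PROTOCOLS:
        errors.append(f"access_protocol: {proto!r} is not supported")
    if proto in ("SASL_PLAINTEXT", "SASL_SSL"):
        for key in ("sasl_username", "sasl_password"):
            if not cfg.get(key):
                errors.append(f"{key}: required for {proto}")
    if proto == "SASL_SSL":
        ca = cfg.get("custom_ca", "").strip()
        if not (ca.startswith(PEM_BEGIN) and ca.endswith(PEM_END)):
            errors.append("custom_ca: PEM BEGIN/END CERTIFICATE markers missing")
    elif proto in ("PLAINTEXT", "SASL_PLAINTEXT"):
        # Neither option uses TLS, so WAF logs cross the network unencrypted.
        warnings.append(f"access_protocol: {proto} sends logs without TLS")
    if cfg.get("compression", "none") not in COMPRESSION:
        errors.append("compression: not one of " + ", ".join(COMPRESSION))
    return errors, warnings

# Constructed input with hypothetical keys; only the endpoint list is the page's example.
SAMPLE = {
    "topic": "waf-logs",
    "domain": "kafka.aliyuncs.com:9093,127.0.0.1:9093,kafka2.aliyuncs.com:9093",
    "access_protocol": "SASL_SSL",
    "sasl_username": "waf-writer",
    "sasl_password": "example-only",
    "compression": "zstd",
    "custom_ca": PEM_BEGIN + "\nPLACEHOLDER\n" + PEM_END,
}

if __name__ == "__main__":
    print(check_kafka_delivery(SAMPLE))
```
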
If an external delivery configuration that meets your needs already exists, find the protected object on the Delivery Settings tab. Click the switch in the Status of External Delivery column. A switch that is on indicates that delivery is enabled. In the dialog box that appears, select a delivery configuration.
To perform a batch operation, select multiple protected objects. Then, in the Batch Manage bar at the bottom of the list, click Enable External Delivery or Disable External Delivery.
Set external delivery fields
Only protected objects in hybrid cloud mode support external log delivery.
The external delivery field settings allow you to define the Optional Fields and Storage Type for logs that are delivered externally. To configure these settings, in the navigation pane on the left, choose . Click Log Configuration. On the Delivery Settings tab, click Field Settings in the Field of External Delivery column for the target protected object. Configure the items as described in the field settings table. After you complete the configuration, click OK. If the message "The operation is successful." appears, the configuration is applied to the protected object.