Simple Log Service for WAF collects and stores access logs and protection logs from your WAF-protected objects—domain names and cloud service instances—so your security team can investigate threats, monitor trends, and meet compliance requirements without managing a separate logging infrastructure.
With this feature enabled, you can:
Query and analyze log data with query statements
Configure charts and alert rules to monitor service health in real time
Deliver log data to downstream systems for further analysis or long-term storage
Intended users
Large-scale enterprises and organizations that have log storage requirements, such as financial entities and public service sectors. The logs include host, network, and security logs of various cloud assets.
Organizations that have security operations centers (SOCs) and want to collect and manage security and alert logs in a centralized manner, such as public service sectors and large-scale companies in the real estate, e-commerce, and finance industries.
Enterprises that have advanced technologies and require in-depth log analysis and automated alert handling, such as companies in the IT, gaming, and finance industries.
Users who need to trace business security events and generate weekly, monthly, and yearly reports, or users who need to meet Multi-Level Protection Scheme (MLPS) requirements (level 3 or higher).
Use cases
Threat investigation: Trace web attack logs back to the source of security threats.
Request monitoring: View requests and track their status and trends over time.
Security operations: Get visibility into the effect of your security rules and act on exceptions quickly.
Log delivery: Send security network logs to user-managed data and computing centers.
Benefits
Compliance audits: Store website access logs for more than six months to meet Multi-Level Protection Scheme (MLPS) requirements.
Flexible configuration: Enable log collection for individual protected objects, choose which log fields and log types to store, and customize report templates to match your business or security needs.
Real-time log analysis: Use the built-in report center and interactive data mining to identify and analyze attacks and access patterns—no additional setup required.
Real-time alerting: Define monitoring and alert rules based on specific metrics so you can respond to exceptions in critical services quickly.
Collaboration: Feed log data into real-time computing, cloud storage, or visualization tools to unlock further value from your data.
Billing
Simple Log Service for WAF is disabled by default. Enable it before use. For more information, see Enable or disable log service.
| Billing method | How charges work |
|---|---|
| Subscription | Charged based on the log storage capacity you specify upfront. |
| Pay-as-you-go | Fees appear in your Simple Log Service bill only. For rate details, see Pay-by-feature billing. |
Features
| Feature | Description |
|---|---|
| Log configuration | Enable log collection per protected object. WAF only collects and stores logs for objects where log collection is enabled. Configure which log fields to include and which log type to store: Normal Request Logs, Detection Logs, or Block Log. For field details, see Fields in logs. For configuration steps, see Configure log settings and manage log storage capacity. |
| Log query | Write query statements to search and analyze collected logs. Create alert rules on top of query results—Simple Log Service evaluates them on a schedule and sends alert notifications when a trigger condition is met. For query steps, see Query logs. For alert setup, see Quickly set up log-based alerting. |
| Log storage capacity upgrade | Upgrade storage capacity before it reaches the limit. If the Logstore is full and you have not upgraded, new WAF logs will fail to write. For upgrade steps, see Upgrade log storage capacity. For recovery steps when capacity is exhausted, see What do I do if log storage capacity is exhausted? |
| Log retention period configuration | Set a log retention period based on your business, compliance, cost, and performance requirements. A shorter retention period reduces storage costs. |