
Web Application Firewall: Query logs

Last Updated: Mar 31, 2026

Use Log Service to search and analyze the full request logs for your WAF-protected objects. From the query results, you can generate charts, set up alert rules, and save queries for reuse.

Log Service shows all collected request logs for a protected object. To view a summary of security events matched by WAF protection rules, go to Detection and Response > Security Reports instead.

Prerequisites

Before you begin, make sure that:

Query and analyze logs

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. Supported regions: Chinese Mainland and Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Detection and Response > Log Service.

  3. At the top of the Log Service page, select the protected object whose logs you want to query.

    Important

    Make sure the Status switch is turned on for the selected protected object. If log delivery is disabled, WAF stops collecting logs for that object and no logs are available for query or analysis. To enable log delivery, search for the protected object on this page, click its name, and turn on the Status switch. Alternatively, go to Log Configuration > Delivery Settings and manage log delivery in the Status of Delivery to Simple Log Service column. For details, see Manage log delivery status.


  4. Enter a query statement and run it to search and analyze logs.

    1. In the search box (labeled 1 in the figure), enter a search statement. Write the search statement using Simple Log Service search syntax. Use WAF log fields as search fields where needed. For a list of supported log fields, see Log fields. If you're not familiar with the search syntax, click Advanced Search above the search box. Specify search conditions and click Search; the corresponding search statement is generated automatically. The following search conditions are available:

      | Search condition | Description |
      | --- | --- |
      | IP | The IP address of the client that sent the request. |
      | Request ID | The unique identifier WAF assigns to each client request. WAF includes the request ID on block pages and CAPTCHA challenge pages. Use the request ID to investigate and troubleshoot specific requests. |
      | Rule ID | The ID of the WAF protection rule matched by the request. Find rule IDs on the Rule Configuration page, or retrieve them from rule match records on the Security Reports page. For details, see Security reports. |
      | Status Code Returned From Origin Server | The HTTP status code the origin server returned in response to the request forwarded by WAF. |
      | Status Code Returned From WAF | The HTTP status code WAF returned to the client. |
      | Protection Module | The WAF protection module that matched the request. For details on protection modules and configuration, see Protection configuration overview. |

    2. (Optional) To run calculations or statistical operations on the search results, append an analytic statement to the search statement using a vertical bar (|) as the separator. Write the analytic statement in standard SQL-92 syntax. For details, see Log analysis overview.

    3. Use the time picker (labeled 2 in the figure) to set the time range for the query.

    4. Click Search & Analyze (labeled 3 in the figure). The query results appear in the lower part of the page: a log distribution histogram at the top, followed by the Raw Logs, Graph, and LogReduce tabs.

    (Figure: Log query and analysis)
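The query statement from step 4 (search conditions, then an optional analytic statement after a vertical bar), composed programmatically with input validation. This is an added example, not Alibaba Cloud's code and not part of the original page. The field names in `FIELDS`, the token pattern, and the sample values are assumptions; confirm them against the Log fields reference.

```python
import ipaddress
import re

# Assumed mapping from this page's Advanced Search conditions to WAF log field
# names. The names are not listed on this page: check the Log fields reference.
FIELDS = {
    "ip": "real_client_ip",
    "request_id": "request_traceid",
    "rule_id": "final_rule_id",
    "origin_status": "upstream_status",
    "waf_status": "status",
    "module": "final_plugin",
}
_TOKEN = re.compile(r"[A-Za-z0-9_-]+")  # assumed shape of IDs and module names


def _term(cond, value):
    """Render one 'field: value' term, rejecting values that could alter it."""
    text = str(value).strip()
    if cond == "ip":
        text = str(ipaddress.ip_address(text))  # ValueError if not an IP
    elif cond in ("origin_status", "waf_status"):
        code = int(text)  # ValueError if not a number
        if not 100 <= code <= 599:
            raise ValueError(f"not an HTTP status code: {code}")
        return f"{FIELDS[cond]}: {code}"
    elif not _TOKEN.fullmatch(text):
        raise ValueError(f"unexpected characters in {cond}: {text!r}")
    return f'{FIELDS[cond]}: "{text}"'


def search_statement(**conditions):
    """AND the given conditions together; '*' matches every log."""
    unknown = set(conditions) - set(FIELDS)
    if unknown:
        raise KeyError(f"unknown search condition: {sorted(unknown)}")
    return " and ".join(_term(c, v) for c, v in conditions.items()) or "*"


def query(analytic=None, **conditions):
    """Append an optional SQL analytic statement after the vertical bar."""
    search = search_statement(**conditions)
    return f"{search} | {analytic}" if analytic else search


if __name__ == "__main__":
    # Constructed sample values: top client IPs matched by one module.
    print(query("SELECT real_client_ip, COUNT(*) AS hits FROM log "
                "GROUP BY real_client_ip ORDER BY hits DESC LIMIT 10",
                module="waf", waf_status=405))
```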

Explore query results

After running a query, use the results page to investigate logs, build charts, and set up alerts. The sections below describe the available tools.

Page overview


Histogram


The histogram shows log distribution over the queried time range. Each green rectangle represents a time interval.

  • Hover over a rectangle to see the time interval and the number of returned logs within it.

  • Double-click a rectangle to zoom into that time interval for a finer-grained view. The Raw Logs tab updates to show only logs within the selected interval.

Raw Logs

Log details

| Action | Description |
| --- | --- |
| Table / Raw Data | Switch between table view and raw log view. |
| (icon) > Download Log | Download the current log results to your computer. For details, see Download logs. |
| (icon) > JSON Configurations | Set the display type and expansion level for JSON fields. |
| (icon) > Event Settings | Configure events for raw logs. For details, see Event settings. |
| (icon) | Copy the log content. |
| (icon) | Label specific information or query error information in the log. This icon also provides copilot assistance. |
| (icon) | View context information for a specific log entry in the raw log file. Available only for logs collected by Logtail. For details, see Contextual query. |
| LiveTail | Monitor log content in real time and extract key log information. Available only for logs collected by Logtail. For details, see LiveTail. |

Displayed fields


Displayed fields appear in the log content panel on the right. Customize which fields are shown depending on the type of analysis you're performing — for example, focus on IP and rule ID when investigating potential attacks, or on status codes when troubleshooting origin errors.

| Action | Description |
| --- | --- |
| Hover over a field > click (icon) | Remove the field from Displayed Fields. The field no longer appears in the log content panel. |
| (icon) | Save the current field view to your favorites. Select saved views from the drop-down list above the field panel. |
| (icon) > Tag Settings | Add fields as system tags. |
| (icon) > Alias | Replace field names with aliases. Fields without an alias retain their original names. For details on setting aliases, see Create indexes. |

Indexed fields

| Action | Description |
| --- | --- |
| Hover over a field > click (icon) | Add the field to Displayed Fields so it appears in the log content panel. |
| (icon) | View field details, including Basic Distribution and Statistical Metrics. For details, see Field settings. |

Graph


Simple Log Service renders the query results as charts — tables, line charts, column charts, and more. For a full list of chart types, see Charts.

Additional actions on the Graph tab:

| Action | Description |
| --- | --- |
| Add to New Dashboard | Save the current chart to a dashboard for ongoing monitoring. For details, see Overview of visualization. |
| Save as Scheduled SQL Job | Run this analysis automatically on a schedule and aggregate or store the results. For details, see How Scheduled SQL works. |
| Interaction Occurrences | Drill down into specific data dimensions for more granular analysis. For details, see Configure an interaction occurrence for a dashboard to perform drill-down analysis. |

LogReduce


Click Enable LogReduce to cluster similar logs during log collection. For details, see LogReduce.

SQL Enhancement


Click the Dedicated SQL icon in the upper-right corner to enable Dedicated SQL. Standard SQL may not be able to process all data in a single query when the dataset is large or covers a long time range. Dedicated SQL increases the available computing resources and the amount of data that can be analyzed per query. For details, see Enable Dedicated SQL.

Alerting


Click the Save as Alert icon in the upper-right corner to configure an alert rule based on the current query. For details, see Configure an alert rule in Simple Log Service.

Saved search


Click the Saved Search icon in the upper-right corner to save the current query statement as a saved search for quick reuse. For details, see Saved search.

Sharing


Click the share icon in the upper-right corner to copy a shareable link to the current page. For details, see Embed console pages and share log data.