You can use Simple Log Service to configure custom monitoring charts and alerts for the protected objects of Web Application Firewall (WAF). This way, you can obtain the overall traffic and security status of your services. This topic describes how to use Simple Log Service to configure monitoring and alerting for WAF.
Prerequisites
Web services are added to WAF on the Website Configuration page. For more information, see Website configuration overview.
Simple Log Service is enabled for a WAF instance. For more information, see Enable or disable Simple Log Service for WAF.
After you enable Simple Log Service for a WAF instance, Simple Log Service automatically creates a project and a Logstore for the WAF instance. The logs of specific protected objects are stored in the Logstore. You can configure monitoring and alerting for WAF in the Simple Log Service console.
Procedure
In the WAF console, enable the log collection feature for protected objects.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.
In the left-side navigation pane, choose .
In the upper part of the Log Service page, select a protected object whose logs you want to view and turn on Status to enable the log collection feature for the protected object.
After you turn on Status, the log collection feature takes effect for the protected object within a few minutes.
In the Simple Log Service console, configure alerts.
Create a log analysis dashboard.
Log on to the Simple Log Service console.
In the Projects section, find the project that you want to manage and click the name of the project.
Enter an SQL statement and click Search & Analyze. For more information, see Step 4.
NoteFor information about the SQL statements that are used to query and analyze logs, see Query statements.
On the Graph tab, click Add to New Dashboard.
In the Add to New Dashboard dialog box, configure the parameters and click OK. The following table describes the parameters.
Parameter
Description
Operation
Select Create Dashboard.
Layout Mode
Select a layout mode for the new dashboard.
Dashboard Name
Enter a name for the dashboard.
After you create a dashboard, you are redirected to the new dashboard. By default, the dashboard contains the chart that is generated when you execute the SQL statement that you entered in Step iii. You can modify the chart or create more charts on the dashboard.
Configure a log chart.
In the left-side navigation pane of the Simple Log Service console, choose
.In the upper-right corner of the dashboard page, click Edit.
In edit mode, you can modify or delete the charts on the dashboard. You can also create a new chart by copying a chart.
NoteYou can copy a chart to create a new chart. Then, you can modify the new chart. You can add multiple charts to a dashboard. This way, you can view the data of your services and configure alerts based on your business requirements.
Copy a chart to create a new chart.
Find the chart that you want to copy, move the pointer over the icon in the upper-right corner of the chart, and then click Copy.
After you copy a chart, an identical chart appears next to the original chart.
Drag the new chart to the desired position on the dashboard.
Modify a chart.
Find the chart that you want to modify. Move the pointer over the icon in the upper-right corner of the chart and click Edit.
On the Edit page, modify the chart configurations, such as the chart name, SQL statements, relative data collection period, and chart type. Then, click OK.
NoteIf you modify an SQL statement, click Preview before you click OK. This operation triggers a validity check on the statement. If the SQL statement is invalid, an error message appears and the OK button remains unavailable. You can click OK only after you confirm that the statement is valid.
Delete a chart.
Find the chart that you want to delete, move the pointer over the Edit icon in the upper-right corner of the chart, and then click Delete.
Configure log alerts.
In the upper-right corner of the dashboard page, choose
.In the Alert Monitoring Rule panel, configure the parameters and click OK.
The following table describes the parameters and provides sample parameter values.
Parameter
Description
Example
Rule Name
The name of the alert monitoring rule.
Website Logs_Alert Monitoring Rule
Check Frequency
The frequency at which query and analysis results are checked.
Hourly: Query and analysis results are checked every hour.
Daily: Query and analysis results are checked at a specific point in time every day.
Weekly: Query and analysis results are checked at a specific point in time on a specific day of each week.
Fixed Interval: Query and analysis results are checked at a specific interval.
Cron: Query and analysis results are checked at an interval that is specified by a cron expression.
A cron expression can specify an interval that is accurate to the minute. The cron expression is based on the 24-hour clock. For example, 0 0/1 * * * indicates that query and analysis results are checked at an interval of 1 hour starting 00:00.
Daily, 00:00
Query Statistics
Click the input box. In the Query Statistics dialog box, configure query statement-related settings. For information about the limits of query and analysis, see Query and analysis.
Associated Report: On this tab, you can select a dashboard to monitor data.
Advanced Settings: On this tab, you can select Logstore, Metricstore, or Resource Data from the Type drop-down list to specify the type of data that you want to monitor.
Logstore: Logs are stored. For information about the query and analysis configurations, see Query and analyze logs.
Metricstore: Metrics are stored. For information about the query and analysis configurations, see Query and analyze metric data.
Resource Data: You can specify the external data that you want to associate with the alert rule. For more information, see Create resource data.
If you specify multiple query statements, you can configure the Set Operations parameter to associate the query and analysis results of the statements. For more information, see Multi-set operations.
0: Select the request success ratio chart on the SLB Operation Logs dashboard.
1: Select the request_time trend chart on the SLB Operation Logs dashboard.
Set the Set Operations parameter to CROSS JOIN.
Group Evaluation
Simple Log Service can group query and analysis results.
Custom Label: Simple Log Service groups query and analysis results based on the fields that you configure. After Simple Log Service groups the query and analysis results, Simple Log Service checks whether the query and analysis results in each group meet the trigger condition. If the query and analysis results in each group meet the trigger condition in each check period, an alert is triggered for each group.
You can configure multiple fields.
No Grouping: Only one alert is triggered in each check period when the trigger condition is met.
Auto Label: If you select Metricstore from the Type drop-down list in the Query Statistics dialog box, Simple Log Service automatically groups query and analysis results. Metricstore specifies that the query and analysis results of metrics are monitored.
After Simple Log Service groups the query and analysis results, Simple Log Service checks whether the query and analysis results in each group meet the trigger condition. If the query and analysis results in each group meet the trigger condition in each check period, an alert is triggered for each group.
No Grouping
Trigger Condition
The trigger condition and severity of an alert.
Trigger condition
Data is returned: If data is returned in the query and analysis results, an alert is triggered.
the query result contains: If the query and analysis results contain N data entries, an alert is triggered.
data matches the expression: If the query and analysis results contain data that matches a specific expression, an alert is triggered.
the query result contains and matches: If the query and analysis results contain N data entries that match a specific expression, an alert is triggered.
Severity
This parameter is used to denoise alerts and manage alert notifications. When you create an alert policy or an action policy, you can add severity-based conditions. For more information, see Specify severity levels for alerts.
If you specify a trigger condition, you can specify a severity for the condition. In this case, all alerts that are triggered based on the alert monitoring rule have the same severity.
If you specify more than one trigger condition, you can specify a severity for each condition. You can click Create to specify more trigger conditions.
For information about the syntax of conditional expressions in alert monitoring rules, see Syntax of trigger conditions in alert rules.
data matches the expression
$0.success_ratio <90&&$1.Average response time\(s\) >60
Severity: Medium
NoteIf a field contains parentheses (), use backslashes (\) to escape the parentheses ().
Add Annotation
Simple Log Service allows you to add annotations as non-identifying attributes to alerts. Annotations are in the key-value pair format. This parameter is used to denoise alerts and manage alert notifications. When you create an alert policy or an action policy, you can add annotation-based conditions. For more information, see Labels and annotations.
If you turn on Auto-Add Annotations, fields such as __count__ are automatically added to alerts. For more information, see Auto-Add switch.
Title: Monitor the request success ratio and average response time of a website
Description: Request success ratio: ${success_ratio}, Average response time: ${Average response time(s)}
Auto-Add Annotations: turned on
Threshold of Continuous Triggers
The threshold at which an alert is triggered. If the number of consecutive times the specified trigger condition is met reaches the value of this parameter, an alert is triggered. The system does not count the number of times when the specified trigger condition is not met.
1
Destination
The location to which alerts are sent. Select Simple Log Service Notification.
Simple Log Service Notification
Alert Policy
Alert policies are used to merge, silence, and suppress alerts.
If you select Simple Mode or Standard Mode, you do not need to configure an alert policy. By default, Simple Log Service uses the built-in alert policy sls.builtin.dynamic to manage alerts.
If you select Advanced Mode, you can select a built-in or custom alert policy to manage alerts. For information about how to create an alert policy, see Create an alert policy.
Simple Mode
Action Policy
Action policies are used to manage alert notification methods and the frequency at which alert notifications are sent.
If you set the Alert Policy parameter to Simple Mode, you need to only configure an action group for this parameter.
After you configure an action group, Simple Log Service automatically creates an action policy named
Rule name-Action policy
. Alert notifications are sent based on the action policy for all alerts that are triggered based on the alert monitoring rule. For more information, see Notification methods.ImportantYou can modify an action policy on the Action Policy tab. For more information, see Create an action policy. If you add conditions when you modify an action policy, the value of the Alert Policy parameter automatically changes to Standard Mode.
If you set the Alert Policy parameter to Standard Mode or Advanced Mode, you can select a built-in or custom action policy to send alert notifications. For information about how to create an action policy, see Create an action policy.
If you set the Alert Policy parameter to Advanced Mode, you can turn on or turn off Custom Action Policy. For more information, see Dynamic action policy mechanism.
Notification Method: SMS Message
Recipient: LogServiceOperations
Alert Template: SLS builtin content template
Period: Any Time
Repeat Interval
If duplicate alerts are triggered during the specified period, the action policy that you select is executed only once, and only one alert notification is sent.
5 Minutes
In the left-side navigation pane, click the icon to view the created alert rules and configure the recipients of alert notifications and alert policies. For more information, see Step 1: Create users and a user group and Create an alert policy.
After you configure an alert monitoring rule, Simple Log Service monitors the query and analysis results based on the rule. If the query and analysis results meet the specified trigger condition, an alert is triggered. You can view the alert records on the Alert Rule Center tab. For more information, see Step 3: View alert records.
References
Examples of alert configurations based on WAF logs: provides sample alert configurations based on log query and analysis results in WAF. The alerts include alerts for abnormal percentage of 4xx status codes (blocked requests are not counted), abnormal percentage of 5xx status codes, abnormal number of queries per second (QPS), sudden increase in QPS, sudden decrease in QPS, requests blocked by access control list (ACL) policies in the previous 5 minutes, requests blocked by the Protection Rules Engine in the previous 5 minutes, requests blocked by HTTP flood protection policies in the previous 5 minutes, requests blocked by scan protection policies in the previous 5 minutes, attacks from a single IP address, large number of domain names that are under attacks from a single IP address, abnormal average latency in the previous 5 minutes, and sudden decrease in traffic.