Web Application Firewall (WAF) is integrated with Log Service to provide the Log Service for WAF feature. The feature collects the full logs of domain names that are protected by WAF in real time. You can query and analyze the collected logs and visualize the results on dashboards. This can help you meet the classified protection requirements for your website and the requirements for website operations and website protection. This topic describes how to enable and use the Log Service for WAF feature.
Background information
The Log Service for WAF feature stores only the logs of the domain names for which log collection is enabled. If log collection is disabled for a domain name, the Log Service for WAF feature does not store the logs of the domain name.
Configuration item | Default setting | Modification to the default setting |
---|---|---|
Log storage duration | By default, logs are stored for 180 days. | Modification is supported. Valid values: 15 to 360. Unit: days. |
Custom field configuration | By default, WAF logs contain all required fields and some optional fields. | Modification is supported. You can modify the optional fields that are included in WAF logs. |
Log type | By default, the Log Service for WAF feature stores full logs, including the logs that are generated when WAF allows requests and blocks requests. | Modification is supported. You can modify the default settings to store only the logs that are generated when WAF blocks requests. |
Prerequisites
- A subscription WAF instance that runs the Business, Enterprise, or Exclusive edition is purchased. For more information, see Purchase a subscription WAF instance.
- The domain names of your website are added to WAF.
If the domain names are not added to WAF, the Log Service for WAF feature does not collect the logs of the domain names. We recommend that you add the domain names of your website to WAF before you enable the feature. For more information about how to add a domain name to WAF, see Tutorial.
- Log Service is activated.
The first time you log on to the Log Service console, you must activate Log Service as prompted.
You can use the dedicated Logstore for WAF only if Log Service is running as expected within your Alibaba Cloud account.
Note: If Log Service has an overdue payment, the log collection feature of WAF is suspended until you settle the payment.
Step 1: Enable the Log Service for WAF feature
After the Log Service for WAF feature is enabled, Log Service automatically creates a dedicated project and a dedicated Logstore for your WAF instance within the same Alibaba Cloud account. This facilitates log collection. For more information about the default settings of the dedicated project and dedicated Logstore, see Dedicated project and dedicated Logstore for WAF.
Step 2: Use the Log Service for WAF feature
Dedicated project and dedicated Logstore for WAF
Log Service automatically creates a dedicated project and a dedicated Logstore for WAF. The following table describes the default settings of the dedicated project and the dedicated Logstore.
Resource type | Description |
---|---|
Project | Log Service automatically creates a dedicated project for WAF. For more information about the dedicated project, see Project. Log Service creates the dedicated project based on the region of your WAF instance. You can view the dedicated project on the homepage of the Log Service console. If you want to access the dedicated project, click the name of the dedicated project. For more information about projects, see Manage a project. |
Logstore | A Logstore is automatically created in the dedicated project. For more information about the Logstore, see Logstore. The Logstore name is waf-logstore. All logs that are collected by WAF are stored in the Logstore. You can view the Logstore in the dedicated project. For more information about Logstores, see Manage a Logstore. Only WAF logs can be written to the dedicated Logstore. Different write methods are supported, such as APIs and SDKs. The dedicated Logstore has no limits on features such as query, statistics, alerting, or streaming consumption. |
Shard | By default, the dedicated Logstore contains two shards, and the automatic sharding feature is enabled for the Logstore. For more information about shards, see Shards. You can view the attributes of the shards on the Logstore Attributes page. For more information about how to manage shards, see Manage shards. |
Dashboard | The dedicated project contains the following three preconfigured dashboards: Operation Center, Access Center, and Security Center. For more information, see Dashboards. You can view the dashboards in the dedicated project. For more information about the dashboards, see View dashboards. |
References
- Before a RAM user can use the Log Service for WAF feature, the RAM user must be granted the permissions that are required for the Log Service for WAF feature. For more information, see Grant log query and analysis permissions to a RAM user.
- For more information about how to query and analyze WAF logs, see Query logs.
- For more information about how to modify the settings of WAF logs, such as storage rules and storage capacity, see Modify log settings.