Get started with the Log Service for WAF feature - Web Application Firewall

Web Application Firewall (WAF) is integrated with Log Service to provide the Log Service for WAF feature. The feature collects the full logs of domain names that are protected by WAF in real time. You can query and analyze the collected logs and visualize the results on dashboards. This can help you meet the classified protection requirements for your website and the requirements for website operations and website protection. This topic describes how to enable and use the Log Service for WAF feature.

Background information

The Log Service for WAF feature stores only the logs of the domain names for which log collection is enabled. If log collection is disabled for a domain name, the Log Service for WAF feature does not store the logs of the domain name.

After you enable log collection for a domain name, the Log Service for WAF feature automatically stores the logs of the domain name based on the following default configuration.


Configuration item	Default setting	Modification to the default setting
Log storage duration	By default, logs are stored for 180 days.	Modification is supported. You can modify the default settings to store only the logs that are generated when WAF blocks requests.
Custom field configuration	By default, WAF logs contain all required fields and some optional fields.	Modification is supported. Valid values: 15 to 360. Unit: days.
Log type	By default, the Log Service for WAF feature stores full logs, including the logs that are generated when WAF allows requests and blocks requests.	Modification is supported. You can modify the optional fields that are included in WAF logs.

You can modify the preceding default settings. For more information, see Modify log settings.

Prerequisites

A subscription WAF instance that runs the Business, Enterprise, or Exclusive edition is purchased.
The domain names of your website are added to WAF.
If the domain names are not added to WAF, the Log Service for WAF feature does not collect the logs of the domain names. We recommend that you add the domain names of your website to WAF before you enable the feature. For more information about how to add a domain name to WAF, see Tutorial.
Log Service is activated.
The first time you log on to the Log Service console, you must activate Log Service as prompted.
You can use the dedicated Logstore for WAF only if Log Service is running as expected within your Alibaba Cloud account.
Note If Log Service has an overdue payment, the log collection feature of WAF is suspended until you settle the payment.

Step 1: Enable the Log Service for WAF feature

Log on to the WAF console. In the top navigation bar, select the resource group and the region to which your WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Security Operations > Log Service.
On the Log Service page, click Upgrade Now and complete the upgrade as prompted.
Note If Log Service is set to YES when you purchase your WAF instance, skip this step.
Upgrade procedure:
1. On the Upgrade/Downgrade page, set the Log Service parameter to YES. Then, specify a value for Log Storage Size based on your business requirements.
2. Click Buy Now and complete the payment.
Authorize WAF to access the required cloud services. For more information, see Create the AliyunServiceRoleForWAF role.

After the Log Service for WAF feature is enabled, Log Service automatically creates a dedicated project and a dedicated Logstore for your WAF instance within the same Alibaba Cloud account. This facilitates log collection. For more information about the default settings of the dedicated project and dedicated Logstore, see Dedicated project and dedicated Logstore for WAF.

Step 2: Use the Log Service for WAF feature

Log on to the WAF console. In the top navigation bar, select the resource group and the region to which your WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Security Operations > Log Service.
Select a domain name from the domain name drop-down list and turn on Status to enable log collection for the domain name.
The domain name drop-down list in Section 1 contains only the domain names that are added to WAF. If the domain name that you want to select is not added to WAF, you must add the domain name to WAF first. For more information, see Tutorial.
On the Log Query tab, execute a query statement to query and analyze the logs of the domain name. For more information, see Query logs.
For more information about examples of log query and analysis, see Query and analysis examples.
On the Log Analysis tab, view the dashboards that are preconfigured by WAF based on logs.
The dashboards provide a series of charts that are generated based on logs. This way, you can directly view the service and security data of your website. WAF provides the following three preconfigured dashboards:
- Operation Center: displays the service operations metrics of your website. The service operations metrics include the request trend and the overview of attacks.
- Access Center: displays the access information about your website. The access information includes access metrics, client distribution, traffic, and performance.
- Security Center: displays the attack information about your website. The attack information includes attack metrics, attack trends, and attack source distribution.
You need to specify only the query time range to search for dashboards. You can also subscribe to dashboards to receive dashboard data by using different notification methods such as emails. For more information about the chart data that is displayed on dashboards and how to subscribe to dashboards, see View dashboards.

Dedicated project and dedicated Logstore for WAF

Log Service automatically creates a dedicated project and a dedicated Logstore for WAF. The following table describes the default settings of the dedicated project and the dedicated Logstore.

Important Do not delete or modify the default project, Logstore, index, or dashboard settings that are created by Log Service. Log Service automatically updates and upgrades the log query and analysis feature for WAF logs on an irregular basis. Log Service also updates the indexes of the dedicated Logstore and the preconfigured dashboards.


Resource type	Description
Project	Log Service automatically creates a dedicated project for WAF. For more information about the dedicated project, see Project. Log Service creates the dedicated project based on the region of your WAF instance. WAF instances in the In the Chinese mainland: The project name is `wafnew-project-Alibaba Cloud account ID-cn-hangzhou`. This project resides in the China (Hangzhou) region. WAF instances Outside the Chinese mainland: The project name is `wafnew-project-Alibaba Cloud account ID-ap-southeast-1`. This project resides in the Singapore (Singapore) region. You can view the dedicated project on the homepage of the Log Service console. If you want to access the dedicated project, click the name of the dedicated project. For more information about projects, see Manage a project.
Logstore	A Logstore is automatically created in the dedicated project. For more information about the Logstore, see Logstore. The Logstore name is `waf-logstore`. All logs that are collected by WAF are stored in the Logstore. You can view the Logstore in the dedicated project. For more information about Logstores, see Manage a Logstore. Only WAF logs can be written to the dedicated Logstore. Different write methods are supported, such as APIs and SDKs. The dedicated Logstore has no limits on features such as query, statistics, alerting, or streaming consumption.
Shard	By default, the dedicated Logstore contains two shards, and the automatic sharding feature is enabled for the Logstore. For more information about shards, see Shards. You can view the attributes of the shards on the Logstore Attributes page. For more information about how to manage shards, see Manage shards.
Dashboard	The dedicated project contains the following three preconfigured dashboards: Operation Center, Access Center, and Security Center. For more information, see Dashboards. You can view the dashboards in the dedicated project. For more information about the dashboards, see View dashboards.

References

Before a RAM user can use the Log Service for WAF feature, the RAM user must be granted the permissions that are required for the Log Service for WAF feature. For more information, see Grant log query and analysis permissions to a RAM user.
For more information about how to query and analyze WAF logs, see Query logs.
For more information about how to modify the settings of WAF logs, such as storage rules and storage capacity, see Modify log settings.