All Products
Search
Document Center

Web Application Firewall:Enable or disable log service

Last Updated:Jun 18, 2026

Web Application Firewall (WAF)The log service is disabled by default. The security report feature provided by the system only retains logs for a limited duration. To obtain complete raw logs for in-depth analysis or to meet compliance and audit requirements, you must enable the log service. This topic describes how to enable and disable the log service.

Enable log service

Note

WAF subscription Basic edition instances do not support the log service. To use this feature, choose one of the following methods:

  1. Upgrade your instance edition.

  2. Unsubscribe from the current subscription instance and activate a pay-as-you-go instance.

Pay-as-you-go

  1. Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.

  2. In the navigation pane on the left, choose Detection and Response > Log Service.

  3. In the Enable Logging for Protected Objects section, select a region for log storage from the drop-down list. The selected region is where the log service project is created.

    Important

    The log storage region cannot be changed after selection. If you need to change it, you must first disable the log service and then enable it again. Proceed with caution.

  4. Click Enable Log Service. After the service is enabled, WAF does not charge any fees. All log fees are billed by Log Service (SLS).

Subscription

  1. Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.

  2. In the navigation pane on the left, choose Detection and Response > Log Service.

  3. Click Upgrade Now to go to the upgrade page. (This step applies only to users who did not enable the log service when purchasing WAF. If you have already purchased WAF, proceed directly to step 5.)

  4. Set Log Service to Enabled, select a log storage capacity, and then complete the payment. If you are unsure about the required capacity, you can use the default configuration, which can be upgraded later.

  5. Return to the WAF Log Service console. In the Log Service section, select a region for log storage from the drop-down list. The selected region is where the log service project is created.

    Important

    The log storage region cannot be changed after selection. If you need to change it, you must first unsubscribe from and release the current WAF instance, and then purchase a new one. Proceed with caution.

  6. Click Enable Log Service.

Follow-up steps

  1. Enable log delivery: After you enable the log service, you must enable log delivery for your WAF protected objects before you can query and analyze log data.

    • Enable individually: On the Log Service page, select a protected object in the upper-left corner and enable the log delivery status.

    • Enable in bulk: Use Log Configuration in the upper-right corner to enable SLS delivery in bulk. For more information, see Log fields and delivery status.

  2. Log query and analysis: You can query and analyze log data for your protected objects, and generate statistical charts or create alerts based on the analysis results. For more information, see Query logs.

Note
  • Log delay: After you enable log delivery for a protected object and traffic is generated, there is approximately a 10-minute delay before you can view the SLS logs. We recommend that you send a test request and wait briefly before going to the log query page to confirm the data.

  • Historical log limitation: The WAF log service only starts recording logs from the moment it is enabled. Historical logs from before enabling cannot be retrieved.

  • Log data deletion: When a subscription WAF instance is unsubscribed, or a pay-as-you-go WAF instance is disabled and released, the associated logs are deleted and cannot be retained or queried.

Project and Logstore

After you enable the log service, the system automatically creates a WAF-dedicated log project (Project) and a logstore (Logstore).

Important

Do not manually delete the log project or logstore that are automatically created by the system. Otherwise, your log data will be cleared.

Resource Type

Description

Log project (Project)

Log Service automatically creates a dedicated log project for WAF. The naming rules are as follows:

  • Pay-as-you-go instance: wafnew-project-Alibaba Cloud account ID-region

  • Subscription instance: wafng-project-Alibaba Cloud account ID-region

You can query the dedicated log project on the homepage of the Log Service console. Click the project name to enter. For more information about log projects, see Manage projects.

Logstore

A logstore is created by default under the WAF log project. All WAF logs are stored in this logstore. The naming rules are as follows:

  • Pay-as-you-go instance: wafnew-logstore

  • Subscription instance: wafng-logstore

This logstore only supports storing WAF logs. It does not support writing other types of data through APIs, SDKs, or other methods. There are no special restrictions on features such as query, statistics, alerting, and streaming consumption.

Important

The normal operation of the logstore depends on the normal status of the Log Service product under your Alibaba Cloud account. If your Log Service product has an overdue payment, the WAF log delivery feature is paused. After you settle the overdue payment, the feature is automatically restored.

For more information about logstores, see Manage Logstores.

Disable Log Service

Pay-as-you-go

Warning

Disabling the log service clears the WAF-dedicated log project (Project) that is automatically created by the system and all log data within it. You will no longer be able to query logs. Confirm that you no longer need the log service before performing this operation.

  1. Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.

  2. In the navigation pane on the left, choose Detection and Response > Log Service.

  3. On the Log Service page, click Disable in the upper-right corner. In the dialog box that appears, click OK.

Subscription

The log service for subscription instances does not support being directly disabled. It is automatically disabled only when the WAF instance expires and is released, or when the instance is unsubscribed.

To reduce log service fees, you can use the following methods:

Important

After you reduce the log storage capacity specification, if the capacity reaches the upper limit, new log data cannot be written, which may result in incomplete log data.

FAQ

No log data appears after enabling the log service. How do I troubleshoot this?

If no log data appears after enabling the WAF log service, troubleshoot in the following order:

  1. Check the log delivery switch at the protected object level: Enabling the log service is only a global switch. You also need to select a specific protected object on the Log Service page in the upper-left corner and individually enable the log delivery switch for that object. Enabling only the global log service does not automatically deliver logs.

  2. Confirm whether traffic is passing through WAF: Logs are only generated when traffic is generated on the protected object.

  3. Wait approximately 10 minutes: After enabling log delivery, there is approximately a 10-minute delay before log data is available. You need to wait briefly before viewing the data.

How do I obtain or query WAF logs? Does WAF support API-based log downloads?

You can query and obtain WAF logs through the following methods:

  • Query and download in the console: Go to the WAF console to query logs. You can download logs using the image icon. For specific steps, see Query logs.

  • Obtain logs through APIs: The WAF product does not directly provide OpenAPI interfaces for log query or download. Log data is delivered by default to Alibaba Cloud Log Service (SLS). Use the Log Service OpenAPI (such as GetLogs) together with your project and logstore information to query and obtain logs. For more information, see GetLogs.