The Log Service feature is disabled by default for Web Application Firewall (WAF). You must enable Log Service to store, query, and analyze the logs of objects that are protected by WAF. This topic describes how to enable Log Service for WAF.
- Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
- In the left-side navigation pane, choose .
- On the Log Service page, click Enable Now. Important
- If Log Service has been enabled, the Enable Now button is not displayed on the Log Service page. You can directly query logs on the Log Service page. For more information, see Query logs.
- If you are using a pay-as-you-go WAF instance, Log Service calculates the fees that you are charged for using Log Service.
- If you are using a subscription WAF instance, you must enable Log Service on the Web Application Firewall 3.0 (Subscription) buy page and select a log storage capacity based on your business requirements. WAF calculates fees based on your selected log storage capacity and the subscription period of your WAF instance.
- In the Tips message, click OK. After you click OK, Alibaba Cloud automatically creates the dedicated service-linked role AliyunServiceRoleForWAF in the Resource Access Management (RAM) console. For more information about service-linked roles, see Service-linked roles. For more information about RAM, see What is RAM? The service-linked role is used to authorize WAF to access the required cloud resources. For example, the service-linked role allows WAF to access Log Service and store logs to a Logstore of Log Service. For more information about Logstores, see Logstore. For more information about RAM roles, see RAM role overview.Important The service-linked role AliyunServiceRoleForWAF can be created only once. If the service-linked role already exists, Alibaba Cloud will not create the role again. For more information about the service-linked role, log on to the RAM console and go to the Roles page.
Dedicated project and Logstore for WAF
The following table describes the default configurations of the dedicated project and Logstore for WAF.
|Project||Log Service automatically creates a dedicated project for WAF based on the region
where your WAF instance resides.
To query the dedicated project for WAF, log on to the Log Service console and click the name of the project.
For more information about projects, see Manage a project.
|Logstore||A Logstore is created by default in the project. The name of the Logstore is
Only WAF logs can be written to the dedicated Logstore. Different write methods are supported, such as calling the API or using an SDK. The dedicated Logstore has no limits on features such as query, statistics, alerting, or streaming consumption.
You are not charged for the dedicated Logstore. However, you can use the dedicated Logstore only when Log Service is running in your Alibaba Cloud account as expected.
Important If Log Service has an overdue bill, the log collection feature of WAF is suspended until you settle the bill.
For more information about Logstores, see Manage a Logstore.