The Log Service feature is disabled by default for Web Application Firewall (WAF). You must enable Log Service to store, query, and analyze the logs of objects that are protected by WAF. This topic describes how to enable Log Service for WAF.

Prerequisites

A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.

Procedure

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, choose Security Operations > Log Service.
  3. On the Log Service page, click Enable Now.
    Important
    • If Log Service has been enabled, the Enable Now button is not displayed on the Log Service page. You can directly query logs on the Log Service page. For more information, see Query logs.
    • If you are using a pay-as-you-go WAF instance, Log Service calculates the fees that you are charged for using Log Service.
    • If you are using a subscription WAF instance, you must enable Log Service on the Web Application Firewall 3.0 (Subscription) buy page and select a log storage capacity based on your business requirements. WAF calculates fees based on your selected log storage capacity and the subscription period of your WAF instance.
  4. In the Tips message, click OK.
    After you click OK, Alibaba Cloud automatically creates the dedicated service-linked role AliyunServiceRoleForWAF in the Resource Access Management (RAM) console. The service-linked role authorizes WAF to access the required cloud resources. For example, it allows WAF to access Log Service and store logs to a Logstore of Log Service. For more information, see Service-linked roles, What is RAM?, Logstore, and RAM role overview.
    Important: The service-linked role AliyunServiceRoleForWAF can be created only once. If the service-linked role already exists, Alibaba Cloud will not create the role again. For more information about the service-linked role, log on to the RAM console and go to the Roles page.

After you enable the Log Service feature, Log Service automatically creates a dedicated project and a dedicated Logstore for WAF and completes the preparations for log collection. For more information about the dedicated project and Logstore for WAF, see Dedicated project and Logstore for WAF.

Important: If you terminate the WAF service, the dedicated Logstore and the logs that are stored in the Logstore are deleted.

Dedicated project and Logstore for WAF

The following table describes the default configurations of the dedicated project and Logstore for WAF.

Important: Do not delete or modify the default project or Logstore that is automatically created by Log Service.

Resource type: Project
Description: Log Service automatically creates a dedicated project for WAF based on the region where your WAF instance resides.
  • WAF instances in the Chinese mainland: The project name is wafnew-project-<Alibaba Cloud account ID>-cn-hangzhou. This project resides in the China (Hangzhou) region.
  • WAF instances outside the Chinese mainland: The project name is wafnew-project-<Alibaba Cloud account ID>-ap-southeast-1. This project resides in the Singapore (Singapore) region.

To query the dedicated project for WAF, log on to the Log Service console and click the name of the project.

For more information about projects, see Manage a project.

Resource type: Logstore
Description: A Logstore is created by default in the project. The name of the Logstore is wafnew-logstore. All logs that are collected by WAF are stored in the Logstore. You can view the Logstore in the dedicated project for WAF.

Only WAF logs can be written to the dedicated Logstore. Different write methods are supported, such as calling the API or using an SDK. The dedicated Logstore has no limits on features such as query, statistics, alerting, or streaming consumption.

You are not charged for the dedicated Logstore. However, you can use the dedicated Logstore only when Log Service is running in your Alibaba Cloud account as expected.

Important: If Log Service has an overdue bill, the log collection feature of WAF is suspended until you settle the bill.

For more information about Logstores, see Manage a Logstore.

What to do next

After you enable Log Service, you must enable the log collection feature for the protected objects whose logs you want to collect. Then, WAF collects and stores the logs of the protected objects for you to query and analyze. For more information about how to enable the log collection feature, see Log collection.