Web Application Firewall (WAF)
The log service is disabled by default. The security report feature provided by the system only retains logs for a limited duration. To obtain complete raw logs for in-depth analysis or to meet compliance and audit requirements, you must enable the log service. This topic describes how to enable and disable the log service.
Enable log service
WAF subscription Basic edition instances do not support the log service. To use this feature, choose one of the following methods:
Upgrade your instance edition.
Unsubscribe from the current subscription instance and activate a pay-as-you-go instance.
Pay-as-you-go
1. Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.
2. In the navigation pane on the left, choose .
3. In the Enable Logging for Protected Objects section, select a region for log storage from the drop-down list. The selected region is where the log service project is created.
   Important: The log storage region cannot be changed after selection. If you need to change it, you must first disable the log service and then enable it again. Proceed with caution.
4. Click Enable Log Service. After the service is enabled, WAF does not charge any fees. All log fees are billed by Log Service (SLS).
Subscription
1. Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.
2. In the navigation pane on the left, choose .
3. Click Upgrade Now to go to the upgrade page. (This step applies only to users who did not enable the log service when purchasing WAF. If you have already purchased WAF, proceed directly to step 5.)
4. Set Log Service to Enabled, select a log storage capacity, and then complete the payment. If you are unsure about the required capacity, you can use the default configuration, which can be upgraded later.
5. Return to the WAF Log Service console. In the Log Service section, select a region for log storage from the drop-down list. The selected region is where the log service project is created.
   Important: The log storage region cannot be changed after selection. If you need to change it, you must first unsubscribe from and release the current WAF instance, and then purchase a new one. Proceed with caution.
6. Click Enable Log Service.
Follow-up steps
Enable log delivery: After you enable the log service, you must enable log delivery for your WAF protected objects before you can query and analyze log data.
Enable individually: On the Log Service page, select a protected object in the upper-left corner and enable the log delivery status.
Enable in bulk: Use Log Configuration in the upper-right corner to enable SLS delivery in bulk. For more information, see Log fields and delivery status.
Log query and analysis: You can query and analyze log data for your protected objects, and generate statistical charts or create alerts based on the analysis results. For more information, see Query logs.
Log delay: After you enable log delivery for a protected object and traffic is generated, there is approximately a 10-minute delay before you can view the SLS logs. We recommend that you send a test request and wait briefly before going to the log query page to confirm the data.
Historical log limitation: The WAF log service only starts recording logs from the moment it is enabled. Historical logs from before enabling cannot be retrieved.
Log data deletion: When a subscription WAF instance is unsubscribed, or a pay-as-you-go WAF instance is disabled and released, the associated logs are deleted and cannot be retained or queried.
Project and Logstore
After you enable the log service, the system automatically creates a WAF-dedicated log project (Project) and a logstore (Logstore).
Do not manually delete the log project or logstore that the system creates automatically. Otherwise, your log data will be cleared.
Resource Type | Description |
Log project (Project) | Log Service automatically creates a dedicated log project for WAF. The naming rules are as follows:
You can query the dedicated log project on the homepage of the Log Service console. Click the project name to enter. For more information about log projects, see Manage projects. |
Logstore | A logstore is created by default under the WAF log project. All WAF logs are stored in this logstore. The naming rules are as follows:
This logstore only supports storing WAF logs. It does not support writing other types of data through APIs, SDKs, or other methods. There are no special restrictions on features such as query, statistics, alerting, and streaming consumption. Important: The normal operation of the logstore depends on the normal status of the Log Service product under your Alibaba Cloud account. If your Log Service product has an overdue payment, the WAF log delivery feature is paused. After you settle the overdue payment, the feature is automatically restored. For more information about logstores, see Manage Logstores. |
Disable Log Service
Pay-as-you-go
Disabling the log service clears the WAF-dedicated log project (Project) that is automatically created by the system and all log data within it. You will no longer be able to query logs. Confirm that you no longer need the log service before performing this operation.
1. Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.
2. In the navigation pane on the left, choose .
3. On the Log Service page, click Disable in the upper-right corner. In the dialog box that appears, click OK.
Subscription
The log service for subscription instances cannot be disabled directly. It is automatically disabled only when the WAF instance expires and is released, or when the instance is unsubscribed.
To reduce log service fees, you can use the following methods:
Reduce the log storage capacity specification: For more information, see Upgrade and downgrade WAF 3.0 instances.
Unsubscribe from the instance and repurchase: For more information, see Unsubscribe from WAF.
After you reduce the log storage capacity specification, if the capacity reaches the upper limit, new log data cannot be written, which may result in incomplete log data.
FAQ
No log data appears after enabling the log service. How do I troubleshoot this?
If no log data appears after enabling the WAF log service, troubleshoot in the following order:
Check the log delivery switch at the protected object level: Enabling the log service is only a global switch. You also need to select a specific protected object in the upper-left corner of the Log Service page and individually enable the log delivery switch for that object. Enabling only the global log service does not automatically deliver logs.
Confirm whether traffic is passing through WAF: Logs are only generated when traffic is generated on the protected object.
Wait approximately 10 minutes: After enabling log delivery, there is approximately a 10-minute delay before log data is available. You need to wait briefly before viewing the data.
How do I obtain or query WAF logs? Does WAF support API-based log downloads?
You can query and obtain WAF logs through the following methods:
Query and download in the console: Go to the WAF console to query logs. You can download logs using the icon. For specific steps, see Query logs.
Obtain logs through APIs: The WAF product does not directly provide OpenAPI interfaces for log query or download. Log data is delivered by default to Alibaba Cloud Log Service (SLS). Use the Log Service OpenAPI (such as GetLogs) together with your project and logstore information to query and obtain logs. For more information, see GetLogs.
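Added example (not part of the Alibaba Cloud documentation): once log timestamps have been pulled from the logstore, for example with GetLogs, this check flags stretches with no delivered WAF logs, the symptom of delivery paused by an overdue payment or of writes refused at the storage capacity limit. It leaves the most recent 10 minutes unjudged because of the delivery delay described above. The function names, the 15-minute silence threshold, and the sample timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

INGEST_DELAY = timedelta(minutes=10)  # delivery delay stated on this page


def find_delivery_gaps(event_times, window_start, now,
                       max_silence=timedelta(minutes=15)):
    """Return (start, end, ongoing) for each silent stretch in WAF log delivery.

    event_times: datetimes of log entries already fetched from the logstore.
    The last INGEST_DELAY before `now` is not judged, because entries for
    that period may not be queryable yet.
    max_silence: assumed threshold; tune it to the site's normal traffic.
    """
    horizon = now - INGEST_DELAY
    gaps, prev = [], window_start
    for t in sorted(t for t in event_times if window_start <= t <= horizon):
        if t - prev > max_silence:
            gaps.append((prev, t, False))   # delivery resumed at t
        prev = t
    if horizon - prev > max_silence:
        gaps.append((prev, horizon, True))  # still silent: investigate now
    return gaps


def sample_events():
    """Constructed sample: steady traffic, a 40-minute hole, then silence."""
    base = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    first = [base + timedelta(minutes=m) for m in range(0, 31)]    # 10:00-10:30
    second = [base + timedelta(minutes=m) for m in range(70, 81)]  # 11:10-11:20
    return base, first + second


if __name__ == "__main__":
    start, events = sample_events()
    now = start + timedelta(hours=2)
    for gap_start, gap_end, ongoing in find_delivery_gaps(events, start, now):
        state = ("ongoing: check delivery status, storage capacity, SLS billing"
                 if ongoing else "closed: logs for this period are missing")
        print(f"{gap_start:%H:%M} -> {gap_end:%H:%M} ({state})")
```

An ongoing gap maps to the troubleshooting order in the FAQ (per-object delivery switch, traffic actually passing through WAF), plus the capacity and overdue-payment conditions noted earlier on the page.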