
Web Application Firewall: Configure log settings and manage log storage capacity

Last Updated: Aug 22, 2023

After you enable the Log Service for Web Application Firewall (WAF) feature, you can enable or disable the log collection feature for protected objects and configure log settings based on your business requirements. You can specify log fields, the log storage type, and the log storage period to use the Log Service for WAF feature in a more efficient manner. You can also view the log storage capacity of each Logstore in real time and increase the log storage capacity at the earliest opportunity to ensure that logs can be written to the Logstore. This topic describes how to configure log settings and manage log storage capacity.

Prerequisites

Configure log settings

Specify log fields and the log storage type

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Security Operations > Log Service.

  3. In the upper-right corner of the Log Service page, click Log Configuration.

  4. On the Fields tab, configure the parameters and click Save. The following table describes the parameters.

    Log Storage Period

      Description: The duration for which you want to store logs. By default, WAF logs are stored for 180 days. You can change the log storage period.

      Operation:

      1. In the Log Storage Period section, click Configure Now. On the page that appears, find the project whose log storage period you want to change.

      2. In the left-side navigation pane of the project details page, move the pointer over logstore and choose Expand > Modify. You can also click Modify in the upper-right corner of the Logstore Attributes panel.

      3. Change the value of the Data Retention Period parameter and click Save in the upper-right corner.

    Custom Field Settings

      Description: The fields that you want WAF logs to include. WAF log fields are classified into required fields and optional fields.

      • Required Fields: Required fields must be included in WAF logs.

      • Optional Fields: Optional fields are fields that you can choose to include in or exclude from WAF logs.

      For more information about WAF log fields, see Fields in logs.

      Operation:

      • Enable optional fields

        In the Optional Fields section, select the log fields that you want to enable and click the rightwards arrow to move the log fields from the Available Fields section to the Selected Fields section.

        After you save the settings, the optional fields that you enabled are included in new WAF logs.

      • Disable optional fields

        In the Selected Fields section, select the log fields that you want to disable and click the leftwards arrow to move the log fields from the Selected Fields section to the Available Fields section.

        After you save the settings, the optional fields that you disabled are no longer included in new WAF logs.

    Log Type

      Description: The type of log that you want WAF to store. Valid values:

      • Full Log: All logs are stored, including the logs of allowed requests, monitored requests, and blocked requests.

      • Block Log: Only the logs of blocked requests are stored.

      • Block and Monitor Logs: Only the logs of monitored requests and blocked requests are stored.

      Operation: In the Log Type section, select Full Log, Block Log, or Block and Monitor Logs.

  5. In the Tips message, click OK.

    After you save the settings, the settings take effect for all domain names that are added to your WAF instance. On the Log Collection tab, you can enable or disable the log collection feature for specific protected objects. For more information, see Enable or disable the log collection feature.

Enable or disable the log collection feature

WAF collects and stores logs for a protected object, based on the log settings that you configure, only after you enable the log collection feature for that object. You can then query and analyze the logs. To enable or disable the log collection feature for protected objects, perform the following steps:

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Security Operations > Log Service.

  3. In the upper-right corner of the Log Service page, click Log Configuration.

  4. On the Log Collection tab, find the protected object for which you want to enable or disable the log collection feature and turn on or turn off the switch in the Log Collection column.

Manage the log storage capacity of a subscription WAF instance

You can view and upgrade the log storage capacity only if you use a subscription WAF instance. If you use a pay-as-you-go WAF instance, you are charged based on your actual usage of log storage space. The fees are included in the bills of Simple Log Service.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Security Operations > Log Service.

  3. Manage your log storage capacity.

    • View log storage capacity: In the upper-right corner of the Log Service page, view the log storage usage as a percentage and the ratio of used storage space to total available storage space.

      Important

      If your log storage usage exceeds 80% of the upper limit, you are notified by text message and email. If the log storage capacity is exhausted, WAF logs can no longer be written. We recommend that you increase the log storage capacity of your WAF instance at the earliest opportunity.

    • Increase log storage capacity: In the upper-right corner of the Log Service page, click Upgrade Storage. On the page that appears, select a larger storage capacity and complete the payment.
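
The planning check below is an added example, not Alibaba Cloud code: it combines the 180-day default storage period, the 80% notification threshold and the three Log Type options described on this page to estimate whether a subscription capacity fills before old logs expire. The daily volumes, the 3,072 GB capacity and the name plan are constructed for illustration, and the model assumes that stored volume plateaus at daily volume multiplied by the storage period.

```python
import math

ALERT_RATIO = 0.80            # page: notification is sent above 80% usage
DEFAULT_RETENTION_DAYS = 180  # page: default WAF log storage period

# Request outcomes stored by each Log Type option, as listed on the page.
LOG_TYPES = {
    "Full Log": ("allowed", "monitored", "blocked"),
    "Block and Monitor Logs": ("monitored", "blocked"),
    "Block Log": ("blocked",),
}


def plan(daily_gb, capacity_gb, retention_days=DEFAULT_RETENTION_DAYS):
    """Compare the Log Type options against one storage capacity.

    daily_gb maps each request outcome to GB of logs written per day.
    Assumption: logs older than the storage period are deleted, so usage
    plateaus at (daily volume x retention days).
    """
    alert_gb = capacity_gb * ALERT_RATIO
    report = {}
    for log_type, outcomes in LOG_TYPES.items():
        per_day = sum(daily_gb[o] for o in outcomes)
        plateau = per_day * retention_days
        full = plateau > capacity_gb
        report[log_type] = {
            "plateau_gb": plateau,
            "alerts": plateau > alert_gb,   # crosses the 80% notification line
            "writes_stop": full,            # capacity exhausted, logs are lost
            # Days from an empty Logstore until it is full; inf if never.
            "days_to_full": capacity_gb / per_day if full else math.inf,
            # Longest storage period whose plateau stays under the 80% line.
            "max_retention_days": math.floor(alert_gb / per_day) if per_day else None,
        }
    return report


# Constructed sample volumes in GB per day, not taken from a real instance.
SAMPLE_DAILY_GB = {"allowed": 20.0, "monitored": 1.5, "blocked": 0.5}

if __name__ == "__main__":
    for name, row in plan(SAMPLE_DAILY_GB, capacity_gb=3072).items():
        print(f"{name}: {row}")
```

With these sample numbers, Full Log at 180 days fills the Logstore after about 139 days, so the choice is a shorter storage period, a larger capacity, or a narrower Log Type that keeps no record of allowed requests.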