Web Application Firewall (WAF) is integrated with Log Service to provide the Log Service for WAF feature. The feature collects and stores access logs and protection logs of domain names that are added to WAF. You can use this feature to query and analyze log data, configure charts to generate, configure alert rules, and deliver log data to downstream services for consumption. This feature allows you to focus on log analysis.

Intended users

  • Large-scale enterprises and organizations, such as financial entities and public service sectors that need to meet log storage requirements. The logs include host, network, and security logs of various assets in the cloud.
  • Organizations, such as large-scale real estate, e-commerce, financial entities, and public service sectors that have security operations centers (SOCs) and want to collect and manage security and alert logs in a centralized manner.
  • Enterprises with advanced technologies, such as companies in the IT, gaming, or financial industry, which require in-depth analysis on logs collected from various assets in the cloud and automated alert handling.
  • All users who need to trace business security events and generate weekly, monthly, and yearly reports, or users who need to meet classified protection requirements (MLPS level 3 or higher).


  • Trace web attack logs and identify the source of security threats.
  • View requests and query the request status and trends.
  • Obtain information about the efficiency of security operations and respond to issues at the earliest opportunity.
  • Generate and deliver security network logs to self-managed data and computing centers.


  • Compliance audits: This feature allows you to store website access logs for more than six months to meet classified protection requirements.
  • Flexible configuration:
    • This feature allows you to collect and store web access and protection logs with a few steps.
    • This feature allows you to configure the custom log storage duration and capacity and specify the websites whose logs you want to collect.
    • This feature allows you to modify existing report templates or create custom report templates based on your business or security requirements.
  • Real-time log analysis: WAF provides the real-time log analysis feature and an out-of-the-box (OOTB) report center, and supports interactive data mining. This allows you to identify and analyze various attacks on your website and access details in real time.
  • Real-time alerting: You can customize monitoring and alert rules based on specific metrics. This way, you can respond to exceptions that occur in critical services at the earliest opportunity.
  • Collaboration: You can use this feature together with other data solutions such as real-time computing, cloud storage, and visualization to further explore the value of data.

Billing and enabling

Subscription WAF instances that run the Pro edition or higher support the Log Service for WAF feature.

You can use the Log Service for WAF feature only after you enable the feature. When you use the Log Service for WAF feature, you are charged based on the log storage capacity that you purchase. For more information about billing, see Billing.

For more information about how to enable the Log Service for WAF feature, see Enable Log Service for WAF.


Feature Description
Log collection After you enable the Log Service for WAF feature, you can enable log collection for domain names that are added to WAF. WAF can collect and store logs for the domain names only after log collection is enabled for the domain names. You can query and analyze the collected log data. For more information about the log fields supported by WAF, see Log fields supported by WAF.

You can modify log settings, such as the storage period, optional log fields, and storage type. The storage types are Logs and Block Logs. For more information, see Modify log settings.

Log query and analysis You can use query statements to query and analyze collected logs.

Each query statement consists of a search statement and an analytic statement that uses the standard SQL-92 syntax. The search statement and analytic statement are separated by a vertical bar (|). For more information about search statements, see Search syntax. For more information about analytic statements, see Log analysis overview. By default, analysis results are displayed in tables. You can also choose to view analysis results in charts, such as line charts, column charts, or pie charts.

You can create alert rules based on query statements. After an alert rule is created, Log Service regularly checks query and analysis results. If a query and analysis result meets the trigger condition that you specify in the alert rule, Log Service sends an alert notification. For more information, see Log alerts.

Dashboards A dashboard provides real-time data analysis results. You can view multiple charts that are generated based on query and analysis results on a dashboard.

The Log Service for WAF feature provides the following three dashboards based on common business and security scenarios: Operation Center, Access Center, and Security Center dashboards. If you want to view the business and security data of your website, you need only to specify a time range on the dashboards. You do not need to enter a query statement.

You can subscribe to dashboards to send dashboard data to specific recipients by using emails.

Management of log storage space You can query the amount of storage that is occupied by logs on a regular basis. You can also increase the storage capacity or delete the stored logs based on your business requirements.
Integrate WAF logs into a Syslog server To meet regulatory and audit requirements, you can use Python programs to deliver logs from WAF to a Syslog server. This allows you to manage all the related logs in your security operations center.