After you enable log collection for the domain names that are protected by Web Application Firewall (WAF), you can query and analyze the logs of the domain names on the Log Service page in the WAF console. This topic describes how to query and analyze logs on the Log Service page.

Prerequisites

Log collection is enabled for the domain names that are protected by WAF. For more information, see Step 2: Enable the log collection feature.

WAF collects the logs of the domain names only after log collection is enabled for the domain names. This way, you can query and analyze the logs of the domain names.

Procedure

  1. Log on to the WAF console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, choose Log Management > Log Service.
  4. In the upper section of the Log Service page, select the domain name that you want to manage.
    Notice Make sure that log collection is enabled for the domain name. Otherwise, WAF does not collect the logs of the domain name, and you cannot query or analyze the logs of the domain name. To enable log collection, turn on Status.
    Domain name
  5. On the Log Query tab, query and analyze the logs of the selected domain name. Query and analysis steps
    To query and analyze the logs, perform the following steps:
    1. Specify the query time range by using the time selector.
    2. Enter a query statement in the search box.
      Query statements use the syntax that is specific to Alibaba Cloud Log Service. For more information about the syntax, see Search syntax. The log fields that are included in WAF logs are used as query fields in the query statements. For more information about the log fields that are supported by WAF, see Log fields supported by WAF.
      If you do not know the query syntax, we recommend that you use Advanced Search. You need only to expand Advanced Search above the search box, specify search conditions, and click Search. The query statement is automatically generated based on the search conditions in the search box. Advanced SearchThe following table describes the search conditions that are supported by Advanced Search.
      Search condition Description
      IP The IP address of the client that sends the request.
      Trace ID The unique ID that is generated by WAF for each request. This ID is provided when WAF returns an error page or a response page that prompts the client to complete slider CAPTCHA verification to the client. You can use this ID to analyze and troubleshoot the error.
      Rule ID The ID of the WAF protection rule that is matched by the request. You can obtain the ID on the Security Report page or by choosing System Management > Protection Rule Group.
      Server Response Code The HTTP status code that is sent by the origin server as a response to the request forwarded by WAF.
      Status Code Returned by WAF The HTTP status code that is sent by WAF as a response to the request sent by the client.
      Protection Features The type of the WAF protection rule that is matched by the request. For more information about WAF protection rules and their configuration methods, see Overview.
    3. If you want to compute and analyze the query results, you must enter an analytic statement following the search statement in the search box. Otherwise, skip this step.
      Analytic statements and search statements are separated by vertical bars (|). The analytic statements use the standard SQL-92 syntax. For more information about the analytic statements, see Log analysis overview.
    4. Click the Search & Analysis button.
      In the lower section of the page, the query result is displayed in a log distribution histogram and on the Raw Logs and Graph tabs. You can use the query result to perform additional operations, such as quick analysis, statistical analysis, and alert configuration. For more information, see Manage query and analysis results.
    For more information about the examples of log query and analysis, see Query logs.
  6. On the Log Analysis tab, view the dashboards that are preconfigured by WAF based on log data.
    The dashboards provide a series of charts that are generated based on log data. This way, you can directly view the service and security data of your website. WAF provides the following three preconfigured dashboards:
    • Operation Center: displays the service operations metrics of your website, including the request trend and overview of attacks.
    • Access Center: displays the access information of your website, such as the access metrics, client distribution, traffic, and performance.
    • Security Center: displays the attack information of your website, such as attack metrics, attack trends, and attack source distribution.

    You need only to specify the query time range to search for specific dashboards. You can also subscribe to dashboards to receive dashboard data by using different methods, such as emails or DingTalk messages. For more information about the chart data that is displayed on dashboards and how to subscribe to dashboards, see View dashboards.

Related operations

A RAM user can use the query and analysis feature of WAF only after the permissions required for Log Service for WAF are granted to the RAM user. For more information, see Grant log query and analysis permissions to a RAM user.

For more information about how to perform query and analysis, see Query logs.

For more information about how to modify the settings of WAF logs, such as storage rules and storage capacity, see Modify log settings.