After you enable log collection for the domain names that are protected by Web Application
Firewall (WAF), you can query and analyze the logs of the domain names on the Log
Service page in the WAF console. This topic describes how to query and analyze logs
on the Log Service page.
Prerequisites
Log collection is enabled for the domain names that are protected by WAF. For more
information, see Enable log collection.
WAF collects the logs of a domain name only after log collection is enabled for that
domain name. You can query and analyze only the logs that WAF has collected.
Procedure
- Log on to the Web Application Firewall console.
- In the top navigation bar, select the resource group and region to which the WAF instance
belongs. The region can be Mainland China or International.
- In the left-side navigation pane, choose .
- In the upper section of the Log Service page, select the domain name that you want to manage.
Notice: Make sure that log collection is enabled for the domain name. Otherwise, WAF does
not collect the logs of the domain name, and you cannot query or analyze the logs
of the domain name. To enable log collection, turn on Status.

- On the Log Query tab, query and analyze the logs of the selected domain name.

To query and analyze the logs, perform the following steps:
- Specify the query time range by using the time selector.
- Enter a query statement in the search box.
Query statements use the syntax that is specific to Alibaba Cloud Log Service. For
more information about the syntax, see Search syntax. The log fields that are included
in WAF logs are used as query fields in the query statements. For more information
about the log fields that are supported by WAF, see Log fields supported by WAF.
If you do not know the query syntax, we recommend that you use Advanced Search. You
only need to expand Advanced Search above the search box, specify search conditions,
and click Search. The query statement is automatically generated based on the search
conditions in the search box.

The following table describes the search conditions that are supported by Advanced
Search.
| Search condition | Description |
| --- | --- |
| IP | The IP address of the client that sends the request. |
| Trace ID | The unique ID that is generated by WAF for each request. This ID is provided when WAF returns an error page or a response page that prompts the client to complete slider CAPTCHA verification to the client. You can use this ID to analyze and troubleshoot the error. |
| Rule ID | The ID of the WAF protection rule that is matched by the request. You can obtain the ID on the Security Report page or by choosing . |
| Server Response Code | The HTTP status code that is sent by the origin server as a response to the request forwarded by WAF. |
| Status Code Returned by WAF | The HTTP status code that is sent by WAF as a response to the request sent by the client. |
| Protection Features | The type of the WAF protection rule that is matched by the request. For more information about WAF protection rules and their configuration methods, see Overview. |
- If you want to compute and analyze the query results, you must enter an analytic statement
following the search statement in the search box. Otherwise, skip this step.
Analytic statements and search statements are separated by vertical bars (|). The
analytic statements use the standard SQL-92 syntax. For more information about the
analytic statements, see Log analysis overview.
- Click the Search & Analysis button.
In the lower section of the page, the query result is displayed in a log distribution
histogram and on the Raw Logs and Graph tabs. You can use the query result to perform
additional operations, such as quick analysis, statistical analysis, and alert
configuration. For more information, see Manage the query results.
For examples of log query and analysis, see Query logs.
- On the Log Analysis tab, view the dashboards that are preconfigured by WAF based on log data.
The dashboards provide a series of charts that are generated based on log data. This
way, you can directly view the service and security data of your website. WAF provides
the following three preconfigured dashboards:
- Operation Center: displays the service operations metrics of your website, including the request trend
and overview of attacks.
- Access Center: displays the access information of your website, such as the access metrics, client
distribution, traffic, and performance.
- Security Center: displays the attack information of your website, such as attack metrics, attack
trends, and attack source distribution.
You only need to specify the query time range to search for specific dashboards. You
can also subscribe to dashboards to receive dashboard data by using different methods,
such as emails or DingTalk messages. For more information about the chart data that
is displayed on dashboards and how to subscribe to dashboards, see View dashboards.
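
The query statement format described in the Log Query steps (search conditions, then a vertical bar, then an SQL-92 analytic statement) can also be assembled outside the console, for example in a triage script that pastes the result into the search box. The following Python code is an added example, not part of the WAF documentation or console: `build_query` is a hypothetical helper, and the field names in `FIELDS` are assumptions that must be checked against Log fields supported by WAF.

```python
import ipaddress

# Assumed mapping of Advanced Search conditions to WAF log field names.
# Verify each name against "Log fields supported by WAF" before use.
FIELDS = {
    "IP": "real_client_ip",
    "Trace ID": "request_traceid",
    "Rule ID": "final_rule_id",
    "Server Response Code": "upstream_status",
    "Status Code Returned by WAF": "status",
    "Protection Features": "final_plugin",
}
STATUS_CONDITIONS = {"Server Response Code", "Status Code Returned by WAF"}


def _term(condition, value):
    """Return one validated `field: value` search term."""
    field = FIELDS[condition]  # KeyError for an unsupported condition
    value = str(value).strip()
    if condition == "IP":
        # Raises ValueError unless the value is a literal IPv4/IPv6 address.
        return f'{field}: "{ipaddress.ip_address(value)}"'
    if condition in STATUS_CONDITIONS:
        if not (value.isascii() and value.isdigit() and 100 <= int(value) <= 599):
            raise ValueError(f"not an HTTP status code: {value!r}")
        return f"{field}: {int(value)}"
    # Free-text values: refuse characters that could close the quoted term
    # or start an analytic statement, instead of trying to escape them.
    if not value or any(c in value for c in '"|\\\r\n'):
        raise ValueError(f"unsafe value for {condition}: {value!r}")
    return f'{field}: "{value}"'


def build_query(conditions, analytic=None):
    """Join search terms with `and`; append `| <analytic>` when given."""
    search = " and ".join(_term(c, v) for c, v in conditions.items()) or "*"
    return f"{search} | {analytic.strip()}" if analytic else search


# Constructed sample: top rules matched for one client where WAF returned 405.
SAMPLE = build_query(
    {"IP": "203.0.113.7", "Status Code Returned by WAF": 405},
    "SELECT final_rule_id, count(*) AS hits GROUP BY final_rule_id "
    "ORDER BY hits DESC LIMIT 10",
)
```

Values copied from tickets or error pages, such as a Trace ID, are rejected if they contain a quote, backslash, line break, or vertical bar, so they cannot change the shape of the statement.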
Related operations
A RAM user can use the query and analysis feature of WAF only after the permissions
required for Log Service for WAF are granted to the RAM user. For more information,
see Grant log query and analysis permissions to a RAM user.
For more information about how to perform query and analysis, see Query logs.
For more information about how to modify the settings of WAF logs, such as storage
rules and storage capacity, see Modify log settings.