After you perform log query and analysis by using the Log Service for WAF feature, you can create a dashboard based on the SQL statement. By default, the dashboard contains the chart that is generated based on the SQL statement.

Background information

This practice provides 13 examples of log charts and alert configurations:
  • alerts on an abnormal percentage of 4xx status codes (blocked requests excluded)
  • alerts on an abnormal percentage of 5xx status codes
  • alerts on an abnormal query rate
  • alerts on an abrupt increase in query rate
  • alerts on an abrupt decrease in query rate
  • alerts on requests blocked by HTTP ACL policy in the last five minutes
  • alerts on requests blocked by web application protection in the last five minutes
  • alerts on requests blocked by HTTP flood protection in the last five minutes
  • alerts on requests blocked by anti-scan rules in the last five minutes
  • alerts on the number of attacks from a single source IP address in the last five minutes
  • alerts on the number of domains attacked by a single IP address in the last five minutes
  • alerts on average delay in the last five minutes
  • alerts on an abrupt decrease in query rate from a user

Prerequisites

Procedure

  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region to which your WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
  2. Go to the advanced management page of Log Service for WAF.
    1. In the left-side navigation pane, choose Log Management > Log Service.
    2. In the upper-right corner of the Log Service page, click Advanced Settings.
    3. In the dialog box that appears, click OK.
  3. Create a WAF log analysis dashboard.
    1. In the project list, find the log project that you want to manage, and click the project name.
    2. Enter an SQL statement and click Search & Analyze.
      Note For more information about the SQL statements used to query and analyze logs, see Query statements.
    3. After the query is complete, click Add to New Dashboard on the Graph tab.
    4. In the Add to New Dashboard dialog box, configure the following parameters and click OK.
      Operation: Select Create Dashboard.
      Dashboard Name: Enter a dashboard name.
      Chart Name: Enter a name for the chart that is generated based on the SQL statement.
  4. Configure log charts.
    1. In the upper-right corner of the dashboard, click Edit.
      The dashboard enters the edit mode.
    2. In this mode, you can edit or delete the charts on the dashboard. In addition, you can create a new chart by copying a chart.
      Note You can copy a chart to create a new chart and then edit the copy. A dashboard can hold more than one chart, which lets you display data and configure alerts in various ways.
      • Copy a chart to create a new chart.
        1. Find the chart that you want to copy. Move the pointer over the Actions icon in the upper-right corner of the chart, and click Copy.

          After you copy a chart, an identical chart appears.

        2. Drag the new chart and drop it at an appropriate position on the dashboard.
      • Edit a chart.
        1. Find the chart that you want to edit, move the pointer over the Actions icon in the upper-right corner of the chart, and click Edit.
        2. On the Edit page, modify the chart configurations, such as Chart Name, SQL statements, relative data collection period, and chart type. Then, click OK.
          Note If you have modified the SQL statements, you must click Preview before you click OK. This operation triggers a check of the statement validity. If the SQL statements are invalid, an error message appears, and the OK button becomes unavailable. You can click OK only after you make sure the statements are valid.
      • Delete a chart.

        Find the chart that you want to delete. Move the pointer over the Actions icon in the upper-right corner of the chart, and click Delete.

  5. Configure log alerts.
    1. In the upper-right corner of the dashboard, choose Alerts > Create.
    2. In the Create Alert pane, set the parameters in Alert Configuration, and click Next.
      Alert Name: The name of the alert. The name must be 1 to 64 characters in length.
      Associated Chart: The charts with which the alert is associated.

        The Search Period parameter specifies the time range of log data that WAF reads when you query data. You can select a relative time or a time frame. For example, if you set Search Period to 15 minutes (relative) and start the query at 14:30:06, WAF reads the log data that was written from 14:15:06 to 14:30:06. If you set Search Period to 15 minutes (time frame) and start the query at 14:30:06, WAF reads the log data that was written from 14:15:00 to 14:30:00.

        To associate the alert with more than one chart, click Add and configure the new charts. You can add up to three charts. The number before the chart name is the sequence number of the chart in the alert configuration. You use this sequence number to reference the chart in a conditional expression in the trigger condition.

      Frequency: The time interval at which the server checks log data according to the alert configuration.
        Note Currently, the server samples and checks only the first 100 data entries each time the specified interval arrives.
      Trigger Condition: The conditional expression that determines whether the alert is triggered. When the condition is met, the system sends an alert notification based on the specified Frequency and Notification Interval.

        By default, the charts are numbered from 0. In a trigger condition, $0 refers to the first chart. For example, the trigger condition $0.domainnum>=10 means that an alert is triggered if the domainnum value in the first chart is greater than or equal to 10.

        If two conditions are joined with two consecutive ampersands (&&), both conditions must be met to trigger the alert. If two conditions are joined with two consecutive vertical bars (||), either condition can trigger the alert.

        Note For more syntax of conditional expressions, see Syntax of trigger conditions in alert rules.
      Advanced
      Notification Trigger Threshold: The cumulative number of times that the trigger condition must be met before the server checks the notification interval and sends an alert notification. If the trigger condition is not met during a check, the count does not change.

        The default value of Notification Trigger Threshold is 1. That is, each time the trigger condition is met, the server checks whether the specified notification interval has arrived.

        You can also set this parameter so that the server sends an alert notification only after the trigger condition is met multiple times. For example, if you set this parameter to 100, the server checks whether the notification interval has arrived only after the trigger condition is met 100 times. If the notification trigger threshold is reached and the notification interval has arrived, the server sends an alert notification and then resets the count. If the server fails to check log data due to an exception such as a network failure, the count does not change.

        Note For more information about the metrics used in alert configuration and the recommended thresholds for the metrics, see Common monitoring metrics.
      Notification Interval: The minimum time interval between two alert notifications for the same alert.
        If the trigger condition has been met at least as many times as the notification trigger threshold and the notification interval has arrived, the server sends an alert notification. If you set this parameter to 5 minutes, you receive at most one alert notification every 5 minutes for this alert. The default value is No Interval.
        Note By setting Notification Trigger Threshold and Notification Interval, you can control the number of alert notifications that you receive.
        Note After you specify Notification Trigger Threshold, Notification Interval, and Frequency, the system checks whether the trigger condition is met at the specified frequency and sends a notification when Notification Trigger Threshold is reached within a Notification Interval.
    3. In the Create Alert pane, complete the settings for Notifications, and click Submit.
      Multiple common alert notification methods are supported, such as SMS, Voice, Email, and WebHook-DingTalk Bot. You must select a notification method on the right of Notifications and complete the configuration. You can select and configure multiple notification methods.
      • SMS

        Set Phone Number to receive alerts and the Content of the notification. You can specify variables to be included in the notification. Click View all variables to view the description of each variable.

      • Voice

        Set Phone Number to receive alerts and the Content of the notification.

      • Email

        Set Recipients email addresses, Subject, and Content.

      • WebHook-DingTalk Bot

        Set Request URL to the webhook URL of the DingTalk bot to receive alerts, and specify Content.
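The trigger-condition syntax and the Notification Trigger Threshold / Notification Interval / Frequency semantics described in the alert configuration table above, replayed as an added example (this is not WAF's or Log Service's own code): a small evaluator for conditions such as $0.domainnum>=10 joined by && or ||, and a simulation of the server's check loop that shows when notifications go out, including failed checks that leave the count unchanged. The chart snapshots and column names are constructed for the example.

```python
import operator
import re

# Comparison operators accepted in a trigger-condition term.
_OPS = {">=": operator.ge, "<=": operator.le, "!=": operator.ne,
        "==": operator.eq, ">": operator.gt, "<": operator.lt}
# One term looks like "$0.domainnum>=10": chart index, column, operator, number.
_TERM = re.compile(r"^\$(\d+)\.(\w+)\s*(>=|<=|!=|==|>|<)\s*(-?\d+(?:\.\d+)?)$")


def eval_condition(expr, charts):
    """Evaluate a trigger condition such as '$0.domainnum>=10 && $1.qps>100'.

    charts maps the chart sequence number ($0, $1, ...) to a dict of
    column -> value. Terms joined by && must all hold; terms joined by ||
    need only one to hold (mixing both operators is not handled here).
    """
    def term(text):
        m = _TERM.match(text.strip())
        if not m:
            raise ValueError("unsupported term: %r" % text)
        idx, col, op, num = m.groups()
        return _OPS[op](float(charts[int(idx)][col]), float(num))

    if "&&" in expr and "||" in expr:
        raise ValueError("this example does not mix && and ||")
    if "||" in expr:
        return any(term(t) for t in expr.split("||"))
    return all(term(t) for t in expr.split("&&"))


def simulate_notifications(results, frequency_min, threshold=1, interval_min=0):
    """Replay the server's check loop; return the minutes at which it notifies.

    results holds one entry per check (one check every frequency_min minutes):
    True if the trigger condition was met, False if not, None if the check
    itself failed (e.g. network error), which leaves the count unchanged.
    A notification goes out once the count reaches threshold AND interval_min
    minutes have passed since the last one; the count is then reset.
    interval_min=0 models the default "No Interval".
    """
    count, last_sent, sent = 0, None, []
    for i, met in enumerate(results):
        now = i * frequency_min
        if met is None:
            continue  # failed check: the cumulative count does not change
        if met:
            count += 1
        if count >= threshold and (last_sent is None or now - last_sent >= interval_min):
            sent.append(now)
            last_sent, count = now, 0
    return sent
```

With threshold 3 and a 5-minute interval, a run of checks that keeps meeting the condition yields at most one notification per 5 minutes, which is the rate-limiting effect the two parameters are meant to give.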