You can use CloudMonitor to configure monitoring and alerting for WAF metrics and for attacks launched against websites that are added to WAF. This topic describes how to use CloudMonitor to configure monitoring and alerting for WAF.
Prerequisites
Create an alert contact or alert contact group
Configure monitoring and alerting for attack events
Configure monitoring and alerting for WAF metrics
Configure monitoring and alerting for custom metrics
You can use Log Service to configure monitoring and alerting for custom metrics. For more information, see Use Log Service to configure monitoring and alerting.
Attack events that can be monitored by CloudMonitor
CloudMonitor allows you to configure monitoring and alerting for web attacks, HTTP flood attacks, scan attacks, and unauthorized access control events on domain names that are added to WAF. You can select the notification method by which you want to receive alerts based on the severity level of events. The notification methods include text messages, emails, DingTalk, and the alert callback feature. For more information, see Configure monitoring and alerting for attack events.
Event type | Event name | Event description | Event status | Event level |
---|---|---|---|---|
Attack | waf_event_aclattack | An unauthorized access control event occurs. | acl | Critical |
Exceed | waf_event_bandwidth_exceed | The bandwidth exceeds the threshold. | overrun | Critical |
Attack | waf_event_ccattack | An HTTP flood attack occurs. | cc | Critical |
Exceed | waf_event_qps_exceed | The number of queries per second (QPS) exceeds the threshold. | overrun | Critical |
Attack | waf_event_webattack | A web attack occurs. | web | Critical |
Attack | waf_event_webscan | A web scan attack occurs. | webscan | Critical |
WAF service metrics that can be monitored by CloudMonitor
CloudMonitor allows you to configure monitoring and alerting for WAF service metrics of domain names that are added to WAF. You can specify the method that you want to use to identify exceptions on the metrics and select a notification method, such as text messages, emails, DingTalk, or the alert callback feature. For more information about how to configure monitoring and alerting for WAF service metrics, see Configure monitoring and alerting for WAF metrics.
Metric | Dimension | Description | Remarks |
---|---|---|---|
4XX_ratio | Domain | The percentage of the HTTP 4xx status codes that are returned per minute. The value does not include the percentage of HTTP 405 status codes that are returned. | The value is displayed as a decimal number. |
5XX_ratio | Domain | The percentage of the HTTP 5xx status codes that are returned per minute. | The value is displayed as a decimal number. |
acl_blocks_5m | Domain | The number of requests that are blocked by access control policies in the previous 5 minutes. | None. |
acl_rate_5m | Domain | The percentage of requests that are blocked by access control policies in the previous 5 minutes. | The value is displayed as a decimal number. |
cc_blocks_5m | Domain | The number of requests that are blocked by HTTP flood protection in the previous 5 minutes. | None. |
cc_rate_5m | Domain | The percentage of requests that are blocked by HTTP flood protection in the previous 5 minutes. | The value is displayed as a decimal number. |
waf_blocks_5m | Domain | The number of requests that are blocked by web attack protection in the previous 5 minutes. | None. |
waf_rate_5m | Domain | The percentage of requests that are blocked by web attack protection in the previous 5 minutes. | The value is displayed as a decimal number. |
QPS | Domain | The number of queries per second. | None. |
qps_ratio | Domain | The minute-granularity growth rate of QPS. | The value is displayed as a percentage. |
qps_ratio_down | Domain | The minute-granularity decrease rate of QPS. | The value is displayed as a percentage. |
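The Remarks column mixes units: the block and status-code ratios are decimal numbers while qps_ratio and qps_ratio_down are percentages, so a threshold written in the wrong unit never fires or always fires. The following is an added example, not CloudMonitor or WAF code: it evaluates datapoints locally after normalizing units. The rule format, thresholds, function names and sample values are assumptions, as is reading "decimal number" as a fraction of 1 (0.05 for 5%).

```python
from collections import defaultdict

# Metrics whose Remarks column says "decimal number" (assumed: fraction of 1).
FRACTION = {"4XX_ratio", "5XX_ratio", "acl_rate_5m", "cc_rate_5m", "waf_rate_5m"}

def to_percent(metric, value):
    """Scale fraction metrics to percent; percentages and counts pass through."""
    return value * 100.0 if metric in FRACTION else value

# Hypothetical rules: metric -> (threshold, consecutive datapoints required).
RULES = {
    "5XX_ratio": (5.0, 3),      # percent
    "cc_rate_5m": (20.0, 2),    # percent
    "qps_ratio": (200.0, 2),    # percent
    "waf_blocks_5m": (500, 1),  # request count
}

def evaluate(datapoints, rules=RULES):
    """Return sorted (domain, metric) pairs whose rule fired.

    datapoints: iterable of (domain, metric, value) in time order.
    A rule fires when the normalized value exceeds its threshold for the
    required number of consecutive datapoints; a dip resets the streak.
    """
    streak, fired = defaultdict(int), set()
    for domain, metric, value in datapoints:
        if metric not in rules:
            continue
        threshold, needed = rules[metric]
        key = (domain, metric)
        if to_percent(metric, value) > threshold:
            streak[key] += 1
            if streak[key] >= needed:
                fired.add(key)
        else:
            streak[key] = 0
    return sorted(fired)

SAMPLES = [  # constructed datapoints, not real WAF output
    ("shop.example.com", "5XX_ratio", 0.06),
    ("shop.example.com", "5XX_ratio", 0.08),
    ("shop.example.com", "5XX_ratio", 0.07),
    ("shop.example.com", "qps_ratio", 250.0),
    ("shop.example.com", "qps_ratio", 40.0),   # dip resets the streak
    ("shop.example.com", "qps_ratio", 300.0),
    ("api.example.com", "cc_rate_5m", 0.25),
    ("api.example.com", "cc_rate_5m", 0.31),
]

if __name__ == "__main__":
    print(evaluate(SAMPLES))
```

Requiring consecutive datapoints keeps a single-minute QPS spike from paging anyone, while the sustained 5XX and HTTP flood block rates still fire.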