Cloud Firewall integrates with Simple Log Service (SLS) to provide log analysis for your protected assets. The log analysis feature lets you collect, query, analyze, transform, and consume traffic logs in real time — all from a dedicated Logstore automatically provisioned for your firewall instance.
Use cases
Log analysis is suited for enterprises that need security compliance, flexible log configuration, and visibility into network traffic.
Compliance audit: Store access logs for more than six months to meet classified protection requirements and respond to log audits.
Security analysis and emergency response: Trace and analyze security incidents, identify threat sources, analyze attack patterns, and block potential attacks.
Data center integration: Export logs to self-managed data centers for centralized log management and analysis.
Performance monitoring: Monitor network performance in real time to identify and diagnose issues, improving service availability and operational efficiency.
Billing
Charges are based on two variables: log storage duration and log storage capacity. Choosing longer retention periods or higher capacity directly increases costs — adjust these settings based on your compliance requirements and expected log volume.
Pay-as-you-go
Fees for the log analysis feature appear in your Simple Log Service bills, not your Cloud Firewall bills.
Subscription
After Cloud Firewall delivers logs to Simple Log Service, SLS does not charge additional fees for the dedicated Logstore itself. Charges apply only if you perform additional operations in the SLS console:
| Operation | Pay-by-feature Logstore | Pay-by-ingested-data Logstore |
|---|---|---|
| Data transformation | Charged | Not charged |
| Data shipping | Charged | Not charged |
| Read traffic over the Internet (stream mode) | Charged | Charged |
For subscription pricing details, see Subscription.
For SLS billing details, see Billable items of pay-by-feature and Billable items of pay-by-ingested-data.
Logstore
After you enable the log analysis feature, Cloud Firewall automatically creates a dedicated project and a dedicated Logstore to store all log data.USD 0.3 per TB per hour
Do not delete the dedicated project or Logstore. Deleted log data cannot be restored. To resume using the feature after deletion, re-enable the log analysis feature.
View the dedicated project and Logstore in the Simple Log Service console.
Limitations
Pay-as-you-go
Only Cloud Firewall logs can be written to the dedicated Logstore.
Subscription
| Limitation | Details |
|---|---|
| Write access | Only Cloud Firewall logs can be written to the dedicated Logstore. Query, analysis, alerting, and consumption have no restrictions. |
| Log storage duration | Cannot be changed in the Simple Log Service console. Change it in the Cloud Firewall console. |
| Overdue payments | If your Simple Log Service account has overdue payments, the log analysis feature stops automatically. Complete overdue payments within the prescribed time limit to restore service. |
| Index fields | Cloud Firewall provides a fixed set of fields that support indexes by default. Custom fields and field modifications are not supported. See Fields that support indexes. |
| Storage capacity | If the log storage capacity is exhausted, new logs cannot be stored. Monitor usage and adjust capacity as needed. |
The log storage usage shown in the Cloud Firewall console is not updated in real time. The displayed value excludes usage from the previous 2 hours.
What's next
Enable the log analysis feature — Start collecting firewall traffic logs.
Query and analyze logs — Specify which log data to collect, query logs, export logs, and change the destination region for log delivery.
Modify log storage configurations — Adjust storage duration, region, capacity, and the log delivery switch.
Export logs — Download logs to your computer or ship them to Object Storage Service (OSS).
Grant a RAM user the permissions to query and analyze logs — Authorize a Resource Access Management (RAM) user to access log analysis.