After you enable the log analysis feature, if the default log storage configurations of the feature do not meet your business requirements, you can modify the configurations. The configurations include the collected log type, storage region, and storage duration. This way, you can make sure that the configurations of the log analysis feature meet your business requirements.
Prerequisites
The log analysis feature of Cloud Firewall is enabled. For more information, see Overview.
Configure collected log types
The log analysis feature collects traffic logs of your assets, retrieves and analyzes the collected logs in real time, and displays the results on a dashboard. This allows you to quickly analyze the access patterns and potential attacks of the assets and take effective attack prevention measures.
Supported log types
Cloud Firewall can collect the following types of traffic logs:
Internet traffic logs
Attack event logs: logs of traffic that hits intrusion prevention rules created for the Internet firewall.
Access control logs: logs of traffic that hits access control policies created for the Internet firewall.
Other traffic logs: logs of other traffic that passes through the Internet firewall.
VPC traffic logs
Attack event logs: logs of traffic that hits intrusion prevention rules created for virtual private cloud (VPC) firewalls.
Access control logs: logs of traffic that hits access control policies created for VPC firewalls.
Other traffic logs: logs of other traffic that passes through VPC firewalls.
DNS traffic logs: logs of all traffic that passes through Domain Name System (DNS) firewalls.
IPv6 traffic logs: logs of traffic that hits IPv6 access control policies created for the Internet firewall.
NAT traffic logs: logs of all traffic that passes through NAT firewalls.
By default, the switches of all log types are turned on. You can turn off the switches based on your business requirements.
If you turn off the switch of a specific log type, Cloud Firewall no longer collects logs of the type. The project dedicated to the logs and the delivered logs are not automatically deleted.
Turn on or turn off a log delivery switch
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
In the upper-right corner of the page, click Log Delivery to turn on or turn off the switch of a specific log type.
Change the log storage region
By default, logs collected by the log analysis feature are stored in the Singapore region. If your services are not deployed in the Singapore region, issues such as additional costs for cross-region log delivery and data connection failures may occur. To avoid such issues, you can change the log storage region to the region where your services are deployed or a region close to the region where your services are deployed.
Before you change the log storage region, take note of the following items:
After you change the region in Cloud Firewall that uses the subscription billing method, the original logs are lost. Back up the logs before you change the region. The original Logstore is not deleted after you change the region in Cloud Firewall that uses the pay-as-you-go billing method. Retain or delete the original Logstore based on your business requirements.
The change requires approximately 5 minutes to 10 minutes to complete. Do not perform log-related operations during the change.
Logs that are generated during the change are not delivered or stored. We recommend that you perform the change during off-peak hours.
If a timeout error occurs during the change, refresh the page after 5 minutes to 10 minutes and check whether the change is complete. If the issue persists, submit a ticket.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
In the upper-right corner of the page, click Region for Log Delivery to change the region to which logs are delivered.
Change the log storage duration
By default, logs are stored for 180 days. Logs that are stored longer than the log storage duration are automatically deleted and cannot be restored. You can change the log storage duration based on the log storage capacity and your business requirements. You can set the log storage duration to 7 days to 730 days. If you use Cloud Firewall that uses the pay-as-you-go billing method and you want to restore a larger amount of logs, you can modify the log storage duration in the Simple Log Service console.
If the log storage capacity is exhausted, new logs are no longer collected. We recommend that you specify an appropriate log storage duration and monitor the log storage usage on a regular basis.
After you change the log storage duration, Cloud Firewall stores logs only within the new log storage duration and automatically deletes logs that are stored longer than the log storage duration. The logs are automatically deleted in 1 hour to 2 hours.
For example, if you change the log storage duration from 180 days to 30 days, logs that are stored for more than 30 days are automatically deleted after the change takes effect.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
In the upper-right corner of the page, click Log Storage Period. In the dialog box that appears, specify a value and click Save.
Manage log storage capacity
No limits are imposed on log storage capacity for Cloud Firewall that uses the pay-as-you-go billing method.
If the log storage capacity is exhausted, new logs cannot be written to the dedicated Logstore and the log data is incomplete. To avoid this issue, we recommend that you monitor the usage of log storage on a regular basis.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
In the upper-right corner of the Logs tab, view the log storage usage.
The log storage usage that is displayed is not updated in real time and is delayed for 2 hours. We recommend that you increase the log storage capacity or delete logs to release the used storage before the capacity is exhausted.
Optional. If the capacity is about to be exhausted, increase the log storage capacity or delete existing logs to release the used storage.
WarningYou cannot restore logs after the logs are deleted. Proceed with caution.
Increase the log storage capacity: In the upper-right corner of the Logs tab, click Upgrade Storage. On the page that appears, specify a larger log storage capacity and complete the payment.
NoteThe fee for additional log storage capacity is USD 80 per 1,000 GB-month. The subscription duration of the log storage capacity varies based on the subscription duration of Cloud Firewall. You cannot modify the subscription duration.
Delete existing logs: In the upper-right corner of the Logs tab, click Delete All Logs. In the dialog box that appears, click OK. The deletion requires approximately 1 hour to 2 hours to complete.
NoteAfter you enable the log analysis feature, you can clear the log storage four times. Each time you renew your subscription to Cloud Firewall, the quota to clear the log storage is reset to four times.
What to do next
You can query and analyze collected logs in real time to monitor traffic exceptions and protect your assets. For more information, see Query and analyze logs.
To prevent the issue that new logs cannot be collected due to insufficient log storage, you must monitor the log storage usage. We recommend that you configure notifications for Log Storage Capacity. For more information, see Configure notifications.
Can I export the traffic logs of Cloud Firewall to a third-party system?