Enable the log analysis feature of Cloud Firewall to collect Internet traffic logs, VPC traffic logs, and DNS traffic logs - Simple Log Service

The log analysis feature is a one-stop service provided by Cloud Firewall and Simple Log Service (SLS). It lets you collect, query, analyze, process, and consume traffic logs from protected assets in real time. This helps you monitor and protect your network assets and meet classified protection compliance requirements. This topic describes how to enable the log analysis feature in the Cloud Firewall console to collect traffic logs in SLS.

Prerequisites

You have created the service-linked role for Cloud Firewall, AliyunServiceRoleForCloudFW. For more information, see Authorize Cloud Firewall to access other cloud resources.
If you use a Resource Access Management (RAM) user, you must grant the RAM user the permissions to query and analyze the logs of Cloud Firewall. For more information, see Grant a RAM user the permissions to query and analyze logs.

Limits

The log analysis feature is provided only in the following editions of Cloud Firewall: Premium Edition, Enterprise Edition, Ultimate Edition, and Cloud Firewall that uses the pay-as-you-go billing method.

Enable the log analysis feature

Method 1:

Visit the Cloud Firewall buy page.
Set the Log Analysis parameter to Yes, configure the Log Storage Capacity parameter, click Buy Now, and then complete the payment.
For more information, see Subscription 2.0.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose Log Monitoring > Log Analysis.
Click Enable Now to enable the log analysis feature.

Method 2:

Log on to the Cloud Firewall console.
In the left-side navigation pane, choose Log Monitoring > Log Analysis.
On the Log Analysis page, click Upgrade Now or Enable Now.
Enable the log analysis feature as prompted.
On the Log Analysis page of the Cloud Firewall console, click Log Delivery in the upper-right corner, and turn on the switches for the traffic logs that you want to collect.
The log analysis feature collects all traffic logs of Cloud Firewall in real time.

Related operations

Operation	Description
Disable log delivery	On the Logs tab of the Log Analysis page, click Log Delivery and select the log types that you want to disable. Important Disabling log delivery does not automatically delete the project or the delivered logs. After you disable log delivery, delete the project that was automatically created in the SLS console to avoid incurring unnecessary fees. For more information, see Manage projects.
Modify log storage configurations	For information about how to set the log type, modify the log storage region, modify the storage duration of logs, manage log storage capacity, and delete logs, see Modify log storage configurations. Warning Monitor the usage of your log storage capacity while using the log analysis feature. If the used storage exceeds 70% of the total capacity, promptly upgrade the log storage capacity to ensure that new logs can be stored. After you delete logs from the storage space, the log data cannot be restored. Use this feature with caution.

References

You can query and analyze collected logs in real time to monitor traffic exceptions and protect your assets.
To prevent the issue that new logs cannot be collected due to insufficient log storage, you must monitor the log storage usage. We recommend that you configure notifications for Log Storage Capacity.
How do I reduce the storage occupied by logs?
FAQ about logs
Can I export the traffic logs of Cloud Firewall to a third-party system?

After traffic logs are delivered to SLS, you can query, analyze, download, deliver, and process logs, and create alerts in SLS. For more information, see Common operations on logs of cloud services.