Web Application Firewall (WAF) is integrated with Simple Log Service to provide the WAF logging feature. The feature collects and stores access logs and protection logs of protected objects, such as cloud service instances and domain names, in WAF. You can use this feature to query and analyze logs, configure charts, configure alert rules, and ship logs to downstream services for consumption. This feature allows you to focus more on log analysis.
Assets
We recommend that you do not delete the projects or Logstores that are related to WAF logs. If you delete the projects or Logstores, existing logs are deleted, and new logs cannot be delivered to Simple Log Service.
Subscription WAF instances
If you use a WAF instance that resides in the Chinese mainland, Simple Log Service automatically creates a project named wafng-project-<Alibaba Cloud account ID>-cn-hangzhou and a dedicated Logstore named wafng-logstore after the WAF logging feature is enabled.
If you use a WAF instance that resides outside the Chinese mainland, Simple Log Service automatically creates a project named wafng-project-<Alibaba Cloud account ID>-ap-southeast-1 project and a dedicated Logstore named wafng-logstore after the WAF logging feature is enabled.
ImportantIf you have enabled the pay-by-ingested-data billing mode, Simple Log Service creates a dedicated Logstore that uses the pay-by-ingested-data billing mode by default. If you want to switch the billing mode from pay-by-ingested-data to pay-by-feature, you can modify the configurations of the Logstore. For more information, see Modify the configurations of a Logstore.
Pay-as-you-go WAF instances
If you use a WAF instance that resides in the Chinese mainland, Simple Log Service automatically creates a project named wafnew-project-<Alibaba Cloud account ID>-cn-hangzhou and a dedicated Logstore named wafnew-logstore after the WAF logging feature is enabled.
If you use a WAF instance that resides outside the Chinese mainland, Simple Log Service automatically creates a project named wafnew-project-Alibaba Cloud account ID-ap-southeast-1 project and a dedicated Logstore named wafnew-logstore after the WAF logging feature is enabled.
Billing
Subscription WAF instances
The fees of the WAF logging feature are included in your WAF bills. You are charged based on the log retention period and log storage capacity. For more information, see Billing overview.
Pay-as-you-go WAF instances
The fees of the WAF logging feature are included in your Simple Log Service bills.
If the billing mode of the related Logstore is pay-by-feature, you are charged based on the storage usage, read traffic, number of requests, data transformation, and data shipping after WAF logs are delivered to Simple Log Service. For more information, see Billable items of pay-by-feature.
If the billing method of the related Logstore is pay-by-ingested-data, you are charged for the volume of ingested raw data after WAF logs are delivered to Simple Log Service. For more information, see Billable items of pay-by-ingested-data.
Limits
If you have overdue payments for your Simple Log Service resources, the WAF logging feature becomes unavailable.
You can write only WAF data to the dedicated Logstores. For features such as query, analysis, alerting, and consumption, no limits are imposed.
The available storage capacity of WAF logs must be sufficient. If the log storage capacity is exhausted, new logs cannot be stored.
NoteThe log storage capacity that is displayed in the Simple Log Service console is not updated in real time.
Benefits
Classified protection compliance: The WAF logging feature can retain website access logs for more than six months and help your website meet the requirements for classified protection.
Simple configuration: You need to only perform simple operations to enable the feature to collect access logs and protection logs from the domain name of your website in real time. You can specify a custom log retention period and a custom log storage capacity. You can also select a website for log collection based on your business requirements.
Real-time analysis: The feature provides real-time log analysis and out-of-the-box dashboards. The dashboards provide insights into the attacks and access to your website.
Real-time alerting: The feature supports custom monitoring and alerting for specific metrics in near real time. You can respond to critical business exceptions at the earliest opportunity.
High compatibility: The feature is compatible with solutions such as stream computing, cloud storage, and visualization. You can extract more value from your business data.
Scenarios
Trace web attack logs to identify the source of security threats.
Monitor web requests in real time and view traffic trends.
Obtain information about the efficiency of security operations and handle issues at the earliest opportunity.
Generate and deliver security network logs to self-managed data and computing centers.