This topic describes how to use Python Program to integrate Web Application Firewall (WAF) logs into a Syslog server to meet regulatory and audit requirements. This allows you to manage all the related logs in your security operations center.
Background information
Log Service is an end-to-end logging service developed by Alibaba Cloud and is widely used by Alibaba Group in big data scenarios. Log Service allows you to complete the collection, consumption, delivery, query, and analysis of log data without the need for development. This improves the O&M efficiency and the operational efficiency and delivers capabilities of processing a large number of logs in the Data Technology (DT) era. WAF is integrated with Log Service. The Log Service for WAF feature allows you to collect, query, and analyze website access logs. For more information, see Overview.
Python Program is a program running on ECS instances to deliver WAF logs to a Syslog server. The consumer library is an advanced mode provided for LogHub consumers. It uses consumer groups to manage the consumption end. Compared with the mode in which data is read by using SDKs, the consumer library enables you to focus only on the business logic. You do not need to concern about the implementation details of Log Service or the fault tolerance among multiple consumers. For more information, see Use consumer groups to consume logs.
The Syslog server centrally manages log messages. It can receive data from multiple Syslog sources.
Prerequisites
- Log Service for WAF is enabled. The log collection feature is enabled for your domain name. For more information, see Get started with the Log Service for WAF feature.
- A Linux ECS instance with the following recommended configurations is deployed:
- Ubuntu operating system
- 2.0 GHz processor or above, with eight cores
- 32 GB of memory
- Available disk space greater than 2 GB (More than 10 GB of available disk space is recommended.)
- A Syslog server is deployed, and the UDP port 514 is enabled on the server to receive Syslog data.
Procedure
Install Log Service SDK for Python on your ECS instance and configure Python Program to deliver WAF logs to the Syslog server. Perform the following steps:
- Replace Log Service and Syslog parameters in Python Program. The following table describes
the parameters.
Parameter Meaning Description SLS Project Log project name A project is the basic unit to isolate and control resources in Log Service. You can log on to the Log Service console to view the log projects of WAF.
The name of a WAF log project starts with
waf-project. Projects that reside in the China (Hangzhou) region are the log projects of WAF instances in the Chinese mainland. Projects that reside in the Singapore region are the log projects of WAF instances outside the Chinese mainland.
SLS Endpoint Log Service endpoint The Log Service endpoint is a URL used to access a project and logs in the project. The endpoint varies based on the Alibaba Cloud region where the project resides and the project name. To view the URL, see Endpoints. SLS Logstore Logstore A Logstore is a unit in Log Service to collect, store, and query log data. Each Logstore belongs to a single project. Each project can have multiple Logstores. You can log on to the Log Service console and click a WAF log project to view the Logstore name.
SLS AccessKey ID and AccessKey Secret AccessKey pair An AccessKey pair consists of an AccessKey ID and an AccessKey secret and is designed to access your cloud resources by using APIs instead of the console. You can use the AccessKey pair to sign API requests so that the requests can pass the security authentication in Log Service. For more information, see AccessKey. You can log on to the User Management console to view the information of your AccessKey pair.
Syslog Host Syslog host The IP address or hostname of the Syslog server. Syslog Port Syslog port The port used to receive Syslog data. The UDP port 514 and the TCP port 1468 are supported. Syslog protocol Syslog protocol The UDP or TCP protocol that is used to receive Syslog data. The parameter value varies based on the configurations of the Syslog server. Syslog separator Syslog delimiter The delimiter used to separate Syslog key-value pairs. The following code provides an example of how to configure Python Program:- Log Service configurations
endpoint = os.environ.get('SLS_ENDPOINT', 'http://ap-southeast-1.log.aliyuncs.com') accessKeyId = os.environ.get('SLS_AK_ID', 'Your AccessKey ID') accessKey = os.environ.get('SLS_AK_KEY', 'Your AccessKey secret') project = os.environ.get('SLS_PROJECT', 'waf-project-548613414276****-ap-southeast-1') logstore = os.environ.get('SLS_LOGSTORE', 'waf-logstore') consumer_group = os.environ.get('SLS_CG', 'WAF-SLS') - Syslog configurations
settings = { "host": "1.2.xx.xx", "port": 514, "protocol": "udp", "sep": ",", "cert_path": None, "timeout": 120, "facility": syslogclient.FAC_USER, "severity": syslogclient.SEV_INFO, "hostname": None, "tag": None }
- Log Service configurations
You can query WAF logs in the Syslog server.