To deliver the hybrid cloud logs of Web Application Firewall (WAF) to a syslog or Kafka platform, use the external delivery feature. After logs are delivered, you can use them to meet log O&M requirements, explore the value of the data, and improve the efficiency of service operations. This topic describes how to configure external delivery settings for hybrid cloud logs.
Prerequisites
A subscription WAF instance that runs the Enterprise or Ultimate edition and supports the hybrid cloud mode is purchased, and the Simple Log Service for WAF feature is enabled for the instance.
The domain name whose logs you want to deliver is added as a protected object. Make sure that this prerequisite is met if the domain name is added to WAF in hybrid cloud - SDK integration mode. For more information, see Configure protected objects and protected object groups.
The image of hybrid cloud WAF is upgraded to the latest version.
Configure external delivery settings for hybrid cloud logs
In a hybrid cloud environment, logs may be generated by different cloud services and on-premises facilities. You can use the external delivery feature to send logs from different sources to your log management platform for centralized monitoring, analysis, and management. WAF allows you to deliver hybrid cloud logs to a syslog or Kafka platform. The following sections describe how to configure the related settings for your protected objects.
Manage log delivery configurations
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose . In the upper-right corner of the page that appears, click Log Configuration. By default, the Default Field Settings tab appears.
On the Default Field Settings tab, configure default settings for fields that you want to deliver. The fields in all logs are delivered. For more information about log fields, see Log fields.
On the Log Configuration page, click the Delivery Settings tab.
In the upper-right corner, click . The Delivery Configurations panel appears. In this panel, you can create, modify, and delete log delivery configurations. The first time you configure external delivery settings for hybrid cloud logs, you can click Configure External Delivery. Then, configure the parameters and click OK. The following table describes the parameters. You can create multiple log delivery configurations to meet requirements in different scenarios. You can also apply the same log delivery configuration to different protected objects for centralized log management.
Important: If you apply a log delivery configuration to a hybrid cloud protected object and turn on the switch in the Status of External Delivery column, you cannot directly delete the configuration. To delete the configuration, disable the external delivery feature and try again.
| Type | Parameter | Description |
| --- | --- | --- |
| SYSLOG | Configuration Item | The name of the log delivery configuration. The name must be 1 to 100 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-). Note: You cannot change the name after the configuration is created. |
| SYSLOG | Server IP Address/Port | The IP address and port of the syslog server that receives logs. |
| SYSLOG | RFC | The Request for Comments (RFC) document that defines the syslog protocol. |
| SYSLOG | Protocol | The type of the transport layer protocol. Valid values: TCP and UDP. |
| KAFKA | Configuration Item | The name of the log delivery configuration. The name must be 1 to 100 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-). Note: You cannot change the name after the configuration is created. |
| KAFKA | Topic ID/Name | The ID or name of the topic that you want to use. |
| KAFKA | Domain Name | The domain name whose logs you want to deliver. Make sure that the domain name is reachable. |
| KAFKA | Protocol | PLAINTEXT. Scenario: Data encryption or authentication is not required. SASL_PLAINTEXT. Scenario: Data encryption is not required, but authentication is required. SASL_SSL. Scenario: Data encryption and authentication are required. |
| KAFKA | Compression Type | The compression type of the logs that you want to deliver. Valid values: none, gzip, zstd, lz4, and snappy. |
| KAFKA | Custom CA | The custom Certificate Authority (CA) certificate that you want to use. |
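The following pre-check is an added example, not part of the WAF product or its API. It reviews a planned delivery configuration against the constraints in the table above and flags transport choices that send logs without encryption or authentication. The dictionary keys (type, name, server, protocol, compression) and the function name are hypothetical names chosen for this example.

```python
import ipaddress
import re

# Constraints copied from the parameter table above.
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,100}")
SYSLOG_TRANSPORTS = {"TCP", "UDP"}
KAFKA_PROTOCOLS = {"PLAINTEXT", "SASL_PLAINTEXT", "SASL_SSL"}
KAFKA_COMPRESSION = {"none", "gzip", "zstd", "lz4", "snappy"}


def review_delivery_config(cfg):
    """Return (errors, warnings); cfg keys are hypothetical, not WAF API fields."""
    errors, warnings = [], []
    if not NAME_RE.fullmatch(cfg.get("name", "")):
        errors.append("name: 1-100 chars of letters, digits, '.', '_', '-'")
    kind, proto = cfg.get("type"), cfg.get("protocol")
    if kind == "SYSLOG":
        host, _, port = cfg.get("server", "").rpartition(":")
        try:
            ipaddress.ip_address(host.strip("[]"))  # accepts IPv4 and [IPv6]
        except ValueError:
            errors.append("server: not an IP address")
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            errors.append("server: port must be 1-65535")
        if proto not in SYSLOG_TRANSPORTS:
            errors.append("protocol: must be TCP or UDP")
        else:
            warnings.append("syslog over TCP/UDP is not encrypted in transit")
            if proto == "UDP":
                warnings.append("UDP gives no delivery guarantee")
    elif kind == "KAFKA":
        if proto not in KAFKA_PROTOCOLS:
            errors.append("protocol: unknown Kafka protocol")
        elif proto == "PLAINTEXT":
            warnings.append("no encryption and no authentication")
        elif proto == "SASL_PLAINTEXT":
            warnings.append("authenticated, but logs are not encrypted")
        if cfg.get("compression", "none") not in KAFKA_COMPRESSION:
            errors.append("compression: unsupported type")
    else:
        errors.append("type: must be SYSLOG or KAFKA")
    return errors, warnings


# Constructed sample input (address and name are made up for illustration).
SAMPLE = {"type": "SYSLOG", "name": "waf-hybrid.siem_01",
          "server": "10.0.0.5:514", "protocol": "UDP"}
if __name__ == "__main__":
    print(review_delivery_config(SAMPLE))
```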
Enable or disable the external delivery feature
After you create a log delivery configuration, go back to the Delivery Settings page. On the page, find the protected object that you want to manage and click the icon in the Status of External Delivery column to enable the external delivery feature.
If you want to view logs after you configure the related settings, log on to your syslog or Kafka platform to query and analyze logs in real time.
If you want to disable the external delivery feature, go back to the Delivery Settings page. On the page, find the protected object that you want to manage and disable the feature.
After you enable the external delivery feature, only new logs are delivered. Historical logs are not delivered.
If you want to enable or disable the external delivery feature for multiple protected objects at a time, select the protected objects in the list of protected objects, click Batch Manage below the list, and then select Enable External Delivery or Disable External Delivery. Note that a batch operation applies the same log delivery configuration to all of the protected objects that you select.
If you want to change the log delivery configuration of a protected object, disable the external delivery feature for the protected object and then re-enable the feature. This way, you can select a different log delivery configuration.
Configure log fields for external delivery
If you want to use the same field settings for all log delivery tasks, configure default field settings. For more information, see Configure log fields to be delivered.
If you want to use different field settings for specific protected objects, click Field Settings in the Field of External Delivery column of the protected objects and configure custom settings. For more information, see Log fields.