Web Application Firewall: Configure log fields to be delivered and delivery status

Last Updated: Dec 16, 2024

In Web Application Firewall (WAF), after you enable the Simple Log Service for WAF feature, you can retain the default settings of log fields to be delivered or configure log fields to be delivered for specific protected objects based on your business requirements. You can manage and configure log fields for different protected objects in a centralized manner.

Default Field Settings tab

The default field settings apply to every protected object and every log delivery task that does not have its own settings. To configure them, log on to the WAF console. In the left-side navigation pane, choose Detection and Response > Log Service. On the page that appears, click Log Configuration in the upper-right corner. On the Default Field Settings tab of the page that appears, configure the following parameters.

Parameter

Description

Required Fields

Required fields are always included in WAF logs. You cannot modify the required fields. For more information, see Required fields.

Optional Fields

Optional fields are included in WAF logs based on your settings. WAF logs include the optional fields that you enable. For more information, see Optional fields.

Note

The storage usage of WAF logs increases with the number of optional fields that you enable. If you have sufficient log storage capacity, we recommend that you enable more optional fields to analyze logs in a more comprehensive manner.

Log Type

In the Log Type section, you can select one or more log types and specify a sampling ratio for each. The sampling ratio is the percentage of generated logs of that type that WAF collects for storage and analysis. After you select a log type, you can set its sampling ratio to a value from 1% to 100%. A ratio below 100% means that some requests of that type are never recorded, so keep the ratio at 100% for any log type that you rely on as evidence during incident response. The following list describes the log types that you can select:

  • Normal Request Logs: Only normal requests are recorded.

  • Detection Logs: Requests that match protection rules and on which the Monitor, JavaScript Validation, Slider CAPTCHA, Strict Slider CAPTCHA Verification, Add Tag, and Dynamic Token-based Authentication actions are performed are recorded.

  • Block Log: Only attack requests that are blocked by WAF are recorded. If you are concerned about security events and want to prevent less important logs from occupying log storage, we recommend that you select this value.

Note

If you want to perform comprehensive audit and in-depth analysis, select all log types to record full logs.

After you complete the default field settings, click Save. If the message The operation is successful. appears, the settings take effect globally. To modify the settings later, go back to the Default Field Settings tab.

Delivery Settings tab

You can configure log fields and log types separately for each protected object. Settings that you configure for a protected object take precedence over the default field settings. If you purchase a subscription WAF 3.0 instance of the Enterprise or Ultimate edition and add web services in hybrid cloud mode, you can also deliver the logs of the protected objects that are created for those web services to a Kafka or syslog platform. Protected objects of this type are referred to as hybrid cloud protected objects.

Status of Delivery to Simple Log Service column

You can enable or disable log delivery to Simple Log Service for a protected object.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of your WAF instance. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Detection and Response > Log Service.

  3. In the upper-right corner of the Log Service page, click Log Configuration. On the page that appears, click the Delivery Settings tab, find the protected object that you want to manage, and then turn on the switch in the Status of Delivery to Simple Log Service column. When the switch is on, log delivery is enabled.

Note

You can manage delivery status for multiple protected objects at a time. For example, you can select multiple protected objects in the list of protected objects, click Batch Manage below the list, and then select Enable Delivery to Simple Log Service or Disable Delivery to Simple Log Service.

Field of Delivery to Simple Log Service column

You can configure the log fields to be delivered to Simple Log Service. In the left-side navigation pane of the WAF console, choose Detection and Response > Log Service. On the page that appears, click Log Configuration in the upper-right corner. On the Delivery Settings tab of the page that appears, find the protected object that you want to manage and click Field Settings in the Field of Delivery to Simple Log Service column. Then, configure the parameters in the Fields dialog box. After you complete the field settings, click OK. If the message The operation is successful. appears, the settings take effect on the protected object.

Status of External Delivery column

Important

Only hybrid cloud protected objects support external delivery.

Before you can use external delivery, you must create an external delivery configuration. In the left-side navigation pane of the WAF console, choose Detection and Response > Log Service. On the page that appears, click Log Configuration. On the Delivery Settings tab of the page that appears, click Delivery Configurations. In the panel that appears, view existing external delivery configurations. If the existing configurations do not meet your requirements, click Configure External Delivery to create a configuration. In the dialog box that appears, select a configuration type and configure other parameters based on the following table.

Type: SYSLOG

Parameter

Description

Type

Select SYSLOG.

Configuration Item

Enter a name for the external delivery configuration.

Server IP Address/Port

Enter the public IPv4 address and port of the syslog server that receives logs.

RFC

Select the Request for Comments (RFC) protocol that is used by your log management system. Valid values: RFC3164 and RFC5424.

Protocol

Select the transport layer protocol. Valid values: TCP and UDP.

Choose based on your reliability, performance, and management requirements for log transmission. TCP gives the receiver an ordered stream and a connection whose failure is visible, so if you use a centralized log management system that supports retransmission and loss marking, select TCP. UDP is cheaper per message but drops datagrams silently under load, so select it only if you need to move a large volume of logs in a short time and can tolerate losing some of them. Neither option encrypts the stream, and the receiver is reachable at a public IPv4 address, so restrict which sources the receiver accepts and treat the delivered records as untrusted input when you parse them.
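The receiver side is where the RFC and transport choices above show up. With UDP every datagram is one record; with TCP the receiver has to split the stream itself, and two framings are in use (RFC 6587 octet counting and newline-delimited). The following helper, an added example that is not Alibaba Cloud code, splits a TCP stream either way and parses both RFC3164 and RFC5424 records into a common structure. This page does not describe the body of a WAF syslog record, so the sample records are constructed; only the framing and header handling are general.

```python
"""Receiver-side helpers for WAF syslog delivery: split a TCP stream into
records and parse either RFC3164 or RFC5424 headers.

Added example, not Alibaba Cloud code. The WAF message body is not
described on the page, so every record used here is constructed.
"""
import re
from dataclasses import dataclass

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class SyslogMessage:
    rfc: str              # "RFC3164" or "RFC5424"
    facility: int
    severity: int
    timestamp: str
    hostname: str
    app: str
    structured_data: str  # "-" when absent (RFC3164 has none)
    msg: str

    @property
    def level(self) -> str:
        return SEVERITY[self.severity]


_PRI = re.compile(r"^<(\d{1,3})>")
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_RFC5424 = re.compile(r"^<\d{1,3}>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.DOTALL)
# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: CONTENT
_RFC3164 = re.compile(r"^<\d{1,3}>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)
_TAG = re.compile(r"^([\w.\-/]+)(?:\[\d+\])?:\s?(.*)$", re.DOTALL)


def _priority(line: str) -> tuple[int, int]:
    m = _PRI.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI>")
    pri = int(m.group(1))
    return pri >> 3, pri & 7          # facility, severity


def _split_structured_data(rest: str) -> tuple[str, str]:
    """Split 'SD-ELEMENT... MSG' after the last bracketed element."""
    if rest.startswith("-"):
        return "-", rest[1:].lstrip(" ")
    i = 0
    while i < len(rest) and rest[i] == "[":
        j = i + 1
        while j < len(rest) and not (rest[j] == "]" and rest[j - 1] != "\\"):
            j += 1
        if j >= len(rest):
            raise ValueError("unterminated structured-data element")
        i = j + 1
    if i == 0:
        raise ValueError("structured data must be '-' or [..] elements")
    return rest[:i], rest[i:].lstrip(" ")


def parse_syslog(line: str) -> SyslogMessage:
    """Parse one record; RFC5424 is tried first because its version digit is unambiguous."""
    facility, severity = _priority(line)
    m = _RFC5424.match(line)
    if m and m.group(1) == "1":
        _, ts, host, app, _procid, _msgid, rest = m.groups()
        sd, msg = _split_structured_data(rest)
        return SyslogMessage("RFC5424", facility, severity, ts, host, app, sd, msg)
    m = _RFC3164.match(line)
    if not m:
        raise ValueError(f"not an RFC3164 or RFC5424 record: {line[:40]!r}")
    ts, host, rest = m.groups()
    t = _TAG.match(rest)
    app, msg = (t.group(1), t.group(2)) if t else ("-", rest)
    return SyslogMessage("RFC3164", facility, severity, ts, host, app, "-", msg)


def split_tcp_frames(buf: bytes) -> tuple[list[bytes], bytes]:
    """Split a TCP byte stream into complete records plus the unconsumed tail.
    Accepts both RFC 6587 framings: octet counting ("46 <13>...") and
    non-transparent framing (one record per LF). A partial record at the
    end is returned as the tail so the caller can wait for more bytes."""
    frames: list[bytes] = []
    while buf:
        m = re.match(rb"(\d+) ", buf)
        if m:                                   # octet-counted frame
            n, start = int(m.group(1)), m.end()
            if len(buf) - start < n:
                break
            frames.append(buf[start:start + n])
            buf = buf[start + n:]
            continue
        nl = buf.find(b"\n")                    # newline-delimited frame
        if nl < 0:
            break
        frames.append(buf[:nl].rstrip(b"\r"))
        buf = buf[nl + 1:]
    return frames, buf


def parse_tcp_stream(buf: bytes) -> tuple[list[SyslogMessage], bytes]:
    frames, rest = split_tcp_frames(buf)
    return [parse_syslog(f.decode("utf-8", errors="replace")) for f in frames], rest


if __name__ == "__main__":
    # Constructed records, not real WAF output: one octet-counted, one LF-terminated.
    STREAM = (b"46 <13>Dec 16 10:00:00 waf-node01 waf: block sqli"
              b'<134>1 2024-12-16T10:00:00Z waf-node01 waf - - [src ip="203.0.113.10"] block sqli\n')
    for rec in parse_tcp_stream(STREAM)[0]:
        print(rec.rfc, rec.level, rec.hostname, rec.app, rec.structured_data, rec.msg)
```

Select RFC5424 on the WAF side when your collector can take it: the structured-data element and the full timestamp survive parsing, whereas the RFC3164 timestamp has no year or zone and the app name has to be recovered from the TAG.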

Type: KAFKA

Parameter

Description

Type

Select KAFKA.

Configuration Item

Enter a name for the external delivery configuration.

Topic ID/Name

Enter the ID or name of the topic that you want to use.

Domain Name

Enter the address of your Kafka cluster.

Note

You can specify domain names or IP addresses, each followed by a port. Separate multiple entries with commas (,). Example: kafka.aliyuncs.com:9093,127.0.0.1:9093,kafka2.aliyuncs.com:9093.

Protocol

Select the protocol that your Kafka cluster requires. Valid values: PLAINTEXT, SASL_PLAINTEXT, and SASL_SSL. PLAINTEXT performs no authentication and no encryption. SASL_PLAINTEXT authenticates WAF to the cluster with the SASL username and password but sends the credentials and the log payloads unencrypted. SASL_SSL authenticates and encrypts the connection with TLS, which is why it also requires a CA certificate. Match the protocol to the security configuration of your Kafka cluster, and prefer SASL_SSL where the cluster supports it, because WAF logs carry request details.

SASL Username

Enter the username that is used to connect to your Kafka cluster. If you set the Protocol parameter to SASL_PLAINTEXT or SASL_SSL, you must configure this parameter for identity verification.

SASL Password

Enter the password that is used to connect to your Kafka cluster. If you set the Protocol parameter to SASL_PLAINTEXT or SASL_SSL, you must configure this parameter for identity verification.

Compression Type

Select a compression algorithm. Valid values: gzip, zstd, lz4, and snappy. If no compression is required, select none.

Custom CA

Configure the custom Certificate Authority (CA) certificate that you want to use. If you set the Protocol parameter to SASL_SSL, this parameter is required.

Note

The CA certificate must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
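The table above implies a set of consistency rules (credentials for SASL_*, a CA for SASL_SSL, host:port broker entries, the PEM markers in the note) that the console enforces only when you click OK. The following preflight check, an added example that is not Alibaba Cloud code, applies those rules to a configuration before it is saved and flags the two protocols that leave the log stream unencrypted. The CA in the block is a constructed five-byte placeholder used only to exercise the marker and DER checks, not a real certificate.

```python
"""Preflight checks for a WAF external delivery configuration of type KAFKA.

Added example, not Alibaba Cloud code. It encodes the rules from the
parameter table (SASL credentials for SASL_*, a CA for SASL_SSL, host:port
broker entries, BEGIN/END CERTIFICATE markers). FAKE_CA_PEM is a constructed
placeholder, not a real certificate.
"""
import base64
from dataclasses import dataclass
from typing import Optional

PROTOCOLS = {"PLAINTEXT", "SASL_PLAINTEXT", "SASL_SSL"}
COMPRESSION = {"none", "gzip", "zstd", "lz4", "snappy"}
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


@dataclass
class KafkaDelivery:
    name: str                        # Configuration Item
    topic: str                       # Topic ID/Name
    brokers: str                     # Domain Name field: "host:port,host:port"
    protocol: str                    # PLAINTEXT | SASL_PLAINTEXT | SASL_SSL
    sasl_username: Optional[str] = None
    sasl_password: Optional[str] = None
    compression: str = "none"
    custom_ca: Optional[str] = None  # PEM text, required for SASL_SSL


def parse_broker_list(value: str) -> list[tuple[str, int]]:
    """Split the comma-separated broker field into (host, port) pairs."""
    brokers = []
    for item in value.split(","):
        host, sep, port = item.strip().rpartition(":")
        if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"broker entry must be host:port, got {item.strip()!r}")
        brokers.append((host, int(port)))
    return brokers


def check_ca_pem(pem: str) -> bytes:
    """Enforce the BEGIN/END markers and return the DER bytes between them."""
    body = pem.strip()
    if not (body.startswith(PEM_BEGIN) and body.endswith(PEM_END)):
        raise ValueError("CA must start with BEGIN CERTIFICATE and end with END CERTIFICATE")
    b64 = "".join(body[len(PEM_BEGIN):-len(PEM_END)].split())
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError as exc:                  # binascii.Error is a ValueError
        raise ValueError("CA body is not valid base64") from exc
    if not der or der[0] != 0x30:              # an X.509 certificate is a DER SEQUENCE
        raise ValueError("CA body does not decode to a DER SEQUENCE")
    return der


def validate(cfg: KafkaDelivery) -> list[str]:
    """Raise ValueError for a configuration the table's rules reject;
    return security warnings for one that is accepted but weak."""
    if not cfg.name or not cfg.topic:
        raise ValueError("Configuration Item and Topic ID/Name are required")
    if cfg.protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol {cfg.protocol!r}")
    if cfg.compression not in COMPRESSION:
        raise ValueError(f"unknown compression type {cfg.compression!r}")
    parse_broker_list(cfg.brokers)
    if cfg.protocol.startswith("SASL_") and not (cfg.sasl_username and cfg.sasl_password):
        raise ValueError("SASL Username and SASL Password are required for " + cfg.protocol)
    if cfg.protocol == "SASL_SSL":
        if not cfg.custom_ca:
            raise ValueError("Custom CA is required for SASL_SSL")
        check_ca_pem(cfg.custom_ca)
    warnings = []
    if cfg.protocol == "PLAINTEXT":
        warnings.append("PLAINTEXT: the cluster does not authenticate WAF and the log stream is unencrypted")
    elif cfg.protocol == "SASL_PLAINTEXT":
        warnings.append("SASL_PLAINTEXT: credentials and log payloads cross the network unencrypted")
    return warnings


def is_rejected(cfg: KafkaDelivery) -> bool:
    """True if validate() raises, i.e. the console would refuse the configuration."""
    try:
        validate(cfg)
    except ValueError:
        return True
    return False


# Constructed placeholder: base64 of a 5-byte DER SEQUENCE (30 03 02 01 01).
FAKE_CA_PEM = PEM_BEGIN + "\nMAMCAQE=\n" + PEM_END

if __name__ == "__main__":
    cfg = KafkaDelivery("waf-to-siem", "waf-logs", "kafka.example.com:9093,10.0.0.5:9093",
                        "SASL_SSL", "waf", "s3cret", "zstd", FAKE_CA_PEM)
    print(validate(cfg))   # no warnings for SASL_SSL with a CA
```

Run it against the values you intend to enter; an empty warning list with no exception means the configuration is complete and encrypted end to end. Feed it a real CA by pasting the PEM text into custom_ca, and extend check_ca_pem with a proper X.509 parser if you need to verify that the certificate actually signs your brokers' certificates.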

If an existing external delivery configuration meets your requirements, find the protected object that you want to manage on the Delivery Settings tab and turn on the switch in the Status of External Delivery column. When the switch is on, external delivery is enabled. In the dialog box that appears, select the external delivery configuration.

Note

If you want to enable external delivery for multiple protected objects at a time, select the protected objects in the list of protected objects, click Batch Manage below the list, and then select Enable External Delivery or Disable External Delivery.

Field of External Delivery column

You can configure optional fields and log types for external delivery. In the left-side navigation pane of the WAF console, choose Detection and Response > Log Service. On the page that appears, click Log Configuration in the upper-right corner. On the Delivery Settings tab of the page that appears, find the protected object that you want to manage and click Field Settings in the Field of External Delivery column. Then, configure the parameters in the Fields dialog box. After you complete the field settings, click OK. If the message The operation is successful. appears, the settings take effect on the protected object.