Cloud Firewall automatically records all traffic in logs and provides the Log Audit page to display event logs, traffic logs, and operation logs. This allows you to trace the sources of attacks and audit traffic in a convenient manner. By default, you can query the audit logs of the previous seven days. This enables you to monitor your assets in real time and handle security events in an efficient manner.
By default, Cloud Firewall retains the logs of the previous seven days. If you want to store logs for more than seven days, meet specific classified protection requirements, or export raw log data, you can enable the log analysis feature. For more information, see Overview.
Audit log types
The log audit feature supports event logs, traffic logs, and operation logs.
Event logs: logs of traffic that is identified as potential threats or abnormal behavior by Cloud Firewall. Event logs display the key information about security events, including the time when an event is detected, threat type, source IP address, destination IP address, application type, severity, and policy action. This facilitates event tracing and analysis.
You can click Obtain Attack Sample in the event log list to generate attack samples within the previous seven days for the logs of events that are blocked by the virtual patching and basic protection features. Then, you can view the details of attack events based on the attack samples. The generated attack samples can be retained for one month.
Traffic logs: logs of normal network traffic that passes through Cloud Firewall. You can view information such as the source IP address, destination IP address, port, protocol, and traffic volume. Traffic logs are valuable for network behavior analysis and understanding network usage patterns.
Operation logs: logs of all operations performed in the Cloud Firewall console, such as changes to the configurations of rules or system settings and interventions performed by the administrator. Operation logs can help you audit user behavior and manage system changes.
Query audit logs
This section describes how to use the log audit feature to query traffic logs. The query conditions vary based on the type of log. The query conditions displayed on the Log Audit page shall prevail.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
Click the Traffic Logs tab and click a tab based on the firewall type.
Specify the query conditions and time range and click Search.
Key fields of traffic logs
The following table describes the key fields of traffic logs to help you better understand the details of traffic characteristics and behavior.
When you query traffic logs, you can click List Configurations to the right of the query conditions and select the fields that you want to display in the traffic log list. In addition to the required fields, you can select up to eight optional fields.
Field | Description |
Rule Name/Rule ID | The name of the access control policy or protection policy that the traffic hits. If no policy name is displayed, the traffic does not hit an access control policy or a protection policy. |
Pre-match Access Control Policy Status | When traffic passes through Cloud Firewall, Cloud Firewall matches the traffic against access control policies in sequence based on the priorities of the policies. If Cloud Firewall cannot identify the application or domain name of the traffic when Cloud Firewall matches the traffic against an access control policy, the value of the Pre-match Access Control Policy Status parameter is Application Unidentified or Domain Name Unidentified, and the value of the Pre-match Access Control Policy parameter is the name of the access control policy. Valid values for Pre-match Access Control Policy Status:
|
Pre-match Access Control Policy | |
Application Identification Status | The identification status of the application of the traffic when Cloud Firewall matches the traffic against access control policies. Valid values:
|
What to do next
By default, Cloud Firewall retains the logs of the previous seven days. If you want to store logs for more than seven days or meet specific classified protection requirements, you can enable the log analysis feature. For more information, see Overview.
Cloud Firewall provides the packet capture feature. You can use the feature to capture network data packets for specific IP addresses and ports, and analyze the packets. This helps you identify exceptions that occur on your network, analyze attack behavior, and identify the security risks of network communications. For more information, see Use the packet capture feature.
Why are traffic logs of ICMP detection periodically sent by Cloud Firewall?
Why do traffic logs record traffic whose application type is Unknown?
Is log analysis data retained after I release Cloud Firewall?