How to query logs - Web Application Firewall

After you enable the log delivery feature for the protected objects of Web Application Firewall (WAF), you can query and analyze the logs of the protected objects. Then, you can generate charts and configure alerts based on the query and analysis results.

Prerequisites

The Simple Log Service for WAF feature is enabled. For more information, see Enable or disable the Simple Log Service for WAF feature.
Web services are added to WAF 3.0 as protected objects. For more information, see Configure protected objects and protected object groups.
The log delivery feature is enabled for the protected objects of WAF. For more information, see Manage log delivery status.

Query and analyze logs

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Detection and Response > Log Service.
In the upper part of the Log Service page, select the protected object whose logs you want to query.
Important
Make sure that the log delivery feature is enabled for the protected object. If the log delivery feature is disabled for the protected object, WAF does not collect the logs of the protected object, and you cannot query or analyze the logs of the protected object. To enable the log delivery feature for a protected object, turn on Status for the protected object on the Log Service page. You can also go to the Log Configuration page and turn on the switch in the Status of Delivery to Simple Log Service column for the protected object on the Delivery Settings tab. For more information, see Manage log delivery status.

On the Log Query tab, enter a query statement. Then, execute the statement to query and analyze the logs of the protected object that you selected.

日志查询与分析

To query and analyze the logs of the protected object, perform the following steps:

Enter a search statement in the search box that is labeled 1 in the preceding figure.

You must write the search statement based on the syntax that is specific to Alibaba Cloud Simple Log Service. For more information about the syntax, see Search syntax. You can include the fields of WAF logs in the search statement as search fields. For more information about the log fields that are supported by WAF, see Log fields.

If you are not familiar with the search syntax, we recommend that you click Advanced Search to configure advanced settings. You can click Advanced Search above the search box. Then, specify search conditions and click Search. A search statement is automatically generated in the search box based on the search conditions. 高级搜索 The following table describes the search conditions that you can specify.

Search condition	Description
IP	The IP address of the client that sends the request.
Request ID	The unique identifier that WAF generates for the client request. The request ID is provided when WAF returns a block page or a response page to the client. The response page prompts the client to complete slider CAPTCHA verification. You can use the request ID to analyze and troubleshoot errors.
Rule ID	The ID of the WAF protection rule that matches the request. To query the rule ID, go to the Basic Web Protection page. You can also go to the Security Reports page and view the details of matched rules or statistics. For more information, see Security reports.
Status Code Returned from Origin Server	The HTTP status code that is sent by the origin server in response to the request forwarded by WAF.
Status Code Returned from WAF	The HTTP status code that is included in the response from WAF to the client.
Protection Module	The WAF protection module that matches the request. For more information about WAF protection modules and how to configure the modules, see Protection configuration overview.

If you want to perform calculation and statistical operations on the search results, append an analytic statement to the search statement in the search box that is labeled 1 in the preceding figure. If you do not want to analyze the search results, skip this step.
Separate the analytic statement and search statement with a vertical bar (|). Write the analytic statement based on the standard SQL-92 syntax. For more information about analytic statements, see Log analysis overview.
Specify the time range to query logs by using the time picker that is labeled 2 in the preceding figure.
Click Search & Analyze that is labeled 3 in the preceding figure.
In the lower part of the page, you can view the query and analysis results in a log distribution histogram and on the Raw Logs, Graph, and LogReduce tabs. You can perform various operations based on the query and analysis results. For example, you can perform quick analysis, generate charts, and configure alerts. For more information, see Description of query and analysis results.

Description of query and analysis results

Histogram

分布直方图

When you move the pointer over a green rectangle, you can view the period of time that is represented by the rectangle and the number of returned logs within the period of time.
If you double-click a green rectangle, you can view log distribution at a finer-grained level. You can also view the returned logs within the specified period of time on the Raw Logs tab.

Raw Logs

The Raw Logs tab displays query and analysis results.

Section	Description
1	Click Table or Raw Data to switch between the display formats of logs.
2	: allows you to copy log content. : allows you to label specific information or query error information in log content. This icon also serves as a copilot. : allows you to view the context information of a specific log in the raw log file. You can use contextual query only on the logs that are collected by Logtail. For more information, see Contextual query. : allows you to monitor log content in real time and extract key log information. You can use LiveTail only on the logs that are collected by Logtail. For more information, see LiveTail.
3	: allows you to specify a download scope and download logs. For more information, see Download logs. > JSON Configurations: allows you to specify the display type of JSON and the level of JSON expansion. > Event Settings: allows you to configure events for raw logs. For more information, see Configure events.
4	: allows you to add a view to your favorites. After fields are displayed in Section 5, you can add the current view to your favorites. Then, you can select the view from the drop-down list above Section 4. > Tag Settings: allows you to add fields as system tags. > Alias: After you turn on Alias, the names of fields are replaced with aliases. If no alias is configured for a field, the name of the field is retained. For more information about how to configure a field alias, see Create indexes.
5	Below Displayed Fields, move the pointer over a field and click the icon to remove the field from Displayed Fields. Then, the field is no longer displayed in the log content on the right side. Below Indexed Fields, move the pointer over a field and click the icon to add the field to Displayed Fields. Then, the field is displayed in the log content on the right side. : allows you to view field details, including Basic Distribution and Statistical Metrics. For more information, see Quick analysis.

Supported operations

View charts

After you execute a query statement, you can view the query and analysis results on the Graph tab.

View query and analysis results: Simple Log Service renders the results of the query statement to charts. Simple Log Service provides various types of charts, such as tables, line charts, and column charts. Simple Log Service provides two versions of charts: Pro and Standard. For more information, see Overview of charts (Pro) and Chart overview.
Add a chart to a dashboard: Simple Log Service provides dashboards on which you can analyze data in real time. You can click Add to New Dashboard to save the query and analysis results as a chart to a dashboard. For more information, see Overview of visualization.
Configure interaction occurrences: Interaction occurrences are important for data analysis. You can use interaction occurrences to switch between the levels of data dimensions and the analysis granularities to obtain more detailed information. For more information, see Interaction occurrences.
Create a Scheduled SQL job: Simple Log Service provides the Scheduled SQL feature. You can use the feature to automatically analyze data at a scheduled time and aggregate data for storage. You can also use the feature to project and filter data. For more information, see How Scheduled SQL works.

LogReduce

On the LogReduce tab, you can click Enable LogReduce to cluster similar logs during log collection. For more information, see LogReduce.

SQL enhancement

If you use the Standard SQL feature to analyze a large amount of data that is generated over a period of time, Simple Log Service cannot analyze all data in a single query request. You can enable the Dedicated SQL feature to increase computing resources and the amount of data that can be analyzed in a single query request. For more information, see Enable Dedicated SQL.

Scan

If you need to query or analyze logs but you cannot or did not create indexes, you can use the scan feature. For more information, see Scan logs.

Alerting

You can click the 另存为告警 icon to configure alerts for query and analysis results. For more information, see Configure an alert rule in Simple Log Service.

Saved search

You can click the 快速查询 icon to save a query statement as a saved search. For more information, see Saved search.

Sharing

You can click the icon to copy the link of the current page and share the link with other users.