You can use Simple Log Service to configure custom monitoring charts and alerts for the protected objects of Web Application Firewall (WAF). This way, you can obtain the overall traffic and security status of your services. This topic describes how to use Simple Log Service to configure monitoring and alerting for WAF.
Prerequisites
Web services are added to WAF on the Website Configuration page. For more information, see Website configuration overview.
The Simple Log Service for WAF feature is enabled. For more information, see Enable or disable the Simple Log Service for WAF feature.
After you enable the feature for a WAF instance, Simple Log Service (SLS) automatically creates a project and a Logstore for the WAF instance and collects the logs of protected objects that you specify to the Logstore. You can configure monitoring and alerting for WAF in the Simple Log Service console.
Procedure
In the WAF console, enable the Simple Log Service for WAF feature for a protected object.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.
In the left-side navigation pane, choose .
In the upper part of the Log Service page, select a protected object whose logs you want to view and turn on Status to enable the feature.
After you turn on Status, the feature takes effect for the protected object within a few minutes.
In the Simple Log Service console, configure alerts.
Create a log analysis dashboard.
Log on to the Simple Log Service console.
In the Projects section, find the project that you want to manage and click the name of the project.
Enter an SQL statement and click Search & Analyze. For more information, see Step 4.
Note: For more information about the SQL statements that are used to query and analyze logs, see Query statements.
On the Graph tab, click Add to New Dashboard.
In the Add to New Dashboard dialog box, configure the parameters and click OK. The following table describes the parameters.
Operation: Select Create Dashboard.
Layout Mode: Select a layout mode for the dashboard.
Dashboard Name: Enter a name for the dashboard.
After you create a dashboard, you are redirected to the dashboard. By default, the dashboard contains the chart that is generated when you execute the SQL statement in Step iii. You can modify the chart or add additional charts to the dashboard.
Configure a chart.
In the left-side navigation pane of the Simple Log Service console, choose
and click the created dashboard.
In the upper-right corner of the dashboard page, click Edit.
In edit mode, modify or delete existing charts on the dashboard. You can also create a chart by copying an existing chart.
Note: You can copy a chart to create another chart. Then, you can modify the new chart. You can add multiple charts to a dashboard. This way, you can view the data of your services and configure alerts based on your business requirements.
Copy a chart to create another chart
Find the chart that you want to copy, move the pointer over the icon in the upper-right corner of the chart, and then click Copy.
After you copy a chart, an identical chart appears next to the original chart.
Drag the chart to the desired position on the dashboard.
Modify an existing chart
Find the chart that you want to modify, move the pointer over the icon in the upper-right corner of the chart, and then click Edit.
On the Edit Chart page, modify the chart configurations, such as the chart name, SQL statements, relative query time range, and chart type. Then, click OK.
Delete an existing chart
Find the chart that you want to delete, move the pointer over the icon in the upper-right corner of the chart, and then click Delete.
Configure alerts.
In the upper-right corner of the dashboard page, choose .
In the Alert Monitoring Rule panel, configure the parameters and click OK.
The following table describes the parameters and provides examples of parameter values.
Parameter
Description
Example
Rule Name
The name of the alert rule.
Website Logs_Alert Rule
Check Frequency
The frequency at which query and analysis results are checked. Valid values:
Fixed Interval: Query and analysis results are checked at a specific interval.
Cron: Query and analysis results are checked at an interval that is specified by a cron expression.
A cron expression can specify an interval that is accurate to the minute. The cron expression is based on the 24-hour clock. For example, 0 0/1 * * * indicates that query and analysis results are checked at an interval of 1 hour starting 00:00.
Fixed Interval, 15 Minutes
Query Statistics
Click Create. In the Query Statistics dialog box, configure information about a query statement. For more information about the limits of query and analysis, see Query and analysis.
Associated Report: On this tab, you can select a dashboard to monitor data.
Advanced Settings: On this tab, you can select Logstore, Metricstore, or Resource Data from the Type drop-down list to specify the type of data that you want to monitor.
Logstore: Logs are stored. For more information about query and analysis configurations, see Query and analyze logs.
Metricstore: Metrics are stored. For more information about query and analysis configurations, see Query and analyze metric data.
Resource Data: You can specify the external data that you want to associate with the alert rule. For more information, see Create resource data.
If you specify multiple query statements, you can configure the Set Operations parameter to associate the query and analysis results of the statements. For more information, see Specify query statements.
0: Select the request success ratio chart on the SLB Operation Logs dashboard.
1: Select the response_time trend chart on the SLB Operation Logs dashboard.
Set the Set Operations parameter to CROSS JOIN.
Group Evaluation
Simple Log Service can group query and analysis results. Valid values:
Custom Label: Simple Log Service groups query and analysis results based on the fields that you configure. After Simple Log Service groups the query and analysis results, Simple Log Service checks whether the query and analysis results in each group meet the trigger condition. If the query and analysis results in each group meet the trigger condition in each check period, an alert is triggered for each group.
You can configure multiple fields.
No Grouping: Only one alert is triggered in each check period when the trigger condition is met.
No Grouping
Trigger Condition
The trigger condition and severity of an alert.
Trigger condition
Data is returned: If data is returned in the query and analysis results, an alert is triggered.
the query result contains: If the query and analysis results contain N data entries, an alert is triggered.
data matches the expression: If the query and analysis results contain data that matches a specific expression, an alert is triggered.
the query result contains and matches: If the query and analysis results contain N data entries that match a specific expression, an alert is triggered.
Severity
This parameter is used to denoise alerts and manage alert notifications. When you create an alert policy or an action policy, you can add severity-based conditions. For more information, see Specify severity levels for alerts.
If you specify a trigger condition, you can specify a severity for the condition. In this case, all alerts that are triggered based on the alert rule have the same severity.
If you specify more than one trigger condition, you can specify a severity for each condition. You can click Create to specify additional trigger conditions.
For more information about the syntax of conditional expressions in alert rules, see Syntax of trigger conditions in alert rules.
data matches the expression
$0.success_ratio <90&&$1.Average response time\(s\) >60
Severity: Medium
Note: If a field contains parentheses (), you must use backslashes (\) to escape the parentheses ().
Add Annotation
Simple Log Service allows you to add annotations as non-identifying attributes to alerts. Annotations are in the key-value pair format. This parameter is used to denoise alerts and manage alert notifications. When you create an alert policy or an action policy, you can add annotation-based conditions. For more information, see Add labels and annotations.
If you turn on Auto-Add Annotations, fields such as __count__ are automatically added to alerts. For more information, see Automatic annotations.
Title: Monitor the request success ratio and average response time of a website
Description: Request success ratio: ${success_ratio}, Average response time: ${Average response time(s)}
Auto-Add Annotations: turned on
Threshold of Continuous Triggers
The threshold at which an alert is triggered. If the number of consecutive times that the specified trigger condition is met reaches the value of this parameter, an alert is triggered. The system does not count the number of times when the specified trigger condition is not met.
1
Destination
The destination to which alerts are sent. Select Simple Log Service Notification.
Simple Log Service Notification
Alert Policy
Alert policies are used to merge, silence, and inhibit alerts.
If you set the Alert Policy parameter to Simple Mode or Standard Mode, you do not need to configure an alert policy. By default, Simple Log Service uses the built-in alert policy sls.builtin.dynamic to manage alerts.
If you set the Alert Policy parameter to Advanced Mode, you can select a built-in or custom alert policy to manage alerts. For more information about how to create an alert policy, see Create an alert policy.
Simple Mode
Action Policy
Action policies are used to manage alert notification methods and the frequency at which alert notifications are sent.
If you set the Alert Policy parameter to Simple Mode, you only need to configure an action group for this parameter.
After you configure an action group, Simple Log Service automatically creates an action policy named Rule name-Action policy. Alert notifications are sent based on the action policy for all alerts that are triggered based on the alert rule. For more information, see Notification methods.
Important: You can modify an action policy on the Action Policy tab. For more information, see Create an action policy. If you add conditions when you modify an action policy, the value of the Alert Policy parameter is automatically changed to Standard Mode.
If you set the Alert Policy parameter to Standard Mode or Advanced Mode, you can select a built-in or custom action policy to send alert notifications. For more information about how to create an action policy, see Create an action policy.
If you set the Alert Policy parameter to Advanced Mode, you can turn on or turn off Custom Action Policy. For more information, see Dynamic action policy mechanism.
Notification Method: SMS Message
Recipient: LogServiceOperations
Alert Template: SLS builtin content template
Period: Any Time
Repeat Interval
If duplicate alerts are triggered during the specified period, the action policy that you select is executed only once and only one alert notification is sent.
5 Minutes
In the left-side navigation pane, click the icon to view the created alert rule and configure the recipients of alert notifications and alert policies. For more information, see 1. Configure a notification recipient and Create an alert policy.
After you create an alert rule, Simple Log Service monitors the query and analysis results based on the alert rule. If the query and analysis results meet the specified trigger condition, an alert is triggered. You can view the alert records on the Alert Rule Center tab. For more information, see View alert records.
References
For more information about the charts and sample alert configurations based on the query and analysis results of logs in WAF, see Examples of alert configurations based on WAF logs. The examples include alert rules for an abnormal percentage of 4xx status codes (blocked requests excluded from counting), abnormal percentage of 5xx status codes, abnormal queries per second (QPS), and request blocked by the Protection Rules Engine in the previous 5 minutes.
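The following added example (not part of the original documentation or of Simple Log Service) prototypes offline the 4xx-percentage rule mentioned above, showing why blocked requests are excluded from counting and how the Group Evaluation choice between No Grouping and Custom Label changes which alerts fire. The field names and values (host, status, final_action) and the sample records are constructed assumptions; replace them with the fields in your own Logstore.

```python
from collections import defaultdict

# Constructed sample of WAF log records for one check period. The field
# names and values (host, status, final_action) are assumptions.
def _rows(host, status, action, n):
    return [{"host": host, "status": status, "final_action": action}] * n

SAMPLE = (
    _rows("shop.example.com", 200, "pass", 180)
    + _rows("shop.example.com", 405, "block", 20)  # blocked requests, 4xx status
    + _rows("api.example.com", 200, "pass", 12)
    + _rows("api.example.com", 404, "pass", 8)     # 4xx that reached clients
)

def pct_4xx(rows, exclude_blocked=True):
    """Percentage of 4xx responses, optionally ignoring blocked requests."""
    if exclude_blocked:
        rows = [r for r in rows if r["final_action"] != "block"]
    if not rows:
        return 0.0
    hits = sum(1 for r in rows if 400 <= r["status"] < 500)
    return round(100.0 * hits / len(rows), 2)

def evaluate(rows, threshold_pct, group_field=None):
    """Return {group: pct} for each group whose 4xx percentage exceeds the
    threshold. group_field=None models No Grouping (one evaluation over all
    rows); a field name models Custom Label (one evaluation per value)."""
    groups = defaultdict(list)
    for r in rows:
        groups[r[group_field] if group_field else "*"].append(r)
    fired = {}
    for name, members in groups.items():
        pct = pct_4xx(members)
        if pct > threshold_pct:
            fired[name] = pct
    return fired

if __name__ == "__main__":
    # Counting blocked requests inflates the ratio with the WAF's own blocks.
    print("4xx % incl. blocked:", pct_4xx(SAMPLE, exclude_blocked=False))
    print("4xx % excl. blocked:", pct_4xx(SAMPLE))
    # A low-traffic host with real errors is hidden in the aggregate.
    print("No Grouping:", evaluate(SAMPLE, 10))
    print("Custom Label (host):", evaluate(SAMPLE, 10, "host"))
```

In this sample the aggregate stays under a 10% threshold while api.example.com alone is at 40%, which is the case that grouping by a field such as host is meant to surface.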