Analyzing Huawei Cloud WAF Logs for O&M Insights
Introduction
Web Application Firewall (WAF) examines all HTTP and HTTPS requests to detect and block attacks such as SQL injections, cross-site scripting (XSS), Trojan upload, and command or code injections. You can check the access and attack logs for real-time decision-making, device O&M, and service trend analysis.
Prerequisites
- You have purchased and used a WAF instance.
Restrictions
- WAF logging is available only for cloud WAF instances.
Procedure
- Add a website to WAF.
  - Log in to the management console.
  - Click in the upper left corner to select the desired region and project.
  - Click in the upper left corner and choose Security > Web Application Firewall.
  - Add the domain name by referring to "Add a Domain Name to WAF".
- Enable WAF logging to collect WAF logs to Log Tank Service (LTS).
  - On the WAF console, choose Events in the navigation pane and click the Configure Logs tab. Enable logging and select a log group and log stream. If necessary, create a log group and a log stream first.
  - Click OK.
Figure 1 Configuring logs
- Go to the log stream details page on the LTS console, choose Log Configuration in the navigation pane on the left, and click the Log Structuring tab. Select JSON, select a sample log event, and complete the configuration.
Figure 2 Configuring logs in JSON format
- On the log stream details page, click Visualization and run SQL queries. For details about how to visualize query results, see "Log Structuring".
  - To count the number of attacks within a week, run the following SQL statement:
    select count(*) as attack_times
    Figure 3 Number of attacks within a week
  - To count the number of attacks by type in one day, run the following SQL statement:
    select attack,count(*) as times group by attack
    You can visualize the results in a table, bar chart, line chart, pie chart, or number chart. The following figure presents the results in a pie chart.
    Figure 4 Number of attacks by type
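To cross-check the two SQL results against events exported from the log stream, the following added example (not part of the original page and not Huawei Cloud code) computes the same counts in Python. Only the `attack` field comes from the SQL above; the `time` field name, the attack labels and the sample events are constructed assumptions, and the time window is passed explicitly on the assumption that the console's time range selection plays that role for the SQL.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events, one JSON object per line (structured as JSON, as in the procedure).
# "attack" is the field used in the page's SQL; "time" and all values are assumptions.
SAMPLE_EVENTS = """\
{"time": "2024-05-06T10:15:00+00:00", "attack": "sqli"}
{"time": "2024-05-06T11:02:00+00:00", "attack": "xss"}
{"time": "2024-05-05T23:40:00+00:00", "attack": "sqli"}
{"time": "2024-05-01T08:00:00+00:00", "attack": "cmdi"}
{"time": "2024-04-20T08:00:00+00:00", "attack": "sqli"}
{"time": "2024-05-06T12:00:00+00:00"}
not-json debris line
"""

def parse_events(text):
    """Yield (timestamp, attack_type) for each well-formed event; skip the rest."""
    for line in text.splitlines():
        try:
            event = json.loads(line)
            yield datetime.fromisoformat(event["time"]), event["attack"]
        except (ValueError, KeyError, TypeError):
            continue  # malformed JSON, bad timestamp, or missing field

def attack_times(events, now, window):
    """Mirror of: select count(*) as attack_times, over [now - window, now]."""
    return sum(1 for ts, _ in events if now - window <= ts <= now)

def attacks_by_type(events, now, window):
    """Mirror of: select attack,count(*) as times group by attack."""
    return Counter(a for ts, a in events if now - window <= ts <= now)

if __name__ == "__main__":
    events = list(parse_events(SAMPLE_EVENTS))
    now = datetime(2024, 5, 6, 13, 0, tzinfo=timezone.utc)  # constructed "current" time
    print("attack_times (7 days):", attack_times(events, now, timedelta(days=7)))
    for attack, times in attacks_by_type(events, now, timedelta(days=1)).most_common():
        print(attack, times)
```

A mismatch between these counts and the LTS chart for the same window usually points to events that failed structuring or to a different time range selected in the console.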