Updated on 2024-11-04 GMT+08:00

Querying Logs

CFW allows you to query logs generated within the last seven days. The following types of logs are available: attack event logs, access control logs, and traffic logs.

One or more of these log types can be recorded in LTS, where log data from the past 1 to 360 days can be viewed. For details, see Log Management.

Prerequisites

Constraints

  • Logs can be stored for up to seven days.
  • Up to 100,000 records can be exported for a single log.
  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column of a firewall to go to its details page.
  5. In the navigation pane, choose Log Audit > Log Query. The Attack Event Logs tab page is displayed. You can view details about attack events in the past week.

    Figure 1 Attack event logs
    Table 1 Attack event log parameters

    Time: Time when an attack occurred.
    Attack Type: Type of the attack event, including IMAP, DNS, FTP, HTTP, POP3, TCP, and UDP.
    Risk Level: It can be Critical, High, Medium, or Low.
    Rule ID: ID of the matched rule.
    Rule Name: Matched rule in the library.
    Source IP Address: Source IP address of an attack event.
    Tags: IP address type identifier.
      • Other tags: IP addresses that are not WAF back-to-source IP addresses. No special action is required.
      • WAF back-to-source IP addresses: Source IP Address is a WAF back-to-source IP address. If the Action of this record is Block, Block IP, or Discard, you need to manually set the action to Allow.
        Operation: Find the rule based on its ID. In the Operation column of the rule, click Observe.
    Source Country/Region: Geographical location of the attack source IP address.
    Source Port: Source port of an attack.
    Destination IP Address: Attacked IP address.
    Destination Country/Region: Geographical location of the attack target IP address.
    Destination Port: Destination port of an attack.
    Protocol: Protocol type of an attack.
    Application: Application type of an attack.
    Direction: It can be outbound or inbound.
    Action: Action of the firewall. It can be Allow, Block, Block IP, or Discard.
    Operation: You can click View to view the basic information and attack payload of an event.
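The Tags row above carries the one check a practitioner should automate: a blocking action recorded against a WAF back-to-source IP address means the firewall is interfering with traffic that WAF forwards, and the matching rule must be adjusted. The following Python script is an added example, not code from the original page or from CFW itself. It assumes an exported attack event log in CSV form whose column names match the Table 1 parameter names; the rows, IP addresses and rule IDs are constructed for the example.

```python
import csv
import io
from collections import Counter

# Constructed sample export of attack event logs. The column names follow
# Table 1; every value (times, IPs, rule IDs, rule names) is made up.
SAMPLE_ATTACK_LOG = """\
Time,Attack Type,Risk Level,Rule ID,Rule Name,Source IP Address,Tags,Source Country/Region,Source Port,Destination IP Address,Destination Country/Region,Destination Port,Protocol,Application,Direction,Action
2024-11-01 10:15:02,HTTP,High,rule-001,Sample rule A,198.51.100.7,Other tags,Country A,51234,192.0.2.10,Country A,80,TCP,HTTP,inbound,Block
2024-11-01 10:16:40,HTTP,Medium,rule-002,Sample rule B,203.0.113.25,WAF back-to-source IP addresses,Country A,44010,192.0.2.10,Country A,443,TCP,HTTP,inbound,Block IP
2024-11-01 10:17:05,DNS,Low,rule-003,Sample rule C,203.0.113.26,WAF back-to-source IP addresses,Country A,53001,192.0.2.11,Country A,53,UDP,DNS,inbound,Allow
2024-11-02 08:00:00,TCP,Critical,rule-004,Sample rule D,198.51.100.9,Other tags,Country B,6000,192.0.2.12,Country A,22,TCP,SSH,inbound,Discard
2024-11-02 08:05:00,HTTP,High,rule-002,Sample rule B,203.0.113.27,WAF back-to-source IP addresses,Country A,44011,192.0.2.10,Country A,443,TCP,HTTP,inbound,Discard
"""

WAF_TAG = "WAF back-to-source IP addresses"   # tag text as shown in Table 1
BLOCKING_ACTIONS = {"Block", "Block IP", "Discard"}
EXPORT_LIMIT = 100_000                          # per-log export cap from Constraints


def parse_attack_log(text):
    """Parse an exported attack event log (CSV text) into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def waf_rules_to_fix(records):
    """IDs of rules whose blocking action hit a WAF back-to-source IP.

    Per the Tags note, such records mean the firewall is blocking traffic that
    WAF forwards, so the matching rule should be switched to Observe/Allow.
    """
    rule_ids = {r["Rule ID"] for r in records
                if r["Tags"] == WAF_TAG and r["Action"] in BLOCKING_ACTIONS}
    return sorted(rule_ids)


def count_by_risk(records):
    """Number of events per risk level (Critical/High/Medium/Low)."""
    return dict(Counter(r["Risk Level"] for r in records))


def blocked_destinations(records):
    """Map destination IP -> sorted list of ports on which a blocking action was taken."""
    ports = {}
    for r in records:
        if r["Action"] in BLOCKING_ACTIONS:
            ports.setdefault(r["Destination IP Address"], set()).add(int(r["Destination Port"]))
    return {ip: sorted(p) for ip, p in ports.items()}


def export_may_be_truncated(records):
    """True if the export reached the 100,000-record limit and may be incomplete."""
    return len(records) >= EXPORT_LIMIT


if __name__ == "__main__":
    events = parse_attack_log(SAMPLE_ATTACK_LOG)
    print("rules to review for WAF back-to-source hits:", waf_rules_to_fix(events))
    print("events by risk level:", count_by_risk(events))
    print("destinations with blocking actions:", blocked_destinations(events))
    print("export possibly truncated:", export_may_be_truncated(events))
```

Run against a real export, `waf_rules_to_fix` gives the list of rule IDs to look up under Operation and set to Observe, and `export_may_be_truncated` reminds the operator that a 100,000-row file is not necessarily the whole week.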

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column of a firewall to go to its details page.
  5. In the navigation pane, choose Log Audit > Log Query. Click the Access Control Logs tab and check the traffic details in the past week. For details about how to modify the action taken on an IP address, see Adding Protection Rules to Block or Allow Traffic or Adding Blacklist or Whitelist Items to Block or Allow Traffic.

    Figure 2 Access control logs
    Table 2 Access control log parameters

    Hit Time: Time of access.
    Source IP Address: Source IP address of the access.
    Source Country/Region: Geographical location of the source IP address.
    Source Port: Source port for access control. It can be a single port or a range of consecutive ports (example: 80-443).
    Destination IP Address: Destination IP address.
    Destination Host: Destination domain name.
    Destination Country/Region: Geographical location of the destination IP address.
    Destination Port: Destination port for access control. It can be a single port or a range of consecutive ports (example: 80-443).
    Protocol: Protocol type for access control.
    Action: Action taken on an event. It can be Observe, Block, or Allow.
    Rule: Type of the access control rule. It can be a blacklist or whitelist.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column of a firewall to go to its details page.
  5. In the navigation pane, choose Log Audit > Log Query. Click the Traffic Log tab to view the number of traffic bytes and packets in the past week.

    Figure 3 Traffic logs
    Table 3 Traffic log parameters

    Start Time: Time when traffic protection started.
    End Time: Time when traffic protection ended.
    Source IP Address: Source IP address of the traffic.
    Source Country/Region: Geographical location of the access source IP address.
    Source Port: Source port of the traffic.
    Destination IP Address: Destination IP address.
    Destination Country/Region: Geographical location of the destination IP address.
    Destination Port: Destination port of the traffic.
    Protocol: Protocol type of the traffic.
    Stream Size: Total number of bytes of protected traffic.
    Stream Packets: Total number of protected packets.
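Traffic logs carry a start time, an end time, a byte count and a packet count per flow, which is enough to derive per-flow bit rate and average packet size and to rank destinations by volume. The following Python script is an added example, not code from the original page or from CFW. It assumes a CSV export whose columns match the Table 3 parameter names and whose timestamps use the `YYYY-MM-DD HH:MM:SS` format; the flows themselves are constructed, and a flow whose start and end fall in the same second is treated as lasting one second (an assumption made to avoid dividing by zero).

```python
import csv
import io
from datetime import datetime

# Constructed sample export of traffic logs with the Table 3 columns; all values are made up.
SAMPLE_TRAFFIC_LOG = """\
Start Time,End Time,Source IP Address,Source Country/Region,Source Port,Destination IP Address,Destination Country/Region,Destination Port,Protocol,Stream Size,Stream Packets
2024-11-01 12:00:00,2024-11-01 12:00:10,10.0.0.5,Country A,40001,192.0.2.30,Country A,443,TCP,5000000,4000
2024-11-01 12:00:00,2024-11-01 12:05:00,10.0.0.6,Country A,40002,192.0.2.31,Country B,443,TCP,3000000,2500
2024-11-01 12:01:00,2024-11-01 12:01:00,10.0.0.7,Country A,40003,192.0.2.31,Country B,53,UDP,300,2
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format of the export


def parse_traffic_log(text):
    """Parse the CSV export, converting times to datetime and counters to int."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Start Time"] = datetime.strptime(row["Start Time"], TIME_FORMAT)
        row["End Time"] = datetime.strptime(row["End Time"], TIME_FORMAT)
        row["Stream Size"] = int(row["Stream Size"])        # bytes
        row["Stream Packets"] = int(row["Stream Packets"])  # packets
        records.append(row)
    return records


def flow_rate_bps(row):
    """Average bit rate of one flow over its protected interval.

    A flow starting and ending in the same second is counted as one second long
    (assumption) so that very short flows still get a finite rate.
    """
    seconds = max(1.0, (row["End Time"] - row["Start Time"]).total_seconds())
    return row["Stream Size"] * 8 / seconds


def average_packet_size(row):
    """Mean bytes per packet; 0.0 for a flow with no packets recorded."""
    if row["Stream Packets"] == 0:
        return 0.0
    return row["Stream Size"] / row["Stream Packets"]


def bytes_per_destination(records):
    """Total protected bytes per destination IP address."""
    totals = {}
    for r in records:
        ip = r["Destination IP Address"]
        totals[ip] = totals.get(ip, 0) + r["Stream Size"]
    return totals


def top_flows_by_rate(records, n=3):
    """The n flows with the highest average bit rate, fastest first."""
    return sorted(records, key=flow_rate_bps, reverse=True)[:n]


if __name__ == "__main__":
    flows = parse_traffic_log(SAMPLE_TRAFFIC_LOG)
    print("bytes per destination:", bytes_per_destination(flows))
    for f in top_flows_by_rate(flows):
        print(f["Source IP Address"], "->", f["Destination IP Address"],
              f"{flow_rate_bps(f):.0f} bit/s", f"{average_packet_size(f):.0f} B/packet")
```

Sorting by derived rate rather than by raw Stream Size separates a short burst from a long, slow transfer of the same total size, which the two raw counters alone do not show.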

Related Operations

Exporting logs: Click in the upper right corner to export the logs in the list.

Follow-up Operations

  • If improper blocking is recorded in access control logs, check whether your protection rules, blacklist, and whitelist configurations are correct.
  • If improper blocking is recorded in attack event logs, your normal workloads may be blocked by IPS.
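The first follow-up item asks the operator to check rule, blacklist and whitelist configuration when access control logs show improper blocking. One way to find the records worth checking is to group Block entries from the Table 2 fields by destination service and rule type and surface the services that many distinct clients are being blocked from. The following Python script is an added example, not code from the original page or from CFW; it assumes a CSV export whose columns match the Table 2 parameter names, and the "many distinct sources" threshold is a heuristic of this example rather than a CFW rule. All rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of access control logs with the Table 2 columns; all values are made up.
SAMPLE_ACCESS_LOG = """\
Hit Time,Source IP Address,Source Country/Region,Source Port,Destination IP Address,Destination Host,Destination Country/Region,Destination Port,Protocol,Action,Rule
2024-11-01 09:00:00,10.0.0.5,Country A,40001,192.0.2.20,app.example.test,Country A,443,TCP,Block,blacklist
2024-11-01 09:00:05,10.0.0.6,Country A,40002,192.0.2.20,app.example.test,Country A,443,TCP,Block,blacklist
2024-11-01 09:00:10,10.0.0.7,Country A,40003,192.0.2.20,app.example.test,Country A,443,TCP,Block,blacklist
2024-11-01 09:01:00,10.0.0.5,Country A,40004,192.0.2.21,db.example.test,Country A,3306,TCP,Allow,whitelist
2024-11-01 09:02:00,198.51.100.40,Country B,50000,192.0.2.20,app.example.test,Country A,22,TCP,Block,blacklist
2024-11-01 09:03:00,10.0.0.8,Country A,40005,192.0.2.20,app.example.test,Country A,443,TCP,Observe,whitelist
"""


def parse_access_log(text):
    """Parse an exported access control log (CSV text) into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def blocked_flow_summary(records):
    """Group Block records by (destination IP, destination port, rule type).

    Returns {(ip, port, rule): (hit count, number of distinct source IPs)}.
    """
    groups = defaultdict(lambda: {"hits": 0, "sources": set()})
    for r in records:
        if r["Action"] != "Block":
            continue
        key = (r["Destination IP Address"], r["Destination Port"], r["Rule"])
        groups[key]["hits"] += 1
        groups[key]["sources"].add(r["Source IP Address"])
    return {k: (v["hits"], len(v["sources"])) for k, v in groups.items()}


def review_candidates(records, min_sources=3):
    """Blocked destination services hit by at least min_sources distinct sources.

    Heuristic (an assumption of this example): one service being blocked for
    many different clients suggests a blacklist or protection rule that is
    broader than intended and should be re-checked, as the follow-up advises.
    """
    summary = blocked_flow_summary(records)
    return sorted(key for key, (_hits, sources) in summary.items() if sources >= min_sources)


def action_mix(records):
    """Count of records per Action (Observe/Block/Allow), a quick sanity check on the export."""
    counts = {}
    for r in records:
        counts[r["Action"]] = counts.get(r["Action"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_access_log(SAMPLE_ACCESS_LOG)
    print("action mix:", action_mix(rows))
    for key, (hits, sources) in blocked_flow_summary(rows).items():
        print("blocked", key, "hits:", hits, "distinct sources:", sources)
    print("services to review:", review_candidates(rows))
```

Each tuple that `review_candidates` returns names the destination, port and rule type to look up before changing anything; the rule itself is then adjusted as described in Adding Protection Rules to Block or Allow Traffic or Adding Blacklist or Whitelist Items to Block or Allow Traffic.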