Querying Logs
CFW allows you to query logs generated within the last seven days. The following types of logs are available:
- Attack event log: Events detected by attack defense functions, such as IPS, are recorded. You can modify the protection action if traffic is improperly blocked. For details, see Modifying the Protection Action of an Intrusion Prevention Rule. For details about how to modify the protection action of antivirus, see Modifying the Virus Defense Action for Better Protection Effect.
- Access control logs: All traffic that matches the access control policies are recorded. For details about how to modify a protection rule, see Managing Protection Rules. For details about how to modify the blacklist or whitelist, see Editing the Blacklist or Whitelist.
- Traffic logs: All traffic passing through the firewall is recorded.
One or multiple types of logs can be recorded in LTS. You can view log data in the past 1 to 360 days. For details, see Log Management.
Prerequisites
- You have performed operations in Enabling Internet Border Traffic Protection.
- You have enabled basic intrusion prevention.
Constraints
- Logs can be stored for up to seven days.
- Up to 100,000 records can be exported for a single log.
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, click and choose . The Dashboard page will be displayed.
- (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column of a firewall to go to its details page.
- In the navigation pane, choose Log Audit > Log Query. The Attack Event Logs tab page is displayed. You can view details about attack events in the past week.
Figure 1 Attack event logs
Table 1 Attack event log parameters Parameter
Description
Time
Time when an attack occurred.
Attack Type
Type of the attack event, including IMAP, DNS, FTP, HTTP, POP3, TCP, and UDP.
Risk Level
It can be Critical, High, Medium, or Low.
Rule ID
Rule ID
Rule Name
Matched rule in the library.
Source IP Address
Source IP address of an attack event.
Tags
IP address type identifier.
- Other tags: IP addresses that are not WAF back-to-source IP addresses. No special actions required.
- WAF back-to-source IP addresses: Source IP Address is a WAF back-to-source IP address. If the Action of this record is Block, Block IP, or Discard, you need to manually set the action to Allow.
Operation: Find the rule based on its ID. In the Operation column of the rule, click Observe.
Source Country/Region
Geographical location of the attack source IP address.
Source Port
Source port of an attack.
Destination IP Address
Attacked IP address.
Destination Country/Region
Geographical location of the attack target IP address.
Destination Port
Destination port of an attack.
Protocol
Protocol type of an attack.
Application
Application type of an attack.
Direction
It can be outbound or inbound.
Action
Action of the firewall. It can be:
- Allow
- Block
- Block IP
- Discard
Operation
You can click View to view the basic information and attack payload of an event.
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, click and choose . The Dashboard page will be displayed.
- (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column of a firewall to go to its details page.
- In the navigation pane, choose Log Audit > Log Query. Click the Access Control Logs tab and check the traffic details in the past week. For details about how to modify the action taken on an IP address, see Adding Protection Rules to Block or Allow Traffic or Adding Blacklist or Whitelist Items to Block or Allow Traffic.
Figure 2 Access control logs
Table 2 Access control log parameters Parameter
Description
Hit Time
Time of access.
Source IP Address
Source IP address of the access.
Source Country/Region
Geographical location of the source IP address.
Source Port
Source port for access control. It can be a single port or consecutive port groups (example: 80-443).
Destination IP Address
Destination IP address.
Destination Host
Destination domain name
Destination Country/Region
Geographical location of the destination IP address.
Destination Port
Destination port for access control. It can be a single port or consecutive port groups (example: 80-443).
Protocol
Protocol type for access control.
Action
Action taken on an event. It can be Observe, Block, or Allow.
Rule
Type of an access control rule. It can be a blacklist or whitelist.
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, click and choose . The Dashboard page will be displayed.
- (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column of a firewall to go to its details page.
- In the navigation pane, choose Traffic Log tab to view the number of traffic bytes and packets in the past week.
. Click the Figure 3 Traffic logs
Table 3 Traffic log parameters Parameter
Description
Start Time
Time when traffic protection started.
End Time
Time when traffic protection ended.
Source IP Address
Source IP address of the traffic
Source Country/Region
Geographical location of the access source IP address.
Source Port
Source port of the traffic.
Destination IP Address
Destination IP address.
Destination Country/Region
Geographical location of the destination IP address.
Destination Port
Destination port of the traffic.
Protocol
Protocol type of the traffic.
Stream Size
Total number of bytes of protected traffic.
Stream Packets
Total number of protected packets.
Related Operations
Exporting logs: Click in the upper right corner to export the logs in the list.
Follow-up Operations
- If improper blocking is recorded in access control logs, check whether your protection rules, blacklist, and whitelist configurations are correct.
- If improper blocking is recorded in attack event logs, your normal workloads may be blocked by IPS.
- If the traffic from an IP address is improperly blocked, add it to the whitelist.
- If the traffic from multiple IP addresses is blocked, check logs to see whether it is blocked by a single rule or multiple rules.
- Blocked by a single rule: Modify the protection action of the rule. For details, see Modifying the Action of a Basic Protection Rule.
- Blocked by multiple rules: Modify the protection mode. For details, see Adjusting the IPS Protection Mode to Block Network Attacks.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.