Updated on 2025-07-23 GMT+08:00

Querying Logs

CFW allows you to query logs generated within the last seven days. The following types of logs are available:

  • Attack event logs: The events detected by attack defense functions, such as IPS, are recorded.
  • Access control logs: All traffic that matches the access control policy are recorded.
  • Traffic logs: All traffic passing through the firewall is recorded.

One or multiple types of logs can be recorded in LTS. You can view log data in the past 1 to 365 days. For details, see Log Management.

Constraints

  • Logs can be stored for up to seven days.
  • For each type of logs, up to 1,000 records can be viewed, and up to 100,000 records can be exported.
  • Traffic logs are collected based on sessions. Data about a connection is not reported until connection is terminated.

Checking Logs

Perform the following operations to view logs.

References

  • Exporting logs: Click in the upper right corner of the log list to export the logs in the list.
  • CFW provides the network packet capture function. You can capture traffic by IP address, port number, or protocol type to quickly locate network faults and identify security risks. For details, see Network Packet Capture.

Follow-up Operations

  • If improper blocking is recorded in access control logs, your normal workloads may have been blocked by IPS. In this case, check the policy configuration. For details about how to modify protection rules, see Managing Protection Rules. For details about how to modify the blacklist and whitelist, see Editing the Blacklist or Whitelist.
  • If improper blocking is recorded in attack event logs, your normal workloads may be blocked by IPS.