Updated on 2024-01-30 GMT+08:00

Analyzing Huawei Cloud WAF Logs for O&M Insights

Introduction

Web Application Firewall (WAF) examines all HTTP and HTTPS requests to detect and block attacks such as SQL injections, cross-site scripting (XSS), Trojan upload, and command or code injections. You can check the access and attack logs for real-time decision-making, device O&M, and service trend analysis.

Prerequisites

You have purchased and used a Huawei Cloud WAF instance.

Procedure

  1. Add a website to WAF.

    1. Log in to the management console.
    2. Click in the upper left corner to select the desired region and project.
    3. Click in the upper left corner and choose Security & Compliance > Web Application Firewall.
    4. Add the domain name by referring to Add a Domain Name to WAF.

  2. Enable WAF logging to collect WAF logs to LTS. For details, see Enabling LTS for WAF Logging.

    1. On the WAF console, choose Events in the navigation pane and click the Configure Logs tab. Enable logging and select a log group and log stream. If necessary, create a log group and a log stream first.
    2. Click OK.
    Figure 1 Configuring logs

  3. Click in the upper left corner and choose Management & Governance > Log Tank Service.
  4. On the Log Management page, click the name of a log stream to access its details page, and then click in the upper right corner. Click the Cloud Structuring Parsing tab. Select JSON, select a sample log event, and complete the configuration. For details, see Log Structuring.

    Figure 2 Configuring logs in JSON format

  5. On the log stream details page, click Visualization and run SQL queries. For details about how to visualize query results, see Log Structuring.

    • To count the number of attacks within a week, run the following SQL statement:
      select count(*) as attack_times
    • To count the number of attacks by type in one day, run the following SQL statement:
      select attack, count(*) as times group by attack

      The query results can be displayed in a table, bar chart, line chart, pie chart, or number chart.
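
To check what the two statements in step 5 should return before relying on the console charts, the added example below (not from Huawei Cloud documentation) loads JSON-structured events into SQLite and runs the same aggregations. The table name waf, the "time" field and all sample values are assumptions; the FROM clause and time condition are added because SQLite needs them, while the page's statements contain neither.

```python
import json
import sqlite3
from datetime import datetime, timedelta

# Constructed sample events; only the "attack" field name comes from the page.
SAMPLE_LOGS = """\
{"time": "2024-01-29T09:15:02", "attack": "sqli"}
{"time": "2024-01-29T09:15:40", "attack": "xss"}
{"time": "2024-01-29T22:01:13", "attack": "sqli"}
{"time": "2024-01-25T03:44:51", "attack": "cmdi"}
{"time": "2024-01-10T12:00:00", "attack": "xss"}
not-json: truncated event
{"time": "2024-01-29T23:59:59"}
"""

def load_events(text):
    """Structure each line as JSON; return (db, skipped_line_count)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table waf (time text, attack text)")  # assumed schema
    skipped = 0
    for line in text.splitlines():
        try:
            event = json.loads(line)
            row = (datetime.fromisoformat(event["time"]).isoformat(),
                   str(event["attack"]))
        except (ValueError, KeyError, TypeError):
            skipped += 1  # not JSON, or missing/invalid time or attack field
            continue
        db.execute("insert into waf values (?, ?)", row)
    return db, skipped

def _window(end, days):
    return (end - timedelta(days=days)).isoformat(), end.isoformat()

def attack_times(db, end, days=7):
    """The page's first statement, limited to the last `days` days."""
    sql = "select count(*) as attack_times from waf where time between ? and ?"
    return db.execute(sql, _window(end, days)).fetchone()[0]

def attacks_by_type(db, end, days=1):
    """The page's second statement, limited to the last `days` days."""
    sql = ("select attack, count(*) as times from waf "
           "where time between ? and ? group by attack")
    return dict(db.execute(sql, _window(end, days)).fetchall())

if __name__ == "__main__":
    db, skipped = load_events(SAMPLE_LOGS)
    now = datetime(2024, 1, 30)  # fixed "now" so the sample is reproducible
    print(attack_times(db, now), attacks_by_type(db, now), "skipped:", skipped)
```

A nonzero skipped count means some events would not structure as JSON or lack the attack field, so the totals undercount until the structuring configuration is corrected.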