Using LTS to Quickly Query and Analyze WAF Access Logs

Prerequisites

• You have connected the website you want to protect to WAF.
• You have enabled LTS for WAF logging.

Procedure

1. Log in to the management console.
2. Click in the upper left corner of the management console and select a region or project.
3. Click in the upper left corner of the page and choose Management & Governance > Log Tank Service.
4. In the Log Group Name column, click the name of the target log group (for example, lts-waf) to go the log stream page.
5. In the Log Stream Name column, click the name of the log stream used for WAF access logs (for example, lts-waf-access). Then, select the Log Stream tab.
   Figure 1 Accessing the log stream page
   

6. On the log stream details page, click in the upper right corner. On the page displayed, click the Cloud Structured Parsing tab.
7. Select JSON as the log structure, as shown in Figure 2.
   Figure 2 JSON
   

8. In the Step 1 Select a sample log event. area, click Select from existing log events. In the displayed Select Log Event dialog box, select a log and click OK.
   Figure 3 Select Log Event
   

9. In the Step 2 Extract fields area, click Intelligent Extraction and enable quick analysis for the log field you want to analyze (for example, remote_ip).

   remote_ip: IP address of a client from which the request originates.

   Figure 4 Selecting log fields for quick analysis
   

10. Click Save. Then, LTS will start a quick analysis and do statistics for logs collected in a certain period.
    Figure 5 Quickly analysis of access logs
    

11. In the navigation pane, choose Visualization. On the right pane, select a log query time range, enter an SQL statement in the search box, and click Query to query the specified log.

    You can enter either of the following SQL statements in the search box to query logs of a specified IP address:

    select * where remote_ip = 'xx.xx.xx.xx' or select * where remote_ip like 'xx.xx.xx%'