Updated on 2022-10-10 GMT+08:00

Using LTS to Quickly Query and Analyze WAF Access Logs

After you authorize WAF to access Log Tank Service (LTS), you can use the WAF logs recorded by LTS for quick and efficient real-time analysis, device O&M management, and analysis of service trends.

This practice uses the access log stream lts-waf-access of log group lts-waf as an example to describe how to use LTS to quickly query and analyze logs.

Prerequisites

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Management & Governance > Log Tank Service.
  4. In the Log Group Name/ID column, click the name of the target log group (for example, lts-waf) to go to the log stream page.
  5. In the Log Stream Name/ID column, click the name of the log stream used for WAF access logs (for example, lts-waf-access), as shown in Figure 1. Then, select the Raw Logs tab.

    Figure 1 Accessing the log stream page

  6. In the navigation pane on the left, choose Log Configuration. Then, go to the Log Content tab.
  7. Select JSON as the log structure, as shown in Figure 2.

    Figure 2 JSON

    If log content has been configured for the log stream, click in the upper right corner of the parameter configuration area to reconfigure log content.

  8. In the Step 1 Select a sample log event. area, click Select from existing log event. In the displayed Select Log Event dialog box, select a log and click OK.

    Figure 3 Select Log Event

  9. In the Step 2 Extract fields area, click Intelligent Extraction and enable quick analysis for the log field you want to analyze (for example, remote_ip), as shown in Figure 4.

    remote_ip: IP address of a client from which the request originates.

    Figure 4 Selecting log fields for quick analysis

  10. Click Save. LTS then starts a quick analysis and collects statistics on the logs collected in a certain period. Figure 5 shows an example.

    Figure 5 Quick analysis of access logs

  11. In the navigation pane, choose Visualization. In the right pane, select a log query time range, enter an SQL statement in the search box, and click Query to query the specified log.

    You can enter either of the following SQL statements in the search box to query logs of a specified IP address:

    select * where remote_ip = 'xx.xx.xx.xx'

    or

    select * where remote_ip like 'xx.xx.xx%'
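
The following is an added example, not part of the original page or of LTS. It shows offline which remote_ip values a prefix pattern such as 'xx.xx.xx%' keeps, compared with a pattern that ends in a dot and with a real /24 membership test. It assumes standard SQL LIKE semantics; the sample events are constructed, and only the remote_ip field name comes from this page.

```python
import ipaddress
import json
import re

# Constructed sample events (documentation address ranges). Only the
# remote_ip field name is taken from the page; real events carry more fields.
SAMPLE_EVENTS = [
    '{"remote_ip": "192.0.2.7"}',
    '{"remote_ip": "192.0.2.200"}',
    '{"remote_ip": "192.0.20.15"}',
    '{"remote_ip": "192.0.213.9"}',
    '{"remote_ip": "198.51.100.4"}',
]


def load(lines):
    """Parse one JSON log event per line."""
    return [json.loads(line) for line in lines]


def like_to_regex(pattern):
    """Translate a SQL LIKE pattern (% = any run, _ = one char) to a regex.

    Assumption: standard SQL LIKE semantics, no escape character.
    """
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def match_like(events, pattern):
    """remote_ip values that `where remote_ip like '<pattern>'` would keep."""
    rx = like_to_regex(pattern)
    return [e["remote_ip"] for e in events if rx.fullmatch(e["remote_ip"])]


def match_cidr(events, cidr):
    """remote_ip values that really belong to the given network."""
    net = ipaddress.ip_network(cidr)
    return [e["remote_ip"] for e in events
            if ipaddress.ip_address(e["remote_ip"]) in net]


if __name__ == "__main__":
    events = load(SAMPLE_EVENTS)
    for pat in ("192.0.2%", "192.0.2.%"):
        print(f"like '{pat}':", match_like(events, pat))
    print("in 192.0.2.0/24:", match_cidr(events, "192.0.2.0/24"))
```

When the goal is to isolate one /24, ending the pattern with the dot ('xx.xx.xx.%') keeps the result set aligned with the subnet; without it, addresses whose third octet merely starts with the same digits are also returned.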