Updated on 2024-02-05 GMT+08:00

Using LTS to Configure Block Alarms for WAF Rules

After you authorize WAF to access Log Tank Service (LTS), you can use the attack logs recorded by LTS for quick and efficient real-time analysis, device O&M management, and analysis of service trends.

This topic walks you through how to enable LTS quick analysis for WAF attack logs and configure alarm rules to analyze WAF attack logs and generate alarms. In this way, you can gain insight into the protection status of your workloads in WAF in real time and make informed decisions.

Prerequisites

  • You have connected the website you want to protect to WAF.
  • You have enabled WAF attack log stream in LTS.
  • You have enabled Simple Message Notification (SMN).

Quickly Analyzing Rule Block Logs

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Management & Governance > Log Tank Service.

    Figure 1 Log stream name configured for attack logs

  4. In the log group list, expand the WAF log group and choose log stream attack.
  5. On the log stream details page, click in the upper right corner. On the page displayed, click the Cloud Structured Parsing tab.
  6. Select JSON for log structuring. Then, click Select from existing events and select a log in the dialog box displayed on the right.
  7. Click Intelligent Extraction to find the fields you want to analyze quickly. Enable these fields in the Quick Analysis column. After this, you can collect and analyze periodic logs.

    Figure 2 Log extraction field

  8. Find the category field, click in the Alias column, change the field name, and click to save the settings.

    The system already has a built-in category field, so you must change the alias of the category field; otherwise, your settings cannot be saved.

  9. In the lower right corner of the list, click Save. LTS quickly analyzes and collects statistics on logs in the specified period.
  10. In the navigation pane, choose Visualization. On the right pane, select a log query time range, enter an SQL statement in the search box, and click Query.

    You can group logs by rule and URI. Enter the following SQL statement in the search box to query logs of a specified rule:

    select rule, uri, count(*) as cnt where action = 'block' group by rule, uri order by cnt desc

Creating an Alarm Rule

  1. Click in the upper left corner of the page and choose Management & Governance > Log Tank Service.
  2. In the navigation pane on the left, choose Alarms > Alarm Rules.
  3. Click Create. In the dialog box displayed on the right, specify related parameters. Table 1 describes the parameters.

    Figure 3 Create Alarm Rule
    Table 1 Parameter description

    Rule Name
      Description: Name of the custom rule.
      Example value: WAF alarms

    Statistics
      Description: Select By SQL.
      Example value: By SQL

    Charts
      Description: Click Configure from Scratch and set the following:
      • Specify Log Group Name and Log Stream Name.
      • Query Time Range: Time range over which log statistics are collected.
      • Query Statement: Enter the SQL statement configured in Step 10, for example, select rule,uri,count(*) as cnt where action='block' group by rule,uri order by cnt desc.
      Example value: None

    Query Frequency
      Description: How often the query statement is run and the alarm condition is evaluated. Generally, a fixed custom interval of 5 minutes is selected.
      Example value: Custom interval, 5 minutes

    Conditional Expression
      Description: Alarm threshold applied to the query result (here, the cnt column).
      Example value: cnt>5

    Alarm Severity
      Description: Select an alarm severity based on how urgently blocks by the rule need attention. The options are critical, major, minor, and info.
      Example value: Major

    Send Notification
      Description: Select Yes.
      Example value: Yes

    SMN Topic
      Description: Select a topic from the drop-down list or create a topic.
      If there are no topics, click View Topic and perform the following steps to create a topic:
      1. Create a topic. For details, see Creating a Topic.
      2. Add one or more subscriptions to the topic. You will need to provide a phone number, email address, function, platform application endpoint, DMS endpoint, or HTTP/HTTPS endpoint for receiving alarm notifications. For details, see Adding a Subscription.
      3. Confirm the subscription. After the subscription is added, confirm the subscription.
      For details about topics and subscriptions, see the Simple Message Notification User Guide.
      Example value: None

    Time Zone/Language
      Description: You can modify the language and time zone for receiving messages.
      Example value: None

    Message Templates
      Description: Select an existing template from the drop-down list box or click Create Message Template and create a template.
      Example value: sql_template

  4. Confirm all parameters and click OK. The alarm rule is configured. When the alarm rule is triggered, you will receive an alarm email or SMS message.