Updated on 2024-04-09 GMT+08:00

Querying Logs

CFW allows you to query logs generated within the last seven days. The following types of logs are available:

  • Attack event log: information about traffic detected by IPS, including the risk level, affected port, matched rule, and attack event type. If traffic is blocked by mistake, you can change the action of the IPS rule that matched it. For details, see Modifying the Action of a Basic Protection Rule.
  • Access control log: all traffic that matched an access control policy. For details about how to modify a protection rule, see Editing a Protection Rule.
  • Traffic log: all traffic passing through the firewall.

On the Log Query page, you can view and export log data of the last seven days, as described in this section. If logs are also recorded in LTS, you can view log data from the past 1 to 360 days. For details, see Log Management.

Prerequisites

Constraints

  • Logs are retained on the Log Query page for up to seven days. To keep them longer, record them in LTS.
  • Up to 100,000 records can be exported from a single log type.

Attack Event Logs

  1. Log in to the management console.
  2. Click the region selector in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click the service list icon and choose Security & Compliance > Cloud Firewall. The Dashboard page is displayed.
  4. (Optional) If the current account has only one firewall instance, its details page is displayed directly. If there are multiple firewall instances, click View in the Operation column of the instance to open its details page.
  5. In the navigation pane, choose Log Audit > Log Query. The Attack Event Logs tab page is displayed, showing attack events from the past seven days.

    Figure 1 Attack event logs
    Table 1 Attack event log parameters

      • Time: Time when the attack occurred.
      • Attack Type: Type of the attack event, for example IMAP, DNS, FTP, HTTP, POP3, TCP, or UDP.
      • Severity: Critical, High, Medium, or Low.
      • Rule ID: ID of the IPS rule that the traffic matched.
      • Rule Name: Name of the matched rule in the IPS rule library.
      • Source IP Address: Source IP address of the attack.
      • Source Country/Region: Geographical location of the attack source IP address.
      • Source Port: Source port of the attack.
      • Destination IP Address: Attacked IP address.
      • Destination Country/Region: Geographical location of the attacked IP address.
      • Destination Port: Destination port of the attack.
      • Protocol: Protocol of the attack traffic.
      • Application: Application type of the attack traffic.
      • Direction: Inbound or outbound.
      • Action: Action taken on the event: Observe, Block, or Allow.
      • Operation: Click View to see the basic information and the attack payload of the event.

Access Control Logs

  1. Log in to the management console.
  2. Click the region selector in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click the service list icon and choose Security & Compliance > Cloud Firewall. The Dashboard page is displayed.
  4. (Optional) If the current account has only one firewall instance, its details page is displayed directly. If there are multiple firewall instances, click View in the Operation column of the instance to open its details page.
  5. In the navigation pane, choose Log Audit > Log Query. Click the Access Control Logs tab to view the traffic that matched access control policies in the past seven days. To change the action applied to an IP address, see Adding a Protection Rule or Adding an Item to the Blacklist or Whitelist.

    Figure 2 Access control logs
    Table 2 Access control log parameters

      • Hit Time: Time when the traffic matched the rule.
      • Source IP: Source IP address of the access.
      • Source Country/Region: Geographical location of the source IP address.
      • Source Port: Source port of the access. It can be a single port or a consecutive port range (for example, 80-443).
      • Destination IP: Destination IP address of the access.
      • Destination Country/Region: Geographical location of the destination IP address.
      • Destination Port: Destination port of the access. It can be a single port or a consecutive port range (for example, 80-443).
      • Protocol: Protocol of the access.
      • Action: Action taken on the event: Observe, Block, or Allow.
      • Rule: Type of the access control rule that matched: blacklist or whitelist.

Traffic Logs

  1. Log in to the management console.
  2. Click the region selector in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click the service list icon and choose Security & Compliance > Cloud Firewall. The Dashboard page is displayed.
  4. (Optional) If the current account has only one firewall instance, its details page is displayed directly. If there are multiple firewall instances, click View in the Operation column of the instance to open its details page.
  5. In the navigation pane, choose Log Audit > Log Query. Click the Traffic Log tab to view the bytes and packets of traffic that passed through the firewall in the past seven days.

    Figure 3 Traffic logs
    Table 3 Traffic log parameters

      • Start Time: Time when the traffic flow started.
      • End Time: Time when the traffic flow ended.
      • Source IP: Source IP address of the traffic.
      • Source Country/Region: Geographical location of the source IP address.
      • Source Port: Source port of the traffic.
      • Destination IP: Destination IP address of the traffic.
      • Destination URL: Destination domain name that was accessed.
      • Destination Country/Region: Geographical location of the destination IP address.
      • Destination Port: Destination port of the traffic.
      • Protocol: Protocol of the traffic.
      • Stream Size: Total number of bytes of the protected traffic.
      • Stream Packets: Total number of packets of the protected traffic.
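Tables 1 to 3 describe the fields of each log type but not what to do with an export. The following Python script is an added example, not part of the CFW documentation or product: it triages exported attack event, access control, and traffic logs offline. It assumes the exports are CSV files whose header row uses the column names from Tables 1 to 3 (the page does not specify the export format), and every log row, rule ID and rule name in it is a constructed placeholder. It lists high-severity attack events that were only observed rather than blocked (the cases to review before changing a rule action), counts blocked sources in the access control log, sums bytes per flow in the traffic log for a chosen source network, and joins attack events to traffic-log flows on source, destination and port to show how much data passed after an observed detection.

```python
"""Offline triage of logs exported from the CFW Log Query page.

Added example, not part of the CFW documentation or product. Assumes CSV
exports whose headers use the column names of Tables 1 to 3; every row,
rule ID and rule name below is a constructed placeholder.
"""
import csv
import io
import ipaddress
from collections import Counter

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed attack event log export (Table 1 columns). Rule IDs 9000xx and
# the rule names are placeholders, not real IPS signatures.
ATTACK_EVENTS_CSV = """\
Time,Attack Type,Severity,Rule ID,Rule Name,Source IP Address,Source Country/Region,Source Port,Destination IP Address,Destination Country/Region,Destination Port,Protocol,Application,Direction,Action
2024-04-08 10:01:02,HTTP,Critical,900001,placeholder webshell upload,203.0.113.7,Example,51234,10.0.1.5,Example,80,TCP,HTTP,Inbound,Observe
2024-04-08 10:02:10,HTTP,High,900002,placeholder SQL injection,203.0.113.7,Example,51240,10.0.1.5,Example,80,TCP,HTTP,Inbound,Block
2024-04-08 10:05:44,DNS,High,900003,placeholder DNS tunnel,10.0.1.9,Example,40000,198.51.100.2,Example,53,UDP,DNS,Outbound,Observe
2024-04-08 10:06:00,TCP,Low,900004,placeholder port scan,198.51.100.9,Example,44444,10.0.1.5,Example,22,TCP,SSH,Inbound,Block
"""

# Constructed access control log export (Table 2 columns).
ACCESS_CONTROL_CSV = """\
Hit Time,Source IP,Source Country/Region,Source Port,Destination IP,Destination Country/Region,Destination Port,Protocol,Action,Rule
2024-04-08 10:00:01,198.51.100.9,Example,44401,10.0.1.5,Example,22,TCP,Block,blacklist
2024-04-08 10:00:02,198.51.100.9,Example,44402,10.0.1.5,Example,3389,TCP,Block,blacklist
2024-04-08 10:00:03,203.0.113.7,Example,51000,10.0.1.5,Example,80,TCP,Allow,whitelist
2024-04-08 10:00:04,198.51.100.9,Example,44403,10.0.1.6,Example,22,TCP,Block,blacklist
"""

# Constructed traffic log export (Table 3 columns). Stream Size is in bytes.
TRAFFIC_CSV = """\
Start Time,End Time,Source IP,Source Country/Region,Source Port,Destination IP,Destination URL,Destination Country/Region,Destination Port,Protocol,Stream Size,Stream Packets
2024-04-08 10:01:02,2024-04-08 10:01:05,203.0.113.7,Example,51234,10.0.1.5,,Example,80,TCP,20480,30
2024-04-08 10:05:44,2024-04-08 10:35:00,10.0.1.9,Example,40000,198.51.100.2,,Example,53,UDP,52428800,410000
2024-04-08 10:07:00,2024-04-08 10:07:01,10.0.1.5,Example,55000,198.51.100.20,example.com,Example,443,TCP,4096,12
"""


def load(csv_text):
    """Parse one exported log file (CSV text) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def unblocked_high_severity(events, min_severity="High"):
    """Attack events at or above min_severity whose action was not Block.

    These deserve the first look: the IPS rated the traffic serious, but the
    rule action (Observe or Allow) let it through. Sorted by severity, then time.
    """
    floor = SEVERITY_RANK[min_severity]
    hits = [e for e in events
            if SEVERITY_RANK.get(e["Severity"], 0) >= floor and e["Action"] != "Block"]
    hits.sort(key=lambda e: (-SEVERITY_RANK[e["Severity"]], e["Time"]))
    return [(e["Rule ID"], e["Severity"], e["Direction"], e["Source IP Address"],
             e["Destination IP Address"], e["Destination Port"], e["Action"])
            for e in hits]


def blocked_sources(acl_rows):
    """Count Block hits per source IP in the access control log. Many hits from
    one source across several ports looks like a scan; a single block of a
    known-good client is a candidate for a protection rule change."""
    return Counter(r["Source IP"] for r in acl_rows if r["Action"] == "Block")


def bytes_by_flow(traffic_rows, source_network=None):
    """Sum Stream Size per (source IP, destination IP, destination port).
    If source_network (a CIDR string) is given, keep only flows whose source
    lies inside it, e.g. to isolate traffic leaving internal hosts."""
    net = ipaddress.ip_network(source_network) if source_network else None
    totals = Counter()
    for r in traffic_rows:
        if net is not None and ipaddress.ip_address(r["Source IP"]) not in net:
            continue
        key = (r["Source IP"], r["Destination IP"], r["Destination Port"])
        totals[key] += int(r["Stream Size"])
    return totals


def correlate_with_traffic(events, traffic_rows):
    """For each unblocked high-severity event, total the traffic-log bytes on
    the same (source, destination, port) to estimate what got through after
    the detection. Returns a list of (rule ID, src, dst, port, bytes)."""
    flows = bytes_by_flow(traffic_rows)
    return [(rule_id, src, dst, dport, flows.get((src, dst, dport), 0))
            for rule_id, _sev, _dir, src, dst, dport, _act in unblocked_high_severity(events)]


if __name__ == "__main__":
    events, acl, traffic = load(ATTACK_EVENTS_CSV), load(ACCESS_CONTROL_CSV), load(TRAFFIC_CSV)
    print("Unblocked high-severity events:")
    for hit in unblocked_high_severity(events):
        print("  ", hit)
    print("Blocked sources:", blocked_sources(acl).most_common(5))
    print("Bytes by flow from 10.0.0.0/8:", bytes_by_flow(traffic, "10.0.0.0/8").most_common(5))
    print("Bytes passed after observed detections:", correlate_with_traffic(events, traffic))
```

To run it on real exports, replace the three embedded strings with the contents of the exported files (or read them with open()). Because a single export is capped at 100,000 records, split a busy seven-day window into shorter query ranges and export each one before aggregating, so that no range silently truncates.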