Updated on 2024-07-05 GMT+08:00

Querying Logs

CFW allows you to query logs generated within the last seven days. The following types of logs are available:

  • Attack event log: Information about the traffic detected by IPS, including the risk level, affected port, matched rule, and attack event type. If traffic is incorrectly blocked, you can modify the IPS protection action. For details, see Modifying the Action of a Basic Protection Rule.
  • Access control log: all traffic that matches the access control policy. For details about how to modify the protection rule, see Editing a Protection Rule.
  • Traffic log: all traffic passing through the firewall.
  • On the Log Query page, you can check and export log data of the last seven days. For details, see Querying Logs.
  • One or multiple types of logs can be recorded in LTS. You can view log data in the past 1 to 360 days. For details, see Log Management.

Prerequisites

Constraints

  • Logs can be stored for up to seven days.
  • Up to 100,000 records can be exported for a single log.

Attack Event Logs

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch firewall instance: Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Log Audit > Log Query. The Attack Event Logs tab page is displayed. You can view details about attack events in the past week.

    Figure 1 Attack event logs
    Table 1 Attack event log parameters

    • Time: Time when an attack occurred.
    • Attack Type: Type of the attack event, including IMAP, DNS, FTP, HTTP, POP3, TCP, and UDP.
    • Severity: It can be Critical, High, Medium, or Low.
    • Rule ID: ID of the matched rule.
    • Rule Name: Matched rule in the library.
    • Source IP Address: Source IP address of an attack event.
    • Tags: IP address type identifier.
      • Other tags: IP addresses that are not WAF back-to-source IP addresses. No special action is required.
      • WAF back-to-source IP addresses: Source IP Address is a WAF back-to-source IP address. If the Action of this record is Block, Block IP, or Discard, you need to manually set the action to Allow. Operation: Find the rule based on its ID. In the Operation column of the rule, click Observe.
    • Source Country/Region: Geographical location of the attack source IP address.
    • Source Port: Source port of an attack.
    • Destination IP Address: Attacked IP address.
    • Destination Country/Region: Geographical location of the attack target IP address.
    • Destination Port: Destination port of an attack.
    • Protocol: Protocol type of an attack.
    • Application: Application type of an attack.
    • Direction: It can be outbound or inbound.
    • Action: Action of the firewall. It can be Allow, Block, Block IP, or Discard.
    • Operation: You can click View to view the basic information and attack payload of an event.

Access Control Logs

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch firewall instance: Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Log Audit > Log Query. Click the Access Control Logs tab and check the traffic details in the past week. For details about how to modify the action taken on an IP address, see Adding a Protection Rule or Adding an Item to the Blacklist or Whitelist.

    Figure 2 Access control logs
    Table 2 Access control log parameters

    • Hit Time: Time of access.
    • Source IP: Source IP address of the access.
    • Source Country/Region: Geographical location of the source IP address.
    • Source Port: Source port for access control. It can be a single port or a range of consecutive ports (example: 80-443).
    • Destination IP: Destination IP address.
    • Destination URL: Destination domain name.
    • Destination Country/Region: Geographical location of the destination IP address.
    • Destination Port: Destination port for access control. It can be a single port or a range of consecutive ports (example: 80-443).
    • Protocol: Protocol type for access control.
    • Action: Action taken on an event. It can be Observe, Block, or Allow.
    • Rule: Type of an access control rule. It can be a blacklist or whitelist.

Traffic Logs

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch firewall instance: Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Log Audit > Log Query. Click the Traffic Log tab to view the number of traffic bytes and packets in the past week.

    Figure 3 Traffic logs
    Table 3 Traffic log parameters

    • Start Time: Time when traffic protection started.
    • End Time: Time when traffic protection ended.
    • Source IP: Source IP address of the traffic.
    • Source Country/Region: Geographical location of the access source IP address.
    • Source Port: Source port of the traffic.
    • Destination IP: Destination IP address.
    • Destination URL: Destination domain name to be accessed.
    • Destination Country/Region: Geographical location of the destination IP address.
    • Destination Port: Destination port of the traffic.
    • Protocol: Protocol type of the traffic.
    • Stream Size: Total number of bytes of protected traffic.
    • Stream Packets: Total number of protected packets.

Related Operations

To export logs, click on the right of the date and time picker.

Follow-up Operations

  • If improper blocking is recorded in access control logs, check whether your protection rules, blacklist, and whitelist configurations are correct.
  • If improper blocking is recorded in attack event logs, your normal workloads may be blocked by IPS.
    • If an IP address is improperly blocked, add it to the whitelist.
    • If multiple IP addresses are improperly blocked, change the protection mode.
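The two triage rules above (Table 1's note that a blocking action on a WAF back-to-source IP must be switched to Observe, and the follow-up guidance that one blocked IP is a whitelist case while many blocked IPs is a protection-mode case) can be applied to an exported attack event log. The following is an added example, not code from the CFW documentation; it assumes the export is loaded as a list of dicts keyed by the Table 1 parameter names, and all records and rule IDs in it are constructed.

```python
"""Triage exported CFW attack event log records (added example, not from the
CFW documentation). Records use the field names of Table 1; the export is
assumed to be a list of dicts with those keys; sample data is constructed."""
from collections import defaultdict

BLOCKING_ACTIONS = {"Block", "Block IP", "Discard"}
WAF_TAG = "WAF back-to-source IP addresses"

# Constructed sample records (not real log data; rule IDs are placeholders).
SAMPLE_RECORDS = [
    {"Time": "2024-07-01 10:00:01", "Attack Type": "HTTP", "Severity": "High",
     "Rule ID": "100234", "Rule Name": "Example rule A",
     "Source IP Address": "192.0.2.10", "Tags": WAF_TAG, "Action": "Block"},
    {"Time": "2024-07-01 10:00:05", "Attack Type": "HTTP", "Severity": "Medium",
     "Rule ID": "100234", "Rule Name": "Example rule A",
     "Source IP Address": "192.0.2.11", "Tags": "Other tags", "Action": "Block IP"},
    {"Time": "2024-07-01 10:01:00", "Attack Type": "TCP", "Severity": "Low",
     "Rule ID": "100777", "Rule Name": "Example rule B",
     "Source IP Address": "198.51.100.5", "Tags": "Other tags", "Action": "Allow"},
    {"Time": "2024-07-01 10:02:00", "Attack Type": "DNS", "Severity": "Critical",
     "Rule ID": "100234", "Rule Name": "Example rule A",
     "Source IP Address": "192.0.2.12", "Tags": "Other tags", "Action": "Discard"},
]


def rules_blocking_waf_traffic(records):
    """Rule IDs whose blocking hits came from WAF back-to-source IPs.

    Table 1 says these rules must be switched to Observe manually.
    """
    return sorted({r["Rule ID"] for r in records
                   if r["Tags"] == WAF_TAG and r["Action"] in BLOCKING_ACTIONS})


def blocked_source_ips_per_rule(records):
    """Map each rule ID to the distinct source IPs it blocked.

    Many distinct IPs under one rule is the "multiple IP addresses" case of
    the follow-up guidance (change the protection mode, not the whitelist).
    """
    hits = defaultdict(set)
    for r in records:
        if r["Action"] in BLOCKING_ACTIONS:
            hits[r["Rule ID"]].add(r["Source IP Address"])
    return dict(hits)


if __name__ == "__main__":
    print("Rules to set to Observe:", rules_blocking_waf_traffic(SAMPLE_RECORDS))
    for rule, ips in blocked_source_ips_per_rule(SAMPLE_RECORDS).items():
        print(f"Rule {rule} blocked {len(ips)} distinct source IP(s)")
```

Rules that appear only in the first result need their action changed; rules with many distinct IPs in the second are the candidates for a protection-mode change rather than per-address whitelisting.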