Querying Logs
CFW allows you to query logs generated within the last seven days. The following types of logs are available:
- Attack event log: Information about the traffic detected by IPS, including the risk level, affected port, matched rule, and attack event type. If traffic is incorrectly blocked, you can modify the IPS protection action. For details, see Modifying the Action of a Basic Protection Rule.
- Access control log: all traffic that matches the access control policy. For details about how to modify the protection rule, see Editing a Protection Rule.
- Traffic log: all traffic passing through the firewall.
- On the Log Query page, you can check and export log data of the last seven days. For details, see Querying Logs.
- If logs are recorded in LTS, you can view log data in the past 1 to 360 days. For details, see Log Management.
Prerequisites
- You have performed operations in Enabling EIP Protection.
- You have enabled basic intrusion prevention.
Constraints
- Logs can be stored for up to seven days.
- Up to 100,000 records can be exported for a single log.
Attack Event Logs
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, click and choose . The Dashboard page will be displayed.
- (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
- In the navigation pane, choose Log Audit > Log Query. The Attack Event Logs tab page is displayed. You can view details about attack events in the past week.
Figure 1 Attack event logs
Table 1 Attack event log parameters

| Parameter | Description |
| --- | --- |
| Time | Time when an attack occurred. |
| Attack Type | Type of the attack event, including IMAP, DNS, FTP, HTTP, POP3, TCP, and UDP. |
| Severity | It can be Critical, High, Medium, or Low. |
| Rule ID | ID of the matched rule. |
| Rule Name | Matched rule in the library. |
| Source IP Address | Source IP address of an attack event. |
| Source Country/Region | Geographical location of the attack source IP address. |
| Source Port | Source port of an attack. |
| Destination IP Address | Attacked IP address. |
| Destination Country/Region | Geographical location of the attack target IP address. |
| Destination Port | Destination port of an attack. |
| Protocol | Protocol type of an attack. |
| Application | Application type of an attack. |
| Direction | It can be outbound or inbound. |
| Action | Action taken on an event. It can be Observe, Block, or Allow. |
| Operation | You can click View to view the basic information and attack payload of an event. |
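A triage pass over an exported attack event log, as an added example that is not part of the CFW documentation: it lists Critical/High events that were only observed or allowed, counts blocks per rule for false-positive review, and flags an export that reached the 100,000-record limit. The CSV layout and column names are assumed to match Table 1, and the sample rows and rule IDs are constructed.

```python
import csv
import io
from collections import Counter

EXPORT_CAP = 100_000  # per-export record limit listed under Constraints

# Constructed sample export. Assumption: a CSV whose columns are named as in Table 1.
SAMPLE_EXPORT = """\
Time,Attack Type,Severity,Rule ID,Source IP Address,Destination IP Address,Destination Port,Direction,Action
2024-05-01 10:00:01,HTTP,Critical,1001,198.51.100.7,192.0.2.10,443,inbound,Observe
2024-05-01 10:00:09,HTTP,Critical,1001,198.51.100.7,192.0.2.10,443,inbound,Observe
2024-05-01 10:02:30,TCP,High,1002,203.0.113.9,192.0.2.11,22,inbound,Allow
2024-05-01 10:03:12,HTTP,Medium,1003,203.0.113.9,192.0.2.10,80,inbound,Observe
2024-05-01 10:04:45,TCP,High,1002,203.0.113.20,192.0.2.11,22,inbound,Block
2024-05-01 10:05:00,DNS,Low,1004,192.0.2.10,203.0.113.53,53,outbound,Block
"""

def triage(rows):
    """Summarise attack event rows (dicts keyed by the Table 1 parameter names)."""
    rows = list(rows)
    unblocked = Counter()   # Critical/High events that were not blocked
    blocked = Counter()     # Block count per rule, for false-positive review
    for row in rows:
        severity = row["Severity"].strip().lower()
        action = row["Action"].strip().lower()
        if action == "block":
            blocked[row["Rule ID"]] += 1
        elif severity in ("critical", "high"):
            key = (row["Rule ID"], row["Source IP Address"], row["Destination Port"])
            unblocked[key] += 1
    return {
        "unblocked_high": unblocked.most_common(),
        "blocked_by_rule": blocked.most_common(),
        # An export at the cap may be missing records; narrow the time range and re-export.
        "possibly_truncated": len(rows) >= EXPORT_CAP,
    }

def triage_csv(text):
    """Parse exported CSV text and run the triage."""
    return triage(csv.DictReader(io.StringIO(text)))

if __name__ == "__main__":
    for name, value in triage_csv(SAMPLE_EXPORT).items():
        print(name, value)
```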
Access Control Logs
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, click and choose . The Dashboard page will be displayed.
- (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
- In the navigation pane, choose Log Audit > Log Query. Click the Access Control Logs tab and check the traffic details in the past week. For details about how to modify the response action of an IP address, see Adding a Protection Rule or Adding an Item to the Blacklist or Whitelist.
Figure 2 Access control logs
Table 2 Access control log parameters

| Parameter | Description |
| --- | --- |
| Hit Time | Time of access. |
| Source IP | Source IP address of the access. |
| Source Country/Region | Geographical location of the source IP address. |
| Source Port | Source port for access control. It can be a single port or consecutive port groups (example: 80-443). |
| Destination IP | Destination IP address. |
| Destination Country/Region | Geographical location of the destination IP address. |
| Destination Port | Destination port for access control. It can be a single port or consecutive port groups (example: 80-443). |
| Protocol | Protocol type for access control. |
| Action | Action taken on an event. It can be Observe, Block, or Allow. |
| Rule | Type of an access control rule. It can be a blacklist or whitelist. |
Traffic Logs
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, click and choose . The Dashboard page will be displayed.
- (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
- In the navigation pane, choose . Click the Traffic Log tab to view the number of traffic bytes and packets in the past week.
Figure 3 Traffic logs
Table 3 Traffic log parameters

| Parameter | Description |
| --- | --- |
| Start Time | Time when traffic protection started. |
| End Time | Time when traffic protection ended. |
| Source IP | Source IP address of the traffic. |
| Source Country/Region | Geographical location of the access source IP address. |
| Source Port | Source port of the traffic. |
| Destination IP | Destination IP address. |
| Destination URL | Destination domain name to be accessed. |
| Destination Country/Region | Geographical location of the destination IP address. |
| Destination Port | Destination port of the traffic. |
| Protocol | Protocol type of the traffic. |
| Stream Size | Total number of bytes of protected traffic. |
| Stream Packets | Total number of protected packets. |