CFW Dashboard Templates
CFW is a next-generation cloud-native firewall. It protects Internet and VPC borders on the cloud through real-time intrusion detection and prevention, global unified access control, full traffic analysis, log audit, and tracing. CFW employs AI for intelligent defense and can be elastically scaled to meet changing business needs, helping you handle security threats. In attack event logs, you can view the risk levels, affected ports, matched rules, and attack event types of detected dangerous traffic. In access control logs, you can view all allowed or blocked traffic and use it to adjust access control policies.
CFW dashboard templates cover three tasks: Viewing CFW Access Log Center, Viewing CFW Traffic Log Center, and Viewing CFW Attack Log Center.
Prerequisites
- Logs have been collected from CFW. For details, see Ingesting CFW Logs to LTS.
- Logs have been structured. For details, see Setting Cloud Structuring Parsing.
Viewing CFW Access Log Center
- Log in to the LTS console. In the navigation pane, choose Log Management.
- In the Log Applications area, click CFW Log Center and choose Go to the Dashboard.
- In the dashboard list, choose CFW dashboard templates under Dashboard Templates and click CFW access log center to view the chart details.
- The Blockage Trends (Internet Access) chart displays the blockage trend of Internet access. The associated query and analysis statement is:
select time_series(MILLIS_TO_TIMESTAMP(hit_time), 'PT1M', 'yyyy-MM-dd HH:mm:ss', '0') as t_time,COUNT(*) as frequency WHERE action='deny' AND direction='out2in' group by t_time order by t_time
- The Blockage Trends (Server-Originated Access) chart displays the blockage trend of server-originated access. The associated query and analysis statement is:
select time_series(MILLIS_TO_TIMESTAMP(hit_time), 'PT1M', 'yyyy-MM-dd HH:mm:ss', '0') as t_time,COUNT(*) as frequency WHERE action='deny' AND direction='in2out' group by t_time order by t_time
- The 5 Most Blocked Applications chart displays the top 5 applications with the most Internet access blocks. The associated query and analysis statement is:
SELECT app, COUNT(*) as frequency WHERE action='deny' AND direction='out2in' GROUP BY app ORDER BY frequency DESC LIMIT 5
- The 5 Most Blocked Destinations chart displays the top 5 destinations with the most Internet access blocks. The associated query and analysis statement is:
SELECT dst_ip, COUNT(*) as frequency WHERE action='deny' AND direction='out2in' GROUP BY dst_ip ORDER BY frequency DESC LIMIT 5
- The 5 Most Blocked Sources chart displays the top 5 sources with the most Internet access blocks. The associated query and analysis statement is:
SELECT src_ip, COUNT(*) as frequency WHERE action='deny' AND direction='out2in' GROUP BY src_ip ORDER BY frequency DESC LIMIT 5
- The 5 Most Blocked Applications (Server-Originated Access) chart displays the top 5 applications with the most server-originated access blocks. The associated query and analysis statement is:
SELECT app, COUNT(*) as frequency WHERE action='deny' AND direction='in2out' GROUP BY app ORDER BY frequency DESC LIMIT 5
- The 5 Most Blocked Destinations (Server-Originated Access) chart displays the top 5 destinations with the most server-originated access blocks. The associated query and analysis statement is:
SELECT dst_ip, COUNT(*) as frequency WHERE action='deny' AND direction='in2out' GROUP BY dst_ip ORDER BY frequency DESC LIMIT 5
- The 5 Most Blocked Sources (Server-Originated Access) chart displays the top 5 sources with the most server-originated access blocks. The associated query and analysis statement is:
SELECT src_ip, COUNT(*) as frequency WHERE action='deny' AND direction='in2out' GROUP BY src_ip ORDER BY frequency DESC LIMIT 5
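The following added example (not part of the LTS documentation or the CFW product) reproduces locally what the Blockage Trends and 5 Most Blocked Sources statements compute, for checking exported access logs against the dashboard. It assumes records carry the fields the queries reference, that `hit_time` is in epoch milliseconds, and that the final `'0'` argument of `time_series` fills empty one-minute buckets with zero; the sample records, the `allow` value and all function names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timezone

BASE = 1_699_999_980_000  # 2023-11-14 22:13:00 UTC, in epoch milliseconds

# Constructed sample records; "allow" stands for any action other than 'deny'.
SAMPLE = [
    {"hit_time": BASE + 5_000, "action": "deny", "direction": "in2out",
     "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "app": "HTTPS"},
    {"hit_time": BASE + 20_000, "action": "deny", "direction": "in2out",
     "src_ip": "10.0.0.5", "dst_ip": "203.0.113.11", "app": "DNS"},
    {"hit_time": BASE + 30_000, "action": "allow", "direction": "in2out",
     "src_ip": "10.0.0.7", "dst_ip": "203.0.113.12", "app": "HTTPS"},
    {"hit_time": BASE + 130_000, "action": "deny", "direction": "in2out",
     "src_ip": "10.0.0.9", "dst_ip": "203.0.113.10", "app": "SSH"},
    {"hit_time": BASE + 140_000, "action": "deny", "direction": "out2in",
     "src_ip": "198.51.100.4", "dst_ip": "10.0.0.5", "app": "SSH"},
]


def denied(records, direction):
    """Equivalent of: WHERE action='deny' AND direction=<direction>."""
    return [r for r in records
            if r["action"] == "deny" and r["direction"] == direction]


def blockage_trend(records, direction):
    """Per-minute deny counts, zero-filled between the first and last bucket.

    Timestamps are rendered in UTC here; the console may use another zone.
    """
    buckets = Counter(r["hit_time"] // 60_000 for r in denied(records, direction))
    if not buckets:
        return []
    fmt = "%Y-%m-%d %H:%M:%S"
    return [
        (datetime.fromtimestamp(m * 60, tz=timezone.utc).strftime(fmt), buckets[m])
        for m in range(min(buckets), max(buckets) + 1)
    ]


def top_blocked(records, direction, field, n=5):
    """Equivalent of: GROUP BY <field> ORDER BY frequency DESC LIMIT n."""
    return Counter(r[field] for r in denied(records, direction)).most_common(n)


if __name__ == "__main__":
    print(blockage_trend(SAMPLE, "in2out"))
    print(top_blocked(SAMPLE, "in2out", "src_ip"))
```

A single internal source that dominates the server-originated (`in2out`) deny counts is worth reviewing against the access control policy that blocked it.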
Viewing CFW Traffic Log Center
- Log in to the LTS console. In the navigation pane, choose Log Management.
- In the Log Applications area, click CFW Log Center and choose Go to the Dashboard.
- In the dashboard list, choose CFW dashboard templates under Dashboard Templates and click CFW traffic log center to view the chart details.
- The Traffic Trends (Internet Access) chart displays the traffic trend of Internet access. The associated query and analysis statement is:
select time_series(MILLIS_TO_TIMESTAMP(start_time), 'PT1M', 'yyyy-MM-dd HH:mm:ss', '0') as t_time, SUM(to_s_bytes) AS 'Inbound', SUM(to_c_bytes) AS 'Outbound' WHERE direction='out2in' group by t_time order by t_time
- The Region Distribution of Inbound Internet Access (China) chart displays the distribution of inbound Internet access by region in China. The associated query and analysis statement is:
SELECT count(*) AS PV, ip_to_province(src_ip) AS province WHERE direction='out2in' and IP_TO_COUNTRY (src_ip) = 'China' GROUP BY province HAVING province not in ('','Reserved address','*') ORDER BY PV DESC
- The Region Distribution of Inbound Internet Access (Global) chart displays the distribution of inbound Internet access by region in the world. The associated query and analysis statement is:
SELECT count(*) AS PV, ip_to_country(src_ip) AS country WHERE direction='out2in' GROUP BY country HAVING country not in ('','Reserved address','*') ORDER BY PV DESC
- The Application Distribution of Internet Access chart displays the application distribution of Internet access. The associated query and analysis statement is:
SELECT app, COUNT(*) AS num WHERE direction='out2in' GROUP BY app ORDER BY num DESC
- The Top 5 Source IP Addresses chart displays the top 5 source IP addresses of Internet access. The associated query and analysis statement is:
select src_ip, SUM(bytes)/1024 as sum_bytes WHERE direction='out2in' GROUP BY src_ip ORDER BY sum_bytes DESC LIMIT 5
- The Top 5 Destination IP Addresses chart displays the top 5 destination IP addresses of Internet access. The associated query and analysis statement is:
select dst_ip, SUM(bytes)/1024 as sum_bytes WHERE direction='out2in' GROUP BY dst_ip ORDER BY sum_bytes DESC LIMIT 5
- The Traffic Trends (Server-Originated Access) chart displays the traffic trend of server-originated access. The associated query and analysis statement is:
select time_series(MILLIS_TO_TIMESTAMP(start_time), 'PT1M', 'yyyy-MM-dd HH:mm:ss', '0') as t_time, SUM(to_c_bytes) AS 'Inbound', SUM(to_s_bytes) AS 'Outbound' WHERE direction='in2out' group by t_time order by t_time
- The Destination Region Distribution of Server Originated Access (China) chart displays the destination region distribution of server-originated access in China. The associated query and analysis statement is:
SELECT count(*) AS PV, ip_to_province(dst_ip) AS province WHERE direction='in2out' and IP_TO_COUNTRY (dst_ip) = 'China' GROUP BY province HAVING province not in ('','Reserved address','*') ORDER BY PV DESC
- The Destination Region Distribution (Global) chart displays the destination region distribution in the world. The associated query and analysis statement is:
SELECT count(*) AS PV, ip_to_country(dst_ip) AS country WHERE direction='in2out' GROUP BY country HAVING country not in ('','Reserved address','*') ORDER BY PV DESC
- The Application Distribution (Server-Originated Access) chart displays the application distribution of server-originated access. The associated query and analysis statement is:
SELECT app, COUNT(*) AS num WHERE direction='in2out' GROUP BY app ORDER BY num DESC
- The Top 5 Source IP Addresses (Server-Originated Access) chart displays the top 5 source IP addresses of server-originated access. The associated query and analysis statement is:
select src_ip, SUM(bytes)/1024 as sum_bytes WHERE direction='in2out' GROUP BY src_ip ORDER BY sum_bytes DESC LIMIT 5
- The Top 5 Destination IP Addresses (Server-Originated Access) chart displays the top 5 destination IP addresses of server-originated access. The associated query and analysis statement is:
select dst_ip, SUM(bytes)/1024 as sum_bytes WHERE direction='in2out' GROUP BY dst_ip ORDER BY sum_bytes DESC LIMIT 5
Viewing CFW Attack Log Center
- Log in to the LTS console. In the navigation pane, choose Log Management.
- In the Log Applications area, click CFW Log Center and choose Go to the Dashboard.
- In the dashboard list, choose CFW dashboard templates under Dashboard Templates and click CFW attack log center to view the chart details.
- Attack Trends. The associated query and analysis statement is:
select time_series(MILLIS_TO_TIMESTAMP(event_time), 'PT1M', 'yyyy-MM-dd HH:mm:ss', '0') as t_time, count(*) as frequency group by t_time order by t_time
- Sources (China). The associated query and analysis statement is:
SELECT count(*) as PV,ip_to_province(src_ip) as province WHERE IP_TO_COUNTRY (src_ip) = 'China' GROUP BY province HAVING province not in ('','Reserved address','*')
- Sources (Global). The associated query and analysis statement is:
SELECT count(*) AS PV,ip_to_country(src_ip) AS country GROUP BY country HAVING country not in ('','Reserved address','*')
- Types. The associated query and analysis statement is:
SELECT attack_type, COUNT(*) as num GROUP BY attack_type ORDER BY num
- Top 5 Destinations. The associated query and analysis statement is:
SELECT dst_ip, COUNT(*) as frequency GROUP BY dst_ip ORDER BY frequency DESC LIMIT 5
- Top 5 Sources. The associated query and analysis statement is:
SELECT src_ip, COUNT(*) as frequency GROUP BY src_ip ORDER BY frequency DESC LIMIT 5