Cloud Firewall log analysis, modify log type, delivery region, storage duration, capacity-Cloud Firewall(Cloud Firewall)-阿里云帮助中心

Note

Prerequisites: Enable the log analysis feature. For more information, see Enable the log analysis feature.
Access the console: Log on to the Cloud Firewall console. In the navigation pane on the left, choose Detection & Response > Log Analysis.

Set log collection types

Cloud Firewall supports collecting the following traffic logs:

Internet traffic logs
- Attack event logs: Traffic matching Internet firewall intrusion prevention rules.
- Access control logs: Traffic matching Internet firewall access control policies.
- Other traffic logs: All other traffic passing through Internet firewalls.
VPC traffic logs
- Attack event logs: Traffic matching VPC firewall intrusion prevention rules.
- Access control logs: Traffic matching VPC firewall access control policies.
- Other traffic logs: All other traffic passing through VPC firewalls.
DNS traffic logs: All traffic passing through DNS firewalls.
IPv6 traffic logs: Traffic matching IPv6 access control policies of Internet firewalls.
NAT traffic logs: All traffic passing through NAT firewalls.

Modify the log types collected by Cloud Firewall: In the upper-right corner of the Log Analysis page, click Log Delivery to modify the delivery switch for each log type.

Important

Disabling the delivery switch for a log type stops collection of that type. The system does not automatically delete existing logs or the corresponding Project.

Modify log storage region

By default, logs are stored in the China (Hangzhou) region. If your business runs in a different region, cross-region synchronization fees or data integration issues may occur. Change the storage region to match your deployment.

Warning

Before you switch the delivery region:

Switching creates a new log Project and deletes the original. Back up logs manually if needed.
The switch takes 5 to 10 minutes. Do not perform other log operations during this time.
Logs are not delivered or stored during the switch. Perform the switch during off-peak hours.

Procedure: In the upper-right corner of the Log Analysis page, click Log Settings. Then, configure the Log Delivery Mode and Delivery Region.

Log Delivery Mode: Supports Single-Region Shipping and Dual-Region Delivery. Single-Region Shipping is the default. If you have assets both in and outside the Chinese mainland and need log compliance, select Dual-Region Delivery. After enabling Dual-Region Delivery, configure capacity and duration independently for each region.
Important
- With Dual-Region Delivery, each region requires at least 1 TB storage capacity.
- The legacy pay-as-you-go 1.0 billing method does not support this feature. Upgrade to the new billing method to use it.
- You can switch delivery modes only three times per month.
Delivery Region: Select the delivery region from the supported list.

Modify log storage duration

The default storage duration is 180 days (range: 7 to 730 days). Logs beyond this period are automatically deleted and cannot be recovered. Adjust the duration based on your storage capacity and business needs.

Important

When storage reaches capacity, the system stops collecting new logs. Set an appropriate duration and monitor usage regularly.
After you reduce the storage duration, logs exceeding the new duration are automatically deleted within 1 to 2 hours. For example, changing the duration from 180 to 30 days deletes all logs older than 30 days.

Procedure: In the upper-right corner of the Log Analysis page, click Log Settings. Then, modify the settings in the Storage Duration area.

Expand storage capacity

Monitor your log storage usage regularly to prevent collection from stopping when capacity is full.

View storage usage: In the upper-right corner of the Log Analysis page, view the storage usage.

Storage usage on this page has a two-hour delay. When storage is nearly full, expand capacity or purge logs proactively.
Storage capacity expansion: In the upper-right corner of the Log Analysis page, click Adjust Capacity. Select a larger capacity and pay the expansion fee. If you use the Dual-Region Delivery mode, manually allocate the expanded capacity to each delivery region.
Purge existing logs: In the upper-right corner of the Log Analysis page, click Delete All Logs. Click OK in the dialog box. Purging takes 1 to 2 hours.
Warning
- Purged logs cannot be recovered. Use this feature with caution.
- You have four purge opportunities after enabling the log service. Opportunities reset to four upon each Cloud Firewall renewal.