In multi-cloud environments, security logs scattered across providers make unified threat detection harder. Security Center's Agentic SOC and cloud firewall — an AI-driven security operations platform — centralizes log import and analysis across cloud environments. This document covers how to import WAF alert logs from Tencent Cloud into Agentic SOC for unified threat detection.
How it works
Tencent Cloud logs flow into Security Center through four stages:
Aggregate logs in CLS. Logs from Tencent Cloud products, such as Web Application Firewall (WAF), are consolidated into Tencent Cloud Log Service (CLS).
Export to an intermediary. CLS exports logs to TDMQ for CKafka or Cloud Object Storage (COS), which acts as a staging layer for cross-cloud transfer.
Pull into Agentic SOC. Agentic SOC subscribes to and pulls log data from the message queue or COS using standard Kafka or S3 protocols, then sends it to a specified data source.
Ingest and normalize. Create an Ingestion Policy (a configuration that defines how logs are collected and routed) in Agentic SOC and apply a Standardization Rule (a parsing rule that normalizes raw logs into a unified schema). The policy and rule parse and normalize the raw logs before storing them in the data warehouse.
Supported logs
This solution supports importing only the Web Application Firewall (WAF) alert log from Tencent Cloud.
Ship logs to CLS
Consolidate WAF logs into Tencent Cloud Log Service (CLS) before configuring the import.
Web Application Firewall
For detailed instructions, see the official Tencent Cloud documentation: .
Authorize and enable log service. Log in to the WAF console. Go to Access Log > Log shipping or Attack Log > Log shipping. Click Configure and follow the prompts to complete authorization. After authorization, click Create on the LogShipping page.
Important: After authorization, the system automatically creates a Logset named waf_post_logset.
Enable log shipping. Enable log delivery for the logs you want to collect. For more information, see Enabling Log Shipping.
Enable Attack Log Shipping: In the WAF console, choose Instance Management in the left navigation pane. On the instance details page, turn on Attack log shipping.
Enable Access Log Shipping:
In the WAF console, choose Connection Management > Domain names. In the Actions column for the domain, click More > Log shipping.
In the advanced settings window, select a delivery target and click Save.
Cloud Firewall
For detailed instructions, see the official Tencent Cloud documentation: Cloud Firewall - Log Shipping.
Create a sub-account with permissions
Note: Alternatively, you can use an API key from your main account in API Key Management.
We recommend that you create a dedicated API account for the firewall log shipping task on the Access Management - User List page and grant it full read/write permissions for CLS: QcloudCLSFullAccess.
On the API Key tab of the User Details page, click Create Key, and securely store the generated SecretId and SecretKey (click Download CSV File or copy and save them to a local file). For more information, see Sub-account Access Key Management.
Configure log shipping to CLS
In the Cloud Firewall console, navigate to the Log Analysis page. In the Log Shipping section, select the Ship to CLS tab.
In the Configure CLS Delivery section, enter the sub-account key (SecurityID and SecurityKey) that you created in the previous step for authentication.
Turn on the shipping switch for the desired logs, such as attack logs or access control logs.
Important: After you enable shipping, you can view the corresponding CLS log topic information in the Log Topic ID/Name column.
Choose an import method
Agentic SOC imports CLS logs using standard protocols rather than Tencent Cloud-specific APIs. This means you select a protocol vendor — Apache for Kafka or AWS-S3 for object storage — rather than "Tencent Cloud" when granting permissions. (The Tencent Cloud authorization option is used only for threat detection rule linkage, such as IP blocking — not for log import.)
Choose the method based on your real-time requirements and cost priorities:
| | Kafka protocol consumption | COS |
|---|---|---|
| Real-time performance | Near real-time | Minute-level latency |
| Configuration complexity | Low | Low |
| Tencent Cloud costs | Log Service fees | COS storage fees |
| Alibaba Cloud costs | Agentic SOC log ingestion traffic fees | Agentic SOC log ingestion traffic fees |
| Best for | Stream-based security computing, rapid alert response | Cost-effective archival, batch offline analysis |
Import data using Kafka protocol consumption
Step 1: Configure Kafka on the Tencent Cloud side
Enable Kafka protocol consumption in CLS
For detailed instructions, see the official Tencent Cloud documentation: Consume Logs over Kafka.
Go to the Tencent Cloud Log Topic page and select the log storage Region in the upper-left corner.
Click the target Log Topic to open its details page.
Web Application Firewall: Typically found under the waf_post_logset Logset. For details, see Ship logs to CLS.
Cloud Firewall: You can find the log topic information on the CLS log shipping page.
In the left navigation pane, click Consumption over Kafka. On the Basic Information tab, click Edit, then turn on Current Status. Configure the following settings, then click OK.
| Setting | Value |
|---|---|
| Timestamp range | History + Latest |
| Consumer data format | JSON (select Disable Escape) or Raw Content |
| Data compression format | No Compression |
| Public access | Enabled |
| Service log | Enabled |
After completing the configuration, view the consumer parameters to get the connection details needed for the next steps:
| Parameter | Description |
|---|---|
| Public endpoint | Format: kafkaconsumer-${region}.cls.tencentcs.com:9096 |
| topic | The Kafka topic |
| username | Set to ${LogSetID} (the Logset ID) |
| password | Set to ${SecretId}#${SecretKey} |
Set up an AccessKey pair
Use either a main account key or a sub-account key with minimum required permissions.
Main account key: Go to Tencent Cloud API Key Management and click Create Key. Save the generated SecretId and SecretKey by clicking Download CSV File or copying them to a local file. For more information, see Managing main account access keys. You can use either an API key or a project key.
Sub-account key:
On the Tencent Cloud Policies page, create a policy with minimum required permissions. For more information, see Authorization for Kafka Protocol Consumption and Create custom policy by policy syntax.

    {
      "version": "2.0",
      "statement": [
        {
          "action": [
            "cls:PreviewKafkaRecharge",
            "cls:CreateKafkaRecharge",
            "cls:ModifyKafkaRecharge"
          ],
          "resource": "*",
          "effect": "allow"
        }
      ]
    }

Go to the Tencent Cloud User List page and select an existing sub-account or create a new one.
Attach the policy you created.
On the User Details page, go to the API Key tab and click Create Key. Save the generated SecretId and SecretKey. For more information, see .
Step 2: Configure Kafka log import in Security Center
Grant Security Center access to Kafka
Go to Security Center console - System Configuration - Feature Settings. In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
On the Multi-cloud Configuration Management tab, select Multi-cloud Assets, then click Grant Permission. In the panel, configure:
| Parameter | Value |
|---|---|
| Vendor | Apache |
| Connection type | Kafka |
| Endpoint | Public access address from Tencent Cloud CLS |
| Username | Kafka username from Tencent Cloud CLS |
| Password | SecretId#SecretKey (concatenated from Set up an AccessKey pair) |
| Communication protocol | sasl_plaintext |
| SASL authentication mechanism | plain |
Under Configure synchronization policy, set the AK Service Status Check interval, which is the frequency at which Security Center verifies the Tencent Cloud AccessKey pair. Select Disable to turn off this check.
Create a data import task
Create a data source (skip if you already have one for Tencent Cloud logs).
Go to . Select the region: Chinese Mainland or Outside Chinese Mainland.
On the Data Source tab, create a data source to receive logs from Tencent Cloud. For instructions, see Set up data sources.
Source data source type: Select User Log Service or Agentic SOC Dedicated Collection Channel.
Add instances: Create a new Logstore to isolate Tencent Cloud log data.
On the Data Import tab, click Add Data. Configure:
| Parameter | Value |
|---|---|
| Endpoint | Public access address for Kafka protocol consumption from Tencent Cloud |
| Topics | Consumer topic from Tencent Cloud |
| Value type | json (if Consumer Data Format is JSON) or text (if Raw Content) |
| Data source name | The data source created in step 1 |
| Target Logstore | Auto-fetched from the selected data source |
Click OK. Security Center begins pulling logs from Tencent Cloud automatically.
Import data using COS
Step 1: Prepare COS on the Tencent Cloud side
Create a CLS-to-COS shipping task
For detailed instructions, see the official Tencent Cloud documentation: Create a Shipping Task to COS.
Go to the Tencent Cloud - log topic page and select the log storage Region.
Click the target Log Topic to open its details page.
Web Application Firewall: Typically found under the waf_post_logset Logset. For details, see Ship logs to CLS.
In the left navigation pane, select Shipping to COS, then click Add Shipping Configuration. Configure the shipping task:
If a confirmation page for log archival appears, click Still Ship To COS to proceed.
Basic configuration:
| Setting | Value |
|---|---|
| Time range | No end time (required for ongoing data analysis) |
| File size | Trigger value for log delivery. When accumulated log size reaches this value, logs are delivered to COS. |
| Shipping interval | Time interval for delivery. Logs from each interval are compressed and sent to COS. |
Important: File size and shipping interval use a logical OR relationship: delivery triggers when either condition is met.
Bucket configuration:
| Setting | Value |
|---|---|
| COS bucket and Cloud Firewall | Select or create a bucket to store WAF and Cloud Firewall (CFW) logs |
| File naming | Delivery time naming (recommended for easy data identification) |
| File compression | gzip or No Compression |
| COS storage class | Standard. See Storage Class Overview. |
Warning: Security Center does not support lzop or snappy compression.
Advanced configuration:
| Setting | Value |
|---|---|
| Consumer data format | JSON |
| JSON | Disable Escape |
Get the COS bucket endpoint. Go to the Tencent Cloud Bucket List page and open the bucket you configured. Copy the domain name from the Domain Information section.
Important: The endpoint must not include the bucket name. The format is cos.${region}.myqcloud.com.
Set up an AccessKey pair
Use either a main account key or a sub-account key with minimum required permissions.
Main account key: Go to Tencent Cloud API Key Management and click Create Key. Save the generated SecretId and SecretKey. For more information, see . You can use either an API key or a project key.
Sub-account key:
On the page, create a policy with minimum required permissions. For more information, see Authorization for Shipping to COS and Create custom policy by policy syntax.

    {
      "version": "2.0",
      "statement": [
        {
          "effect": "allow",
          "action": [
            "cls:DescribeTopics",
            "cls:DescribeLogsets",
            "cls:DescribeIndex",
            "cls:CreateShipper"
          ],
          "resource": "*"
        },
        {
          "effect": "allow",
          "action": [
            "tag:DescribeResourceTagsByResourceIds",
            "tag:DescribeTagKeys",
            "tag:DescribeTagValues",
            "cls:ModifyShipper",
            "cls:DescribeShippers",
            "cls:DeleteShipper",
            "cls:DescribeShipperTasks",
            "cls:RetryShipperTask",
            "cls:DescribeShipperPreview",
            "cos:GetService",
            "cam:ListAttachedRolePolicies",
            "cam:AttachRolePolicy",
            "cam:CreateRole",
            "cam:DescribeRoleList"
          ],
          "resource": "*"
        }
      ]
    }

Go to the page and select an existing sub-account or create a new one.
Attach the policy you created.
On the User Details page, go to the API Key tab and click Create Key. Save the generated SecretId and SecretKey. For more information, see Managing sub-account access keys.
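Before attaching a policy to the sub-account whose key will be handed to Security Center, it is worth confirming that the policy grants nothing beyond the minimum action lists given in the Kafka and COS sections above. The following audit is an added example, not part of the original documentation; the function name and the over-broad sample policy are constructed for illustration, and the allowed sets are copied from the two policies on this page.

```python
import json

# Minimum action sets copied from the two policies shown in this document.
KAFKA_ACTIONS = {
    "cls:PreviewKafkaRecharge", "cls:CreateKafkaRecharge", "cls:ModifyKafkaRecharge",
}
COS_ACTIONS = {
    "cls:DescribeTopics", "cls:DescribeLogsets", "cls:DescribeIndex",
    "cls:CreateShipper", "cls:ModifyShipper", "cls:DescribeShippers",
    "cls:DeleteShipper", "cls:DescribeShipperTasks", "cls:RetryShipperTask",
    "cls:DescribeShipperPreview", "cos:GetService",
    "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys",
    "tag:DescribeTagValues", "cam:ListAttachedRolePolicies",
    "cam:AttachRolePolicy", "cam:CreateRole", "cam:DescribeRoleList",
}


def excess_actions(policy_text, allowed):
    """Return the sorted actions that 'allow' statements grant beyond `allowed`."""
    policy = json.loads(policy_text)
    excess = set()
    for stmt in policy.get("statement", []):
        if stmt.get("effect", "").lower() != "allow":
            continue  # deny statements cannot widen access
        actions = stmt.get("action", [])
        if isinstance(actions, str):  # tolerate a single action given as a string
            actions = [actions]
        for action in actions:
            # Any wildcard is broader than the explicit minimum list.
            if "*" in action or action not in allowed:
                excess.add(action)
    return sorted(excess)


# Constructed sample: a Kafka-consumption policy that has grown too broad.
SAMPLE_POLICY = json.dumps({
    "version": "2.0",
    "statement": [
        {"effect": "allow", "resource": "*",
         "action": ["cls:PreviewKafkaRecharge", "cls:*", "cos:GetObject"]},
        {"effect": "deny", "resource": "*", "action": "cls:DeleteShipper"},
    ],
})

if __name__ == "__main__":
    print(excess_actions(SAMPLE_POLICY, KAFKA_ACTIONS))
```

An empty result means the policy stays within the minimum set; anything listed should be removed or justified before the key is created.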
Step 2: Configure COS log import in Security Center
Grant Security Center access to COS
Go to . Select the region: Chinese Mainland or Outside Chinese Mainland.
On the Multi-cloud Configuration Management tab, select Multi-cloud Assets, click Grant Permission, then select IDC from the dropdown. In the panel, configure:
| Parameter | Value |
|---|---|
| Vendor | AWS-S3 |
| Connection type | S3 |
| Endpoint | COS bucket access domain name (from Create a CLS-to-COS shipping task) |
| Access Key ID | SecretId from Set up an AccessKey pair |
| Secret Access Key | SecretKey from Set up an AccessKey pair |
Under Configure synchronization policy, set the AK Service Status Check interval. Select Disable to turn off this check.
Create a data import task
Go to Security Center console > Agentic SOC > Integration Center. Select the region: Chinese Mainland or Outside Chinese Mainland.
On the Data Import tab, click Add Data. Configure:
| Parameter | Value |
|---|---|
| Endpoint | COS bucket access domain name |
| Bucket | COS bucket name |
| Data source name | A custom data source with normal status (Custom Log Capability or Agentic SOC Dedicated Data Collection Channel). If none exists, see Set up data sources. |
| Target Logstore | Auto-fetched from the selected data source |
Click OK. Security Center begins pulling logs from Tencent Cloud automatically.
Analyze imported data
After logs arrive in Simple Log Service (SLS), configure ingestion and detection rules to enable analysis in Agentic SOC.
Create an ingestion policy. Follow Add a product to Agentic SOC 2.0 to create an ingestion policy with:
Data Source: The target data source configured in the data import task.
Standardization Rule: Agentic SOC provides built-in standardization rules for Tencent Cloud logs. To create custom rules, see Standardized log access rules.
Standardization Method: Defaults to Real-time Consumption and cannot be changed.

Configure threat detection rules. Enable or create log detection rules in rule management based on your security needs. The system analyzes logs, generates alerts, and creates security events. For instructions, see Configure threat detection rules.
Billing
This solution involves fees from both Tencent Cloud and Alibaba Cloud. Review the billing documentation for each service before implementation.
Tencent Cloud:
| Service | Fee items | Billing documentation |
|---|---|---|
| CLS | Log storage, read/write operations | Tencent Cloud Log Service billing overview |
| COS | Storage capacity, requests, public network traffic | Tencent Cloud COS billing overview |
Alibaba Cloud:
Costs depend on the data source type selected during setup.
For Agentic SOC billing, see Agentic SOC Subscription and Agentic SOC Pay-As-You-Go. For Simple Log Service (SLS) billing, see SLS billing overview.
| Data source type | Agentic SOC fee items | SLS fee items | Details |
|---|---|---|---|
| Agentic SOC Dedicated Collection Channel | Log ingestion fees + log storage and write fees (both consume Log Ingestion Traffic) | Fees other than storage and writes (such as public network traffic) | Agentic SOC creates and manages the SLS resources, so Agentic SOC is billed for Logstore storage and write operations. |
| User Log Service | Log ingestion fees (Log Ingestion Traffic) | All log-related fees (storage, writes, public network traffic) | Log resources are fully managed by SLS, so all log-related fees are billed by SLS. |
FAQ
No log data appears in SLS after creating the import task.
Work through these checks in order:
Check Tencent Cloud: Log in to the Tencent Cloud console and confirm that logs have been generated and delivered to your CLS, Kafka topic, or COS bucket.
Check authorization credentials: In Security Center, on the Multi-cloud Assets page, verify the authorization status. Confirm the AccessKey pair is valid and the password uses the correct SecretId#SecretKey concatenated format for Tencent Cloud Kafka.
Check network connectivity: If using Kafka, confirm that public access is enabled for the Kafka service in Tencent Cloud and that your security group or firewall rules allow access from Security Center's service IPs.
Check the import task: In Security Center, on the Data Import page, review the task status and error logs, then make corrections based on the reported information.
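The format-related items in this checklist can be verified before the values are entered in Security Center. The following pre-flight check is an added example, not part of the original documentation: it validates the Kafka and COS settings against the formats this page states (endpoint patterns, the SecretId#SecretKey password, sasl_plaintext with plain, and the supported compression settings). The function names, dictionary keys and sample values are constructed for illustration.

```python
import re

# Formats and values stated in this document.
KAFKA_ENDPOINT = re.compile(r"kafkaconsumer-[a-z0-9-]+\.cls\.tencentcs\.com:9096")
COS_ENDPOINT = re.compile(r"cos\.[a-z0-9-]+\.myqcloud\.com")
SUPPORTED_COMPRESSION = {"gzip", "no compression"}  # lzop and snappy are rejected


def check_kafka(cfg):
    """Return problems found in a Kafka import configuration (empty list = OK)."""
    problems = []
    if not KAFKA_ENDPOINT.fullmatch(cfg.get("endpoint", "")):
        problems.append("endpoint is not kafkaconsumer-${region}.cls.tencentcs.com:9096")
    if not cfg.get("username"):
        problems.append("username (Logset ID) is empty")
    # Password must be ${SecretId}#${SecretKey}: one '#', no blanks or stray spaces.
    parts = cfg.get("password", "").split("#")
    if len(parts) != 2 or any(not p or p != p.strip() for p in parts):
        problems.append("password is not SecretId#SecretKey")
    if cfg.get("protocol", "").lower() != "sasl_plaintext":
        problems.append("communication protocol is not sasl_plaintext")
    if cfg.get("mechanism", "").lower() != "plain":
        problems.append("SASL mechanism is not plain")
    return problems


def check_cos(cfg):
    """Return problems found in a COS import configuration (empty list = OK)."""
    problems = []
    endpoint = cfg.get("endpoint", "")
    if not COS_ENDPOINT.fullmatch(endpoint):
        if COS_ENDPOINT.search(endpoint) and endpoint.endswith(".myqcloud.com"):
            problems.append("endpoint has a prefix such as the bucket name")
        else:
            problems.append("endpoint is not cos.${region}.myqcloud.com")
    if not cfg.get("bucket"):
        problems.append("bucket name is empty")
    if cfg.get("compression", "").lower() not in SUPPORTED_COMPRESSION:
        problems.append("compression must be gzip or No Compression")
    return problems


# Constructed sample values; the identifiers and keys are placeholders.
KAFKA_SAMPLE = {"endpoint": "kafkaconsumer-ap-guangzhou.cls.tencentcs.com:9096",
                "username": "example-logset-id", "password": "EXAMPLEID#EXAMPLEKEY",
                "protocol": "sasl_plaintext", "mechanism": "plain"}
COS_SAMPLE = {"endpoint": "examplebucket-1250000000.cos.ap-guangzhou.myqcloud.com",
              "bucket": "examplebucket-1250000000", "compression": "snappy"}
```

Here `check_kafka(KAFKA_SAMPLE)` returns an empty list, while `check_cos(COS_SAMPLE)` reports both the bucket-prefixed endpoint and the unsupported compression.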
Why select Apache or AWS-S3 instead of Tencent Cloud when granting permissions?
Log import uses standard, protocol-based connections rather than vendor-specific APIs:
Apache represents the Kafka protocol; AWS-S3 represents the S3 object storage protocol.
The Tencent Cloud authorization option is used only to integrate Agentic SOC threat detection rules with Tencent Cloud for security event linkage (such as blocking IPs). It cannot be used for log import.