How to modify log settings-Web Application Firewall(WAF)-阿里云帮助中心

After you enable the Log Service for WAF feature, you can adjust how WAF collects and stores logs — including the retention period, which fields to include, and whether to store all traffic or only blocked requests. Configuring these settings lets you balance storage consumption against the depth of visibility you need for security analysis and compliance audits.

Log settings apply to all domain names for which log collection is enabled.

The available log settings depend on the billing method of your WAF instance.

Parameter	Subscription WAF instance (Advanced, Enterprise, Ultimate, and Exclusive editions)	Pay-as-you-go WAF instance
Storage period
Custom field configuration
Log type

Prerequisites

Before you begin, ensure that you have:

The Log Service for WAF feature enabled. For setup instructions, see Get started with the Simple Log Service for WAF feature

Modify log settings

Log on to the WAF console. In the top navigation bar, select the resource group and the region where your WAF instance is deployed (Chinese Mainland or Outside Chinese Mainland).
In the left-side navigation pane, choose Log Management > Log Service.
In the upper-right corner of the Log Service page, click Log Settings.
Configure the parameters in the following table, then click Save.

Parameter	Description
Storage Period	The number of days to retain logs. Default value: 180. Valid values: 15–360. For a subscription WAF instance, the default storage period is 180 days. You can set the value to an integer from 15 to 360. For a pay-as-you-go WAF instance, the default storage period is 7 days and cannot be changed. To change this, you must convert the instance to the subscription billing method. For more information about how to switch between billing methods, see Switch between billing methods.
Custom Field Configuration	The log fields included in WAF logs. Fields are divided into two categories: Required Fields (always included, cannot be modified) and Optional Fields (added based on your analysis needs). To add an optional field, select it in the Available Fields section and click the right arrow to move it to the Selected Fields section. For the full list of supported fields, see Log fields supported by WAF.
Log Type	The type of requests to log. See Choose a log type below.

Choose a log type

Log type	What gets logged	When to use
Full Logs	All requests — both allowed and blocked	Use when you need complete traffic visibility for security analysis, rule tuning, or compliance audits
Block Logs	Only blocked requests	Use when storage is a concern and your primary goal is reviewing WAF enforcement actions

Full Logs give you the complete picture of traffic reaching your WAF, which is useful for tuning protection rules and investigating false positives. Block Logs reduce storage consumption while keeping the records most relevant to active threats.

What happens after you save

After you save the settings, the Log Service for WAF feature stores logs according to the configuration. To query and analyze the stored logs, go to Log Management > Log Service in the WAF console and use the log query interface.