How Long Are CFW Logs Stored by Default? What Is the Maximum Storage Capacity?
CFW stores logs from the last 7 days free of charge by default, with a maximum storage capacity of 50 GB.
After you enable the Log Analysis service, CFW stores logs from the last 6 months by default. The storage capacity starts at 1000 GB and can be expanded up to 300 TB.
What Happens When Log Storage Exceeds the Package Time or Capacity Limit?
When you use the default 50 GB log storage capacity, logs retained for more than 7 days or exceeding the 50 GB limit are automatically overwritten.
After you enable the Log Analysis service, logs retained for more than 6 months are purged.
After you enable the Log Analysis service, if the log storage reaches the purchased capacity limit, the system overwrites the oldest logs in chronological order to make room for new logs. If the log volume continuously exceeds the purchased capacity and the total amount of overwritten (rolled) logs reaches nine times the purchased capacity, the system stops storing new logs.
Note:
For example, if you purchase 1000 GB of log storage and the log volume continuously exceeds that capacity, the system stops recording new logs once the total amount of logs (stored plus overwritten) reaches 10000 GB.
What Is the Relationship Between Log Auditing and Analysis and CLS?
Log Auditing is currently built into CFW and is independent of CLS. Firewall logs can be shipped out of CFW to facilitate your own analysis.
What Traffic Is Recorded in Access Control Logs, Intrusion Defense Logs, and Traffic Logs?
Access Control logs record traffic that hits Access Control rules.
Intrusion Defense logs record traffic that hits Intrusion Defense rules.
Traffic logs record permitted traffic.
Can Firewall Logs Be Archived?
Yes. Logs can be exported and shipped to your own Kafka instance using the log shipping feature.
How to Download Logs
You can use the log shipping feature to ship logs for analysis, provided that you have purchased a Tencent Cloud CKafka instance. For configuration, refer to Log Analysis. Alternatively, log in to the CFW console, click Log Auditing > Traffic Logs in the left-side operation bar to go to the Traffic Logs page, and then click the download icon in the upper-right corner to download logs.
Note:
Based on the current search criteria, up to 60,000 logs can be exported.
How Long Does It Take for Log Shipping to Succeed?
Log shipping takes about one minute, so related log updates will have a slight delay.
Shipped logs do not contain a tag that identifies the log type. We recommend shipping each log type to a different topic so that the logs can be distinguished on the consuming side.
Why Are Observation-Type Logs Still Present When Interception Mode Is Enabled?
Virtual patches support automatic blocking, while basic rules currently do not. If an intrusion contains a vulnerability exploit and hits a virtual patch, it is blocked automatically; basic rules therefore remain in observation mode. Future versions are expected to support automatic blocking and permanent blocking for high-confidence basic rules.
Does Traffic Logging Record IP Traffic Blocked by Access Control or Intrusion Defense Rules?
No. Traffic logs do not record IP traffic blocked by Access Control rules or Intrusion Defense; they record permitted traffic only.
Are Logs Generated for Blocked Attacks?
Access Control rules: In Block mode, the access is intercepted, the rule hit count is incremented, and an Access Control log is recorded; no traffic log is recorded.
Intrusion Detection: When an intrusion detection policy is hit, an intrusion detection event is generated. You can view the specific blocking logs through Log Analysis.
How to Determine Whether Access/Attack in Shipped Logs Is Blocked or Allowed
The strategy field in the logs indicates whether the access was blocked or observed.
Note:
Traffic logs do not contain a strategy field value.
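The two points above (no log-type tag in shipped records, so the topic identifies the type; and the strategy field, which traffic logs lack, identifies block vs. observe) can be combined into a small consumer-side triage routine. This is an added example, not CFW or CKafka code; the topic names, the JSON record layout and the strategy values "block"/"observe" are assumptions, and the sample records are constructed.

```python
import json

# Assumed topic-to-log-type mapping. Shipped records carry no type tag, so the
# operator ships each log type to its own topic; these topic names are hypothetical.
TOPIC_LOG_TYPE = {
    "cfw-access-control": "access_control",
    "cfw-intrusion-defense": "intrusion_defense",
    "cfw-traffic": "traffic",
}


def classify(topic: str, raw: str) -> dict:
    """Tag one shipped record with its log type (from the topic) and a verdict
    derived from the 'strategy' field."""
    log_type = TOPIC_LOG_TYPE.get(topic)
    if log_type is None:
        raise ValueError(f"unknown topic {topic!r}; map it before consuming")
    record = json.loads(raw)
    strategy = record.get("strategy")
    if log_type == "traffic":
        # Traffic logs record permitted traffic only and carry no strategy value.
        verdict = "allowed"
    elif strategy is None:
        verdict = "unknown"  # surface the gap rather than guessing a verdict
    else:
        verdict = str(strategy).strip().lower()  # assumed values: block / observe
    return {"log_type": log_type, "verdict": verdict, **record}


def summarize(messages) -> dict:
    """Count (log_type, verdict) pairs over an iterable of (topic, raw_json)."""
    counts: dict = {}
    for topic, raw in messages:
        item = classify(topic, raw)
        key = (item["log_type"], item["verdict"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample records; field names other than 'strategy' are illustrative.
SAMPLE = [
    ("cfw-access-control", '{"src_ip": "198.51.100.7", "dst_port": 22, "strategy": "block"}'),
    ("cfw-access-control", '{"src_ip": "198.51.100.8", "dst_port": 443, "strategy": "observe"}'),
    ("cfw-intrusion-defense", '{"src_ip": "203.0.113.5", "rule": "virtual-patch", "strategy": "block"}'),
    ("cfw-traffic", '{"src_ip": "192.0.2.10", "dst_port": 80, "bytes": 512}'),
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(f"{key[0]:<18} {key[1]:<8} {n}")
```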
Why Can't a Purchased CKafka Instance Be Selected as the Support Environment for Log Shipping?
Add an access method to your CKafka instance and configure it to use a public network domain name for access. Support environment access is not yet available as an access method. For details, refer to the Instance List.