Configuring logging
Analyzing Yandex Smart Web Security logs enables you to:
- Test security rules, WAF, and ARL in Logging only (dry run) mode. In this mode, user requests are not blocked, but information about triggered rules is logged.
- View the number of blocked and allowed requests, evaluate and adjust rule performance.
- View detailed request information and identify false positives.
- Investigate security incidents.
You can set up logging in Yandex Smart Web Security using either Yandex Cloud Logging or Yandex Audit Trails.
- Cloud Logging: Collects basic logs for traffic and triggered security profile, WAF, and ARL rules. Smart Web Security logs are transferred through an L7 load balancer connected to a security profile and are written to a log group.
- Audit Trails: Collects more detailed audit logs (events) for WAF and ARL rules. In Audit Trails, events are delivered directly from Smart Web Security without using an L7 load balancer. There are two types of events in Audit Trails:
  - Management events, which include actions related to Yandex Cloud resource configuration, e.g., creating or deleting a security profile.
  - Data events, i.e., actions taken with resources within Yandex Cloud services, such as triggering a WAF profile rule.
You can log Audit Trails events to a bucket in Object Storage, log group in Cloud Logging, or data stream in Data Streams.
To get started with Smart Web Security logs:
Enable logging
Cloud Logging
- In the management console, select the folder containing the Smart Web Security profile.
- Select Application Load Balancer.
- Select the load balancer with a linked security profile from the list.
- Click the menu icon and select Edit.
- Under Log settings, configure the logging parameters.
- Click Save.
For other methods of how to enable logging, see Setting up L7 load balancer logging.
Audit Trails
You can log Audit Trails events to a bucket in Object Storage, a log group in Cloud Logging, or a data stream in Data Streams. In this guide, we will set up logging events to a log group.
- In the management console, select the folder containing the Smart Web Security profile.
- Select Audit Trails.
- Click Create trail.
- Enter a name for the trail, e.g., trail-sws.
- Under Destination, select the Cloud Logging destination object.
- Select or create a Cloud Logging log group to store Smart Web Security events.
- Under Collecting data events, enable collecting events and select Smart Web Security. Leave the default values for other settings in this section. All data events from Smart Web Security in the current folder will be logged. Management events will not be logged.
- Under Service account, create or select an account with the logging.writer role.
- Click Create.
For other methods of how to enable event logging, see Creating a trail to upload audit logs.
Viewing logs
Cloud Logging
- In the management console, select the folder containing the Smart Web Security profile.
- Select Application Load Balancer.
- Go to the Logs section.
- Select the number of messages per page and the period: 1 hour, 3 hours, 1 day, 1 week, 2 weeks.
- In the Request row, specify your request using the filter expression language and click Run. You can find examples of requests below.
- To view the details of a log entry, expand it.
For other methods of how to view logs, see Viewing L7 load balancer logs and Reading records.
Examples of preset log filters
Logs are provided in JSON format. A single log entry represents one client request to the L7 load balancer.
Log filter requests are based on the relationship between Smart Web Security profiles and rules. You can view logs for active rules or for rules in Logging only (dry run) mode.
Filters for active rules
- Show requests blocked by basic rules with specific conditions, such as an IP list or region:
json_payload.smartwebsecurity.matched_rule.rule_type = RULE_CONDITION and json_payload.smartwebsecurity.matched_rule.verdict = DENY
- Show requests which triggered Smart Protection rules with a CAPTCHA challenge:
json_payload.smartwebsecurity.matched_rule.rule_type = SMART_PROTECTION and json_payload.smartwebsecurity.matched_rule.verdict = CAPTCHA
- Show requests blocked based on the WAF profile, i.e., by the security profile WAF rules:
json_payload.smartwebsecurity.matched_rule.rule_type = WAF and json_payload.smartwebsecurity.matched_rule.verdict = DENY
- Show requests blocked by the ARL profile rules:
json_payload.smartwebsecurity.advanced_rate_limiter.verdict = DENY
Filters for rules in logging mode
- Show requests which triggered Smart Protection rules with a CAPTCHA challenge:
json_payload.smartwebsecurity.dry_run_matched_rule.rule_type = SMART_PROTECTION and json_payload.smartwebsecurity.dry_run_matched_rule.verdict = CAPTCHA
- Show requests which triggered a specific ARL rule, arl-rule-1:
json_payload.smartwebsecurity.advanced_rate_limiter.verdict = DENY and json_payload.smartwebsecurity.advanced_rate_limiter.applied_quota_name = "arl-rule-1"
You can similarly add other conditions to the filters and adjust them for your traffic flow as appropriate.
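The preset filters above, evaluated offline over a handful of constructed log entries, as an added Python example that is not part of the original documentation. The field paths and values are taken from the filters on this page; the sample entries, the entry with no rule fields, and the function names are my own assumptions.

```python
# Constructed sample log entries (not real Yandex Cloud output). Each entry holds
# only the json_payload.smartwebsecurity fields named on this page; the entry with
# no rule fields stands for a request that triggered nothing (an assumption).
SAMPLE_LOGS = [
    {"json_payload": {"smartwebsecurity": {"matched_rule": {"rule_type": "RULE_CONDITION", "verdict": "DENY"}}}},
    {"json_payload": {"smartwebsecurity": {"matched_rule": {"rule_type": "SMART_PROTECTION", "verdict": "CAPTCHA"}}}},
    {"json_payload": {"smartwebsecurity": {"matched_rule": {"rule_type": "WAF", "verdict": "DENY"}}}},
    {"json_payload": {"smartwebsecurity": {"advanced_rate_limiter": {"verdict": "DENY", "applied_quota_name": "arl-rule-1"}}}},
    {"json_payload": {"smartwebsecurity": {"advanced_rate_limiter": {"verdict": "DENY", "applied_quota_name": "arl-rule-2"}}}},
    {"json_payload": {"smartwebsecurity": {"dry_run_matched_rule": {"rule_type": "SMART_PROTECTION", "verdict": "CAPTCHA"}}}},
    {"json_payload": {"smartwebsecurity": {}}},
]

# The page's preset filters, expressed as AND-ed (dotted field path, expected value) pairs.
SWS = "json_payload.smartwebsecurity."  # common prefix of the fields used by the filters
FILTERS = {
    "blocked_by_basic_rules": [(SWS + "matched_rule.rule_type", "RULE_CONDITION"), (SWS + "matched_rule.verdict", "DENY")],
    "smart_protection_captcha": [(SWS + "matched_rule.rule_type", "SMART_PROTECTION"), (SWS + "matched_rule.verdict", "CAPTCHA")],
    "blocked_by_waf": [(SWS + "matched_rule.rule_type", "WAF"), (SWS + "matched_rule.verdict", "DENY")],
    "blocked_by_arl": [(SWS + "advanced_rate_limiter.verdict", "DENY")],
    "dry_run_smart_protection_captcha": [(SWS + "dry_run_matched_rule.rule_type", "SMART_PROTECTION"), (SWS + "dry_run_matched_rule.verdict", "CAPTCHA")],
    "arl_rule_1": [(SWS + "advanced_rate_limiter.verdict", "DENY"), (SWS + "advanced_rate_limiter.applied_quota_name", "arl-rule-1")],
}


def get_field(entry, dotted_path):
    """Walk a dotted path through nested dicts; return None when any segment is absent."""
    node = entry
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches(entry, conditions):
    """True when every (path, value) condition holds, mirroring 'a = X and b = Y'."""
    return all(get_field(entry, path) == value for path, value in conditions)


def count_by_filter(logs, filters=FILTERS):
    """Count how many log entries each preset filter would return."""
    return {name: sum(1 for entry in logs if matches(entry, conds)) for name, conds in filters.items()}


if __name__ == "__main__":
    for name, count in count_by_filter(SAMPLE_LOGS).items():
        print(f"{name}: {count}")
```

Comparing the dry-run counts with the active-rule counts over a real export is a quick way to see how a rule would behave before switching it out of Logging only mode.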
Audit Trails
- In the management console, select the folder containing the Smart Web Security profile.
- Select Cloud Logging.
- Select the log group to which the Audit Trails events are sent.
- Select the number of messages per page and the period: 1 hour, 3 hours, 1 day, 1 week, 2 weeks.
- In the Request row, specify your request using the filter expression language and click Run.
Audit Trails logs are written in JSON format. To find a specific event, specify its name in the following format:
yandex.cloud.audit.smartwebsecurity.<event_name>
For examples of how to create requests, see Examples of requests for searching events in audit logs.
- To view the details of a log entry, expand it.