Configuring logging via Smart Web Security
Note
There are two options for collecting logs: via Smart Web Security and via an L7 Application Load Balancer the security profile is connected to.
This section provides information on logging via Smart Web Security. If you want to learn about collecting logs via an L7 balancer, see Configuring logging via Application Load Balancer.
Analyzing Yandex Smart Web Security logs enables you to:
-
Test security rules, WAF, and ARL in Logging only (dry run) mode.
In this mode, the system does not block user requests but logs rule matches.
-
View the number of blocked and allowed requests, evaluate and adjust rule performance.
-
View detailed request information and identify false positives.
-
Investigate security incidents.
You can set up logging in Yandex Smart Web Security using either Yandex Cloud Logging or Yandex Audit Trails.
-
Cloud Logging: Collects detailed logs on HTTP requests and rule matches from security profiles, WAF, and ARL.
-
Audit Trails: Collects audit logs (events) for WAF and ARL rules and security events.
There are two types of events in Audit Trails:
- Management events, which include actions related to Yandex Cloud resource configuration, such as creating or deleting a security profile.
- Data events, which include actions performed on resources within Yandex Cloud services, e.g., triggering a rule from a WAF profile.
You can log Audit Trails events to a bucket in Object Storage, log group in Cloud Logging, or data stream in Data Streams.
To get started with Smart Web Security logs:
Enable logging
You can enable logging when creating a security profile or later, when editing it:
-
In the management console, select the folder containing the Smart Web Security profile.
-
Select Smart Web Security.
-
In the left-hand panel, select Security profiles.
-
In the row with the security profile you need, click and select Edit.
-
Enable Write logs.
-
In the Send logs to field, select Cloud Logging.
-
Select or create a Cloud Logging log group to store your logs.
-
For logging, you can choose only those requests that triggered:
-
Base rules.
-
Smart Protection rules.
-
Web Application Firewall rules.
-
Advanced Rate Limiter rules.
-
All selected rules applied the DENY and CAPTCHA action (verdict).
-
All selected rules applied the ALLOW action (legitimate requests).
Usually the number of legitimate requests is much higher than illegitimate ones. To reduce the amount of logs, configure the Percent of requests with ALLOW verdict parameter: from 1 to 100 %. When setting up rules for the first time, we recommend that you analyze all legitimate requests. Once you make sure the rules are working correctly, you can change the log percentage or disable logging of requests with the ALLOW verdict.
-
-
Click Save.
You can log Audit Trails events to a bucket in Object Storage, log group in Cloud Logging, or data stream in Data Streams. In this guide, we will set up logging of events to a log group.
-
In the management console, select the folder containing the Smart Web Security profile.
-
Select Audit Trails.
-
Click Create trail.
-
Enter a name for the trail, e.g.,
trail-sws. -
Under Destination, select Cloud Logging as the destination object.
-
Select or create a Cloud Logging log group to store Smart Web Security events.
-
Under Collecting data events, enable event collection and select Smart Web Security.
Leave the default values for other settings in this section. The system will log all data events from Smart Web Security in the current folder, ignoring management events.
-
Under Service account, create or select an account with the
logging.writerrole. -
Click Create.
For other ways to enable event logging, see Creating a trail to upload audit logs.
To make Yandex Smart Web Security deliver its events to Audit Trails:
- In the management console, select the folder containing the Smart Web Security profile.
- Select Smart Web Security.
- In the left-hand panel, select Security profiles.
- In the row with the security profile you need, click and select Edit.
- Enable Write logs.
- In the Send logs to field, select Audit Trails.
- Optionally, select for which rules or verdicts to deliver events:
- Base rules.
- Smart Protection.
- Web Application Firewall.
- Advanced Rate Limiter.
- DENY and CAPTCHA.
- ALLOW.
- Click Create.
This allows configuring event delivery only from specific security profiles or only for specific rules and verdicts.
Viewing logs
-
In the management console, select the folder containing the Smart Web Security profile.
-
Select Smart Web Security.
-
Select Logs.
-
Select a log group if there are several.
-
Select the log display period using one of the following methods:
- Click the interval button, e.g., Last hour, and select one of the options: Last 5 minutes, Last 30 minutes... Last day.
You can also select the required dates in the calendar and specify the time in the From and To fields. - Select a preset period: Now, 5m, 30m, 1h, 1d, 2d, or specify your own value.
- On the timeline, move the period start and end indicators.
- Click the interval button, e.g., Last hour, and select one of the options: Last 5 minutes, Last 30 minutes... Last day.
-
In the Request line, specify the selection parameters:
-
Select the log fields from the drop-down list or start typing the field name.
Fields for filtering are described in Logging.
-
To the right of the request string, click </> and enter your request in text mode using the filter expression language.
You can find examples of queries below.
Note
By default, the following internal fields are selected in the request string:
project,cluster,service, andmessage = *SWS. Do not change these values. -
-
Click Execute query. To view log details, expand it.
Examples of preset log filters
Logs are delivered in JSON format. One log entry is one client request processed by Smart Web Security.
Queries for log filtering are based on the relationship between Smart Web Security profiles and rules. You can view logs for active, running rules, or rules in Logging only (dry run) mode.
Filters for active rules
-
Show requests blocked by basic rules based on specific conditions, e.g., by IP list or region:
module_type = "RULE_CONDITION", meta.matched_rule_verdict = "DENY" -
Show requests which triggered Smart Protection rules with a CAPTCHA challenge:
module_type = "SMART_PROTECTION", meta.matched_rule_verdict = "CAPTCHA" -
Show requests blocked based on the WAF profile, i.e., by the security profile WAF rules:
module_type = "WAF", meta.matched_rule_verdict = "DENY" -
Show requests blocked by the ARL profile rules:
meta.arl_verdict = "DENY" -
Show requests which triggered a specific ARL rule,
arl-rule-1:meta.arl_verdict = "DENY", meta.arl_applied_quota_name = "arl-rule-1"
Filters for rules in logging mode
-
Show requests which triggered Smart Protection rules with a CAPTCHA challenge:
module_type = "SMART_PROTECTION", meta.dry_run_matched_rule_verdict = "CAPTCHA" -
Show requests that exceeded the specific ARL rule,
arl-rule-1:meta.arl_verdict = "DENY", meta.arl_dry_run_exceeded_quota_names = "arl-rule-1"
You can similarly add other conditions to the filters and adjust them to fit your traffic flow.
-
In the management console, select the folder containing the Smart Web Security profile.
-
Select Cloud Logging.
-
Select the log group receiving your Audit Trails events.
-
Select the number of messages per page and the time interval: 1 hour, 3 hours, 1 day, 1 week, 2 weeks.
-
In the Query field, specify you query using the filter expression language and click Run.
Audit Trails logs are written in JSON format. To find a specific event, provide its name in the following format:
yandex.cloud.audit.smartwebsecurity.<event_name>For examples of how to create queries, see Examples of requests for searching events in audit logs.
-
To view log details, expand it.