© 2026 Direct Cursus Technology L.L.C.
Yandex Smart Web Security

Configuring logging via Application Load Balancer

Written by
Yandex Cloud
Updated at May 15, 2026
  • Audit logs
  • Logs of HTTP requests and triggered rules
  • Working with logs
    • Enable logging
    • Viewing logs
  • Examples of preset log filters
    • Filters for active rules
    • Filters for rules in logging mode

To write logs, Smart Web Security integrates with Cloud Logging and Audit Trails. They solve different tasks:

  • Cloud Logging: Analyzes HTTP requests and triggered rules in security, WAF, and ARL profiles.
  • Audit Trails: Collects Smart Web Security audit events. These are not full Smart Web Security logs but records of security events and actions with resources.

Audit logs

There are two types of events in Audit Trails:

  • Management events, which include actions related to Yandex Cloud resource configuration, such as creating or deleting a security profile.
  • Data events, which include actions performed on resources within Yandex Cloud services, e.g., triggering a rule from a WAF profile.

You can log events to a bucket in Object Storage, a log group in Cloud Logging, or a data stream in Data Streams.

Logs of HTTP requests and triggered rules

There are two logging options available: via Smart Web Security and via the Application Load Balancer L7 load balancer that the security profile is connected to. Logging via Smart Web Security provides more analysis options than logging via Application Load Balancer. Logs are written to a log group in Cloud Logging.

Log analysis enables you to configure and monitor Smart Web Security performance:

  • Test security rules, WAF, and ARL in Logging only (dry run) mode. In this mode, the system does not block user requests but logs rule matches.
  • View the number of blocked and allowed requests, evaluate and adjust rule performance.
  • View detailed request information and identify false positives.

Working with logs

To get started with Smart Web Security logs:

  1. Enable and set up logging.
  2. View and filter logs.

Enable logging

Note

To manage logging in the L7 load balancer, you need the following roles:

  • alb.editor for the folder containing the security profile.
  • logging.writer for the log group receiving the logs.

To view logs, you need the logging.viewer role for the log group.

Cloud Logging

  1. In the management console, select the folder containing the Smart Web Security profile.
  2. Go to Application Load Balancer.
  3. In the list, select the load balancer linked to the security profile.
  4. Click and select Edit.
  5. Under Log settings:
    1. Enable Write logs.
    2. Select or create a Cloud Logging log group to store your load balancer logs.
    3. Click Add discard rule and configure its settings.
  6. Click Save.

For other ways to enable logging, see Setting up L7 load balancer logging.

Audit Trails

You can log Audit Trails events to a bucket in Object Storage, a log group in Cloud Logging, a data stream in Data Streams, or a bus in EventRouter. In this guide, we will set up logging of audit events to a log group.

  1. In the management console, select the folder containing the Smart Web Security profile.

  2. Go to Audit Trails.

  3. Click Create trail.

  4. Enter a name for the trail, e.g., trail-sws.

  5. Under Destination, select Cloud Logging as the destination object.

  6. Select or create a Cloud Logging log group to store Smart Web Security events.

  7. Under Collecting data events, enable event collection and select Smart Web Security.

    For the rest of the settings in this section, leave the default values. The system will log all data events from Smart Web Security in the current folder, ignoring management events.

  8. Under Service account, create or select an account with the logging.writer role.

  9. Click Create.

For other ways to enable event logging, see Creating a trail to upload audit logs.

Viewing logs

Cloud Logging

  1. In the management console, select the folder containing the Smart Web Security profile.

  2. Go to Application Load Balancer.

  3. Select Logs.

  4. Select the number of messages per page and the time interval: 1 hour, 3 hours, 1 day, 1 week, 2 weeks.

  5. In the Query row, specify your query using the filter expression language and click Run.

    You can find examples of queries below.

  6. To view the details of a log entry, expand the entry.

For other ways to view logs, see Viewing L7 load balancer logs and Reading records.

Examples of preset log filters

Logs are delivered in JSON format. A single log entry maps to a single client request to the L7 load balancer.

Log filter queries are based on the relationship between Smart Web Security profiles and rules. You can view logs for active rules or for rules in Logging only (dry run) mode.

Filters for active rules

  • Show requests blocked by basic rules based on specific conditions, e.g., by IP list or region:

    json_payload.smartwebsecurity.matched_rule.rule_type = RULE_CONDITION and json_payload.smartwebsecurity.matched_rule.verdict = DENY
    
  • Show requests that have triggered the Smart Protection rules with a CAPTCHA challenge:

    json_payload.smartwebsecurity.matched_rule.rule_type = SMART_PROTECTION and json_payload.smartwebsecurity.matched_rule.verdict = CAPTCHA
    
  • Show requests blocked based on the WAF profile, i.e., by the security profile WAF rules:

    json_payload.smartwebsecurity.matched_rule.rule_type = WAF and json_payload.smartwebsecurity.matched_rule.verdict = DENY
    
  • Show requests blocked by the ARL profile rules:

    json_payload.smartwebsecurity.advanced_rate_limiter.verdict = DENY
    
  • Show requests which triggered a specific ARL rule, arl-rule-1:

    json_payload.smartwebsecurity.advanced_rate_limiter.verdict = DENY and json_payload.smartwebsecurity.advanced_rate_limiter.applied_quota_name = "arl-rule-1"
    

You can similarly add other conditions to the filters and adjust them to fit your traffic flow.

Filters for rules in logging mode

  • Show requests that have triggered the Smart Protection rules with a CAPTCHA challenge:

    json_payload.smartwebsecurity.dry_run_matched_rule.rule_type = SMART_PROTECTION and json_payload.smartwebsecurity.dry_run_matched_rule.verdict = CAPTCHA
    
  • View requests that have triggered the ARL rules (limits on requests).

    In Logging only mode, you cannot use a query that filters by the DENY verdict, because this mode does not block requests. The rule verdict will be ALLOW even after the limit is exceeded. To debug the rules, use the dry_run_exceeded_quota_names parameter. This parameter shows which ARL rules were triggered by the request. If this parameter contains no rules, no limits were exceeded.

    Here is an example of a log fragment with the dry_run_exceeded_quota_names parameter:

    "smartwebsecurity": {
      "advanced_rate_limiter": {
        "applied_quota_name": "",
        "dry_run_exceeded_quota_names": [
          "<rule_name_1>",
          "<rule_name_2>"
        ],
        "profile_id": "<profile_id>",
        "verdict": "ALLOW"
      },
    

In this fragment, limits were exceeded for the <rule_name_1> and <rule_name_2> rules in the <profile_id> profile.
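
The tally below is an added example, not part of the Yandex Cloud documentation: it reads exported log entries and counts active verdicts separately from Logging only (dry run) matches, including the ARL rules listed in dry_run_exceeded_quota_names. The field paths are the ones used in the filters above; the one-entry-per-line export layout, the sample entries and the rule names are constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample export, one JSON entry per line. Field paths follow the
# filters on this page; rule names and the JSON Lines layout are assumptions.
SAMPLE_LOG = """\
{"json_payload": {"smartwebsecurity": {"matched_rule": {"rule_type": "WAF", "verdict": "DENY"}}}}
{"json_payload": {"smartwebsecurity": {"dry_run_matched_rule": {"rule_type": "SMART_PROTECTION", "verdict": "CAPTCHA"}, "advanced_rate_limiter": {"applied_quota_name": "", "dry_run_exceeded_quota_names": ["arl-rule-1", "arl-rule-2"], "verdict": "ALLOW"}}}}
{"json_payload": {"smartwebsecurity": {"advanced_rate_limiter": {"applied_quota_name": "arl-rule-1", "dry_run_exceeded_quota_names": ["arl-rule-2"], "verdict": "DENY"}}}}
{"json_payload": {"smartwebsecurity": {"advanced_rate_limiter": {"applied_quota_name": "", "dry_run_exceeded_quota_names": [], "verdict": "ALLOW"}}}}
{"json_payload": {"request_id": "constructed-no-sws-section"}}
not-json-line
"""


def summarize(lines):
    """Tally active and dry-run verdicts from load balancer log entries."""
    stats = {"active": Counter(), "dry_run": Counter(),
             "arl_denied": Counter(), "arl_dry_run_exceeded": Counter(),
             "skipped": 0}
    for line in lines:
        if not line.strip():
            continue
        try:
            sws = json.loads(line)["json_payload"]["smartwebsecurity"]
            if not isinstance(sws, dict):
                raise TypeError("smartwebsecurity is not an object")
        except (ValueError, KeyError, TypeError):
            stats["skipped"] += 1  # malformed line or no Smart Web Security data
            continue
        # Active rules and Logging only (dry run) rules are reported in separate objects.
        for key, bucket in (("matched_rule", "active"), ("dry_run_matched_rule", "dry_run")):
            rule = sws.get(key) or {}
            if rule.get("verdict"):
                stats[bucket][(rule.get("rule_type"), rule["verdict"])] += 1
        arl = sws.get("advanced_rate_limiter") or {}
        if arl.get("verdict") == "DENY":
            stats["arl_denied"][arl.get("applied_quota_name")] += 1
        # Dry-run ARL rules never change the verdict; they only appear in this list.
        stats["arl_dry_run_exceeded"].update(arl.get("dry_run_exceeded_quota_names") or [])
    return stats


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(name, dict(value) if isinstance(value, Counter) else value)
```

A dry-run rule that dominates arl_dry_run_exceeded is the one to review for false positives before it is switched from Logging only to blocking.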

Viewing logs (Audit Trails)

  1. In the management console, select the folder containing the Smart Web Security profile.

  2. Go to Cloud Logging.

  3. Select the log group receiving your Audit Trails events.

  4. Select the number of messages per page and the time interval: 1 hour, 3 hours, 1 day, 1 week, 2 weeks.

  5. In the Query field, specify your query using the filter expression language and click Run.

    Audit Trails logs are written in JSON format. To find a specific event, provide its name in the following format:

    yandex.cloud.audit.smartwebsecurity.<event_name>
    

    For examples of how to create queries, see Examples of requests for searching events in audit logs.

  6. To view the details of a log entry, expand the entry.
