[Yandex Cloud documentation](../../index.md) > [Yandex Smart Web Security](../index.md) > [Step-by-step guides](index.md) > Configuring logs via Smart Web Security

# Configuring logging via Smart Web Security

{% note info %}

The feature of collecting logs via Smart Web Security is at the [Preview](../../overview/concepts/launch-stages.md) stage. To get access, please contact [support](https://center.yandex.cloud/support).
 
{% endnote %}

To write logs, Smart Web Security integrates with [Cloud Logging](../../logging/index.md) and [Audit Trails](../../audit-trails/index.md). They solve different tasks:

* Cloud Logging: Analyzes HTTP requests and triggered rules in security, WAF, and ARL profiles.
* Audit Trails: Collects Smart Web Security audit events. These are not full Smart Web Security logs but records of security events and actions with resources.

## Audit logs {#audit-events}

There are two types of events in Audit Trails:

* [Management events](../at-ref.md#control-plane-events), which include actions related to Yandex Cloud resource configuration, such as creating or deleting a security profile.
* [Data events](../at-ref.md#data-plane-events), which include actions performed on resources within Yandex Cloud services, e.g., triggering a rule from a WAF profile.

You can log events to a bucket in Object Storage, log group in Cloud Logging, or data stream in Data Streams.

## Logs of HTTP requests and triggered rules {#requests-logging}

There are two logging options available: via Smart Web Security and via the Application Load Balancer L7 load balancer the security profile is connected to. Logging via Smart Web Security provides more analysis options than logging via Application Load Balancer. Logs are written to a log group in Cloud Logging.

Log analysis enables you to configure and monitor Smart Web Security performance:

* Test security rules, WAF, and ARL in **Logging only** (dry run) mode. In this mode, the system does not block user requests but logs rule matches.
* View the number of blocked and allowed requests, evaluate and adjust rule performance.
* View detailed request information and identify false positives.

In some cases, traffic may be blocked during attacks. When this happens, the logs will include the `sws_service_rule` [service rule](../concepts/rules.md#service-rule) label.

## Working with logs {#configure-logging}

To get started with Smart Web Security logs:

1. [Enable and set up logging](#enable-logging).
1. [View and filter logs](#view-logs).

### Enable logging {#enable-logging}

You can enable logging when [creating a security profile](profile-create.md) or later, when editing it.

{% note info %}

To manage [logging](../concepts/logging.md) in a security profile, you need the following roles:

- [smart-web-security.editor](../security/index.md#smart-web-security-editor) for the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) containing the security profile.
- [logging.writer](../../logging/security/index.md#logging-writer) for the [log group](../../logging/concepts/log-group.md) receiving the logs.

To view logs, you need the [logging.viewer](../../logging/security/index.md#logging-viewer) role for the log group.

{% endnote %}

{% list tabs group=instructions %}

- Cloud Logging {#logging}

  1. In the [management console](https://console.yandex.cloud), select the folder containing the Smart Web Security profile.
  1. Navigate to **Smart Web Security**.
  1. In the left-hand panel, select ![image](../../_assets/smartwebsecurity/profiles.svg) **Security profiles**.
  1. In the row with the security profile you need, click ![ellipsis](../../_assets/console-icons/ellipsis.svg) and select ![pencil](../../_assets/console-icons/pencil.svg) **Edit**.
  1. Enable **Write logs**.
  1. In the **Send logs to** field, select **Cloud Logging**.
  1. Select or create a Cloud Logging [log group](../../logging/concepts/log-group.md) to store your logs.
  1. For logging, you can choose only those requests that triggered:
     * **Base rules**.
     * **Smart Protection** rules.
     * **Web Application Firewall** rules.
     * **Advanced Rate Limiter** rules.
     * All selected rules applied the **DENY and CAPTCHA** action (verdict).
     * All selected rules applied the **ALLOW** action (legitimate requests).

       Usually the number of legitimate requests is much higher than illegitimate ones. To reduce the amount of logs, configure the **How many logs with the ALLOW verdict should not be recorded** parameter: from 1 to 100 %. When setting up rules for the first time, we recommend that you analyze all legitimate requests. Once you make sure the rules are working correctly, you can change the log percentage or disable logging of requests with the **ALLOW** verdict. 
  
  1. Click **Save**.

- Audit Trails {#at}

  You can log Audit Trails events to a bucket in Object Storage, log group in Cloud Logging, data stream in Data Streams, or bus in EventRouter. In this guide, we will set up logging of audit events to a log group.

  1. In the [management console](https://console.yandex.cloud), select the folder containing the Smart Web Security profile.
  1. Navigate to **Audit Trails**.
  1. Click **Create trail**.
  1. Enter a name for the trail, e.g., `trail-sws`.
  1. Under **Destination**, select **Cloud Logging** as the destination object.
  1. Select or create a Cloud Logging [log group](../../logging/concepts/log-group.md) to store Smart Web Security events.
  1. Under **Collecting data events**, enable event collection and select **Smart Web Security**.

      Leave the default values for other settings in this section. The system will log all data events from Smart Web Security in the current folder, ignoring management events.
  
  1. Under **Service account**, create or select an account with the `logging.writer` role.
  1. Click **Create**.

  For other ways to enable event logging, see [Creating a trail to upload audit logs](../../audit-trails/operations/create-trail.md).

  To make Yandex Smart Web Security deliver its events to Audit Trails:

  1. In the [management console](https://console.yandex.cloud), select the folder containing the Smart Web Security profile.
  1. Navigate to **Smart Web Security**.
  1. In the left-hand panel, select ![image](../../_assets/smartwebsecurity/profiles.svg) **Security profiles**.
  1. In the row with the security profile you need, click ![ellipsis](../../_assets/console-icons/ellipsis.svg) and select ![pencil](../../_assets/console-icons/pencil.svg) **Edit**.
  1. Enable **Write logs**.
  1. In the **Send logs to** field, select **Audit Trails**.
  1. Optionally, select for which rules or verdicts to deliver events:
     * **Base rules**.
     * **Smart Protection**.
     * **Web Application Firewall**.
     * **Advanced Rate Limiter**.
     * **DENY and CAPTCHA**.
     * **ALLOW**.
  1. Click **Create**.

  This allows configuring event delivery only from specific security profiles or only for specific rules and verdicts.

{% endlist %}

### Viewing logs {#view-logs}

{% list tabs group=instructions %}

- Cloud Logging {#logging}

  1. In the [management console](https://console.yandex.cloud), select the folder containing the Smart Web Security profile.
  1. Navigate to **Smart Web Security**.
  1. Select **Logs**.
  1. Select a log group if there are several.
  
  1. Select the log display period using one of the following methods:
     
     * Click the interval button, e.g., **Last hour**, and select one of the options: **Last 5 minutes**, **Last 30 minutes**... **Last day**.
        You can also select the required dates in the calendar and specify the time in the **From** and **To** fields.
     * Select a preset period: **Now**, **5m**, **30m**, **1h**, **1d**, **2d**, or specify your own value.
     * On the timeline, move the period start and end indicators.
  
  1. In the **Request** line, specify the selection parameters:
     
     * Select the log fields from the drop-down list or start typing the field name.

       Fields for filtering are described in [Logging](../concepts/logging.md).
  
     * To the right of the request string, click **</>** and enter your request in text mode using the [filter expression language](../../logging/concepts/filter.md).

       You can find examples of queries below.

     {% note info %}

     By default, the following internal fields are selected in the request string: `project`, `cluster`, `service`, and `message = *SWS`. Do not change these values.

     {% endnote %}

  1. Click **Execute query**. To view log details, expand it.

  ## Examples of preset log filters {#filtration}

  Logs are delivered in JSON format. One log entry is one client request processed by Smart Web Security.

  Queries for log filtering are based on the relationship between [Smart Web Security](../concepts/profiles.md#profile-rules-schema) profiles and rules. You can view logs for active, running rules, or rules in **Logging only** (dry run) mode.

  ### Filters for active rules {#active-rule-filters}

  * Show requests blocked by basic rules based on specific [conditions](../concepts/conditions.md), e.g., by IP list or region:
    ```
    module_type = "RULE_CONDITION", meta.matched_rule_verdict = "DENY"
    ```
  * Show requests that have triggered the [Smart Protection](../concepts/rules.md##smart-protection-rules) rules with a CAPTCHA challenge:
    ```
    module_type = "SMART_PROTECTION", meta.matched_rule_verdict = "CAPTCHA"
    ```
  * Show requests blocked based on the [WAF](../concepts/waf.md) profile, i.e., by the security profile WAF rules:
    ```
    module_type = "WAF", meta.matched_rule_verdict = "DENY"
    ```
  * Show requests blocked by the [ARL](../concepts/arl.md) profile rules:
    ```
    meta.arl_verdict = "DENY"
    ```

  * Show requests which triggered a specific ARL rule, `arl-rule-1`:
    ```
    meta.arl_verdict = "DENY", meta.arl_applied_quota_name = "arl-rule-1"
    ```

  ### Filters for rules in logging mode {#dry-run-filters}

  * Show requests that have triggered the [Smart Protection](../concepts/rules.md#smart-protection-rules) rules with a CAPTCHA challenge:
    ```
    module_type = "SMART_PROTECTION", meta.dry_run_matched_rule_verdict = "CAPTCHA"
    ```

  * Show requests that exceeded the specific ARL rule, `arl-rule-1`:
    ```
    meta.arl_verdict = "DENY", meta.arl_dry_run_exceeded_quota_names = "arl-rule-1"
    ```

  You can similarly add other conditions to the filters and adjust them to fit your traffic flow.

- Audit Trails {#at}

  1. In the [management console](https://console.yandex.cloud), select the folder containing the Smart Web Security profile.
  1. Navigate to **Cloud Logging**.
  1. Select the log group receiving your Audit Trails events.
  1. Select the number of messages per page and the time interval: 1 hour, 3 hours, 1 day, 1 week, 2 weeks.
  1. In the **Query** field, specify you query using the [filter expression language](../../logging/concepts/filter.md) and click **Run**.

     Audit Trails events are written in JSON format. To find a specific [event](../at-ref.md#data-plane-events), provide its name in the following format:

     ```
     yandex.cloud.audit.smartwebsecurity.<event_name>
     ```

     For examples of how to create queries, see [Examples of requests for searching events in audit logs](../../audit-trails/tutorials/search-events-audit-logs/examples.md).

  1. To view log details, expand it.

{% endlist %}