The WAF Log Retention Period feature allows WAF logs viewable in certain parts of the WafCharm Console to be stored based on a specified number of days, when WAF log integration is enabled using the new method.

The number of WAF logs that can be viewed in certain parts of the WafCharm Console is fixed for each WafCharm account and limited according to your subscribed plan. By using this feature, the limitation shifts from a log-count limit to a day-based limit, allowing you to view all WAF logs within the specified period regardless of the number of logs.

The names and differences of each restriction type are as follows:

Fixed Mode / Fixed
This mode restricts the number of WAF logs that can be viewed across the entire WafCharm account, based on your subscribed plan. The log count limits are as follows:
- New Plan
  - Trial: 10,000 logs
  - Business / Enterprise / AWS Marketplace version: 1,000,000 logs
- Old Plan
  - Trial / Entry: 10,000 logs
  - Business: 100,000 logs
  - Enterprise: 1,000,000 logs
Expanded Mode / Expanded
This day-based mode is provided through the WAF Log Storage expansion feature. There is no restriction on the number of logs, but there is a retention-period limit. You can choose a retention period between 1 and 730 days, and the number of days is configured per WAF Config.

Each mode applies at the WafCharm account level. Even if you have multiple WAF Configs, you cannot switch between Fixed Mode and Expanded Mode for individual WAF Configs.

Notes and Additional Information

This option is available only when you are on the new plan and have enabled WAF log integration (new method) using AWS WAF v2. It is not available on the old plan or the Trial plan.
The WAF Log Storage Format is managed at the WafCharm account level. You cannot switch between Fixed Mode and Expanded Mode per WAF Config. However, the retention period (number of days) can be configured individually for each WAF Config.
By default, Fixed Mode is applied. It will not automatically switch to Expanded Mode, and you must switch it manually. After switching to Expanded Mode, you cannot revert back to Fixed Mode.
In Expanded Mode, additional usage fees will be charged per WafCharm account based on the retention period and the number of stored WAF logs, following a pay-as-you-go pricing model. For more information about additional fees, the WafCharm AWS Marketplace version pricing table.
The retention period can only be specified in days. Other units, such as one month or one year, are not supported.
The retention period can be set between 1 and 730 days. Any duration beyond 730 days is not supported, and the upper limit cannot be changed.
The retention period uses a day-based rollover method.
Example: If you set the retention period to 30 days on October 10, WAF logs from October 10 through November 8 will be retained. Starting November 9, logs from October 10 will no longer be retained.
WAF logs are not retrieved retroactively. When you change the retention period, logs will be retained based on the newly specified number of days starting from the date of the change.
The available settings differ between the Advanced Rule policy and the Legacy Rule policy. For details, refer to the configuration steps below.
For Detection Status on the Dashboard, up to 1,000,000 WAF logs from the past 24 hours are aggregated, regardless of the retention period.
If the [Update WAF Log Storage Format] button is not displayed, please contact your sales representative.

How to Configure

The WAF Log Retention Period can be configured only when the WAF Log Storage Format is set to Expanded Mode and WAF log integration is enabled for the target WAF Config. For instructions on configuring WAF log integration, see the help pages below.

The WAF Log Storage Format (Fixed or Expanded Mode) is applied at the WafCharm account level. However, the WAF Log Retention Period (days) is configured per WAF Config. The available settings differ depending on the Rule policy. For details, refer to the configuration steps for each policy.

Switching the WAF Log Storage Format from Fixed Mode to Expanded Mode

If Fixed Mode is applied to your WafCharm account, you must follow the steps below to switch to Expanded Mode.

Open the Account page.
Navigate to the [Plan] section.
If the [WAF Log Storage Format] field shows [Fixed Mode (stores up to 1,000,000 logs)], Fixed Mode is currently applied.
Click the [Update WAF Log Storage Format] button in the [WAF Log Storage Format] section.
Review the information shown in the [Update WAF Log Storage Format] popup.
Under [Retention Period Applied to All WAF Configs], select the number of days.
At this stage, only 1, 7, 14, or 30 days can be selected. The value you choose here will be applied to all existing WAF Configs. If you wish to use a different number of days, follow the steps below to change the retention period for each WAF Config after switching to Expanded Mode.
Select the checkbox for [I agree to the changes and fees for the WAF log storage format].
Click the [Update WAF Log Storage Format] button.

After completing the steps above, the storage format will switch to Expanded Mode. You cannot revert back to Fixed Mode once the mode has been changed.

About Fee Forecasts

In Expanded Mode, additional usage fees are charged based on the retention period and the number of stored WAF logs. When you change the WAF Log Storage Format in the [Update WAF Log Storage Format] popup, a fee forecast is generated using the number of days you select under [Retention Period Applied to All WAF Configs] and the estimated number of web requests available at that time.

Please use this information as a reference when selecting a retention period.

Notes on Fee Forecasts

This section is displayed only when you change the WAF Log Storage Format.
The forecasted amount reflects the estimated fee at that point in time. It does not represent the actual billed amount.
For details about usage fees, see WafCharm AWS Marketplace version pricing table.
The [Retention Period Applied to All WAF Configs] field allows selection only from 1, 7, 14, or 30 days. Other values cannot be selected, and fee forecasts cannot be generated for them.
For reference, the fee forecast uses the total number of web requests from the WAF Configs that have WAF log integration (new method) enabled. This may not match the actual number of stored WAF logs. If web request counts have not been aggregated or if no WAF Configs have WAF log integration (new method) enabled, the total number of web requests may be zero.
Even when web request counts are aggregated, the forecasted fee will be zero if the usage falls within the free tier.

Selecting the Retention Period with the Advanced Rule Policy

When creating a WAF Config or editing it from the [Log and Notification Configuration] tab, specify the number of days under [WAF Log Retention Period]. You can select between 1 and 60 days from the dropdown menu. If you want to retain logs for 61 days or more, select [More than 61 days] and specify the number of days. The retention period can be set between 1 and 730 days.

The [Do not store WAF logs] option allows you to enable or disable certain features that rely on WAF log integration. If this option is selected, WAF log storage is disabled and the following features will no longer be available. If the option is not selected, WAF log storage remains enabled and the following features are also available.

Detection Status on the Dashboard
WAF Log Search
Bot Dashboard (when the Log Intelligence option is enabled)

Disabling WAF log storage also prevents any pay-as-you-go charges associated with [Expanded Mode].

Other features remain available even when WAF log storage is disabled. For example, Monthly Reports and WAF Log Alerts (detection notifications) continue to function.

Selecting the Retention Period with the Legacy Rule Policy

The [Do not store WAF logs] option is not available.

About WAF Log Storage Fee Estimate for This WAF Config

In Expanded Mode, additional usage fees are charged based on the retention period and the number of stored WAF logs. This feature allows you to estimate those fees for each WAF Config.

The estimate is calculated using the number of days specified in WAF Log Retention Period on the screen and the value entered in Expected Daily Requests. Adjust the Expected Daily Requests as needed based on your environment.

Notes on WAF Log Storage Fee Estimate for This WAF Config

This section is displayed on the WAF Log Retrieval Configuration screen.
The forecasted amount reflects the estimated fee at that point in time. It does not represent the actual billed amount.
This estimate applies only to the WAF Config currently being configured, not to the WafCharm account as a whole.
For details about usage fees, see WafCharm AWS Marketplace version pricing table.
For reference, the fee forecast uses the number of web requests for the WAF Config you are configuring. This may not match the actual number of stored WAF logs. If web request counts have not been aggregated, or if the WAF Config is newly created and no data has been collected yet, the web request count may be zero.
Even when web request counts are aggregated, the forecasted fee will be zero if the usage falls within the free tier.

Changing the Retention Period in an existing WAF Log Retrieval Configuration

First, make sure that you have completed the steps in Switching the WAF Log Storage Format from Fixed Mode to Expanded Mode and that Expanded Mode is applied to the relevant WafCharm account.

Once Expanded Mode is applied, you can change the WAF log retention period for each WAF Config by editing it from the [Log and Notification Configuration] tab.

About WAF Log Retention Period