This article explains how to configure the Log and Notification settings of a WAF Config if you are using the old plan and the Legacy rule policy.
There are three configurations in this case.
After you’ve completed the initial configuration, you can click the [Edit] button on the details page to change or add configurations.
This configuration will transfer access logs from ALB and CloudFront to WafCharm.
By transferring access logs, WafCharm can aggregate a number of web requests and provide a dynamic denylist by rematching signatures against the access logs.
If you have more than one resource attached to your web ACL, please add Web Site Configs for each resource.
This field is for management purposes only and is optional. Please enter a value that makes it easy for you to manage the configurations.
If your CloudFront access logs are outputted to S3://bucket-name/optional-prefix/, enter the complete S3 path.
If your ALB access logs are outputted to S3://bucket-name/optional-prefix/AWSLogs/aws-account-id/elasticloadbalancing/region/, enter the complete S3 path.
If you want to use the same credential as WAF Config, check [Reuse Credential in Basic Config].
If you want to select a different credential, uncheck [Reuse Credential in Basic Config] and choose the credential from the drop-down menu, or click the [Register new credential] link to add new credential information.
How to configure Credential Store for AWS WAF v2 (new plan/MP ver.)
If you have multiple resources (ALB and CloudFront) attached to your web ACL and want to register multiple Web Site Configs (S3 path to each resource's access logs), click the [Add Web Site Config] button to add another Web Site Config.
If you have accidentally added a Web Site Config, click the garbage can icon at the bottom right corner to delete it.
"FQDN value" is the actual FQDN value you registered when adding a Web Site Config.
There are two methods of WAF log retrieval: the new method and the old method.
The new method allows users to enable WAF log-related features by opting in with a WAF log retrieval checkbox.
The old method is the same as the one available on the old WafCharm Dashboard, which uses Lambda to transfer WAF logs.
If you are using the Legacy rule policy, you can use both, but it is recommended to switch to the new method.
*Currently, WAF log retrieval is limited to old plan users. If you want to use the new method, please contact the WafCharm support team with details on logging configurations per WAF Config.
Enabling WAF log retrieval is optional. If you want to refrain from configuring this option, do not check the [Enable WAF log retrieval] checkbox under the [WAF log retrieval] tab when adding a WAF Config. In addition, please avoid configuring the old method (Lambda method).
The new method enables the blocked status on the Dashboard page, the WAF log search feature, the monthly report feature, and the WAF log alert (detection notification) feature.
Currently, WAF log retrieval is limited to old plan users. If you want to use the new method, please contact the WafCharm support team with the information below (details on logging configurations per WAF Config).
If you are using the new method, please check the items below before you begin.
For example, if your WAF logs are outputted to the S3 bucket with the name csc-waftest, enter csc-waftest under the [S3 Bucket Name] field.
If you specified a prefix, enter the value specified on the Data Firehose configuration under the [S3 Prefix] field.
If you chose the Amazon Data Firehose option under the AWS WAF logging configuration, please enter the information of the S3 bucket to which Amazon Data Firehose sends WAF logs.
If you are using Amazon Data Firehose, you can specify an S3 bucket prefix. Data Firehose allows users to specify general paths like “waflogs” as well as other custom prefixes such as a timestamp namespace. Please keep in mind that WafCharm only supports the prefixes listed below.
waflogs/ and firehoselogs/
YYYY/MM/DD/HH
addedwaflogs/YYYY/MM/DD/HH
WafCharm does not support the timestamp namespaces listed below. If a prefix like these is specified, WafCharm cannot download WAF logs even if the WAF log retrieval option is enabled.
waflog/year=!{timestamp:yyyy}/month=!{timestamp:MM}/day=!{timestamp:dd}/hour=!{timestamp:HH}/
waflog/!{timestamp:yyyy}/!{timestamp:MM}/!{timestamp:dd}/!{timestamp:HH}/
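A pre-flight check for the [S3 Prefix] value, added here as an example and not WafCharm's own code: it applies only the rule stated above (static prefixes are supported, `!{timestamp:...}` namespaces are not) and shows where the hourly objects should then appear in the bucket. The function names, the treatment of an empty prefix as the plain YYYY/MM/DD/HH case, the rejection of any other `!{...}` expression, and the use of UTC hours are assumptions.

```python
import re
from datetime import datetime, timezone

# Data Firehose custom-prefix expressions have the form !{namespace:value}.
EXPRESSION = re.compile(r"!\{(\w+):[^}]*\}")


def check_s3_prefix(prefix):
    """Classify a Data Firehose S3 prefix against the rule stated on this page.

    Returns (supported, reason). A static prefix (or none at all) leaves the
    default YYYY/MM/DD/HH layout in place, which is the supported form.
    """
    namespaces = EXPRESSION.findall(prefix)
    if "timestamp" in namespaces:
        return False, "custom timestamp namespace (listed as unsupported)"
    if namespaces:
        # Assumption: the page lists no other expression as supported.
        return False, "expression namespace '%s' is not a listed prefix" % namespaces[0]
    return True, "static prefix followed by YYYY/MM/DD/HH"


def expected_key_dir(prefix, when):
    """S3 'directory' where objects for the given hour should appear.

    `when` must be timezone-aware; it is converted to UTC (assumed default).
    """
    supported, reason = check_s3_prefix(prefix)
    if not supported:
        raise ValueError(reason)
    return prefix + when.astimezone(timezone.utc).strftime("%Y/%m/%d/%H/")


if __name__ == "__main__":
    # Constructed sample hour; the prefix shapes are the ones listed above.
    hour = datetime(2024, 5, 1, 13, 0, tzinfo=timezone.utc)
    samples = [
        "", "waflogs/", "firehoselogs/", "addedwaflogs/",
        "waflog/!{timestamp:yyyy}/!{timestamp:MM}/!{timestamp:dd}/!{timestamp:HH}/",
        "waflog/year=!{timestamp:yyyy}/month=!{timestamp:MM}/day=!{timestamp:dd}/hour=!{timestamp:HH}/",
    ]
    for p in samples:
        ok, reason = check_s3_prefix(p)
        where = expected_key_dir(p, hour) if ok else "-"
        print("%-11s %r -> %s (%s)" % ("supported" if ok else "UNSUPPORTED", p, where, reason))
```

Comparing the printed directory with the object keys actually present in the bucket confirms that the [S3 Prefix] value matches what Data Firehose writes.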
Please refer to the article below.
How to configure WAF log integration (old method) for AWS WAF v2
WAF log alert settings are equivalent to the Notification page in the old WafCharm Dashboard.
If you have enabled WAF log integration (new or old method) and WAF log alert, you can receive detection notification emails at the email addresses you have registered.