Overview

This article explains how to configure Log and Notification configuration on WAF Config if you are using the old plan and Legacy rule policy.

There are three configurations in this case.

Access log integration (required for ALB and CloudFront)
WAF log integration (optional)
WAF log alert (optional)

After you’ve completed the initial configuration, you can click the [Edit] button on the details page to change or add configurations.

Access logs integration

This configuration will transfer access logs from ALB and CloudFront to WafCharm.

By transferring access logs, WafCharm can aggregate a number of web requests and provide dynamic denylist by rematching signatures to access logs.

If you have more than one resource attached to your web ACL, please add Web Site Configs for each resource.

If you are using CloudFront, please see the [If you are using CloudFront] section first.

Procedure

Click the [Add Web Site Config] button under the [Access log retrieval] tab.
Enter your FQDN into the [target site FQDN] field.
This field is for management purposes only. The value can be optional. Please enter a value that makes it easy for you to manage the configurations.
Enter [S3 Path].
If your CloudFront access logs are outputted to S3://bucket-name/optional-prefix/ , enter the complete S3 path.
If your ALB access logs are outputted to S3://bucket-name/optional-prefix/AWSLogs/aws-account-id/elasticloadbalancing/region/ , enter the complete S3 path.
Select the credential to use under [Credential].
If you want to use the same credential as WAF Config, check [Reuse Credential in Basic Config].
If you want to select a different credential, uncheck [Reuse Credential in Basic Config] and choose the credential from the drop-down menu, or click the [Register new credential] link to add new credential information.
How to configure Credential Store for AWS WAF v2 (new plan/MP ver.)

If you have multiple resources (ALB and CloudFront) attached to your web ACL and want to register multiple Web Site Configs (S3 path to each resource's access logs), click the [Add Web Site Config] button to add another Web Site Config.

If you have accidentally added a Web Site Config, click the garbage can icon at the bottom right corner to delete it.

If you are using CloudFront

There are multiple ways to output access logs in CloudFront. However, WafCharm is only compatible with access logs from the type [S3 Legacy].

When using WafCharm, please select [Amazon S3 (Legacy)] as your logging destination and register the S3 Path of that configuration in Web Site Config.

Please note that you can select other destinations, such as Amazon S3 and CloudWatch Logs, in addition to Amazon S3 (Legacy), in the CloudFront logging setting. Please refrain from registering S3 Path from Amazon S3 because WafCharm is only compatible with access logs from Amazon S3 (Legacy).

In addition, if you are configuring both [Amazon S3] and [Amazon S3 Legacy], please set different paths. If the S3 destination log file path conflicts with another S3 destination, access logs will overwrite one another, and WafCharm may be unable to use the transferred access logs.

Deleting a registered Web Site Config

Open the list of WAF Config.
Click on the target WAF Config.
Click the [Edit] button.
Click the [Log and Notification Configuration] tab.
Click the [Web Site Config: FQDN value] bar.
"FQDN value" is the actual FQDN value you registered when adding a Web Site Config.
Check the [Delete this Web Site Config] checkbox and click the [Add] button.

Limitations and Notes

Web Site Config is required for WAF Config (web ACL) associated with ALB and CloudFront.
Web Site Config is not required for API Gateway because the dynamic denylist feature is unavailable for API Gateway access logs.
If you are using CloudFront, please note the following.
- CloudFront access logs have multiple destinations, but please use [S3 Legacy] with WafCharm because WafCharm is only compatible with Amazon S3 (Legacy).
- Please refrain from outputting access logs from multiple CloudFront distributions to the same S3 path.
- WafCharm is incompatible with CloudFront's real-time logs.

WAF log retrieval

There are two methods of WAF log retrieval: the new method and the old method.

The new method allows users to enable WAF log-related features by opting in with a WAF log retrieval checkbox.

The old method is the same as the one available on the old WafCharm Dashboard, which uses Lambda to transfer WAF logs.

If you are using the Legacy rule policy, you can use both, but it is recommended to switch to the new method.

*Currently, WAF log retrieval is limited to old plan users. If you want to use the new method, please contact the WafCharm support team with details on logging configurations per WAF Config.

Enabling WAF log retrieval is optional. If you want to refrain from configuring this option, do not check the [Enable WAF log retrieval] checkbox under the [WAF log retrieval] tab when adding a WAF Config. In addition, please avoid configuring the old method (Lambda method).

The new method

The new method enables the blocked status on the Dashboard page, the WAF log search feature, the monthly report feature, and the WAF log alert (detection notification) feature.

Currently, WAF log retrieval is limited to old plan users. If you want to use the new method, please contact the WafCharm support team with the information below (details on logging configurations per WAF Config).

Name of the target WAF Config.
Log Output Destination Pattern (Direct S3 Output or Via Data Firehose).
S3 bucket name and the path of the WAF log destination.
- Please go to the directory where your WAF logs are outputted and provide us with the complete path.
- Example:
  - Direct S3 Output: [S3 bucket name]/AWSLogs/[AWS Account ID]/WAFLogs/[Region]/[Web ACL Name]/2024/07/01/02/55/
  - Via Data Firehose: [S3 bucket name]/2024/06/10/07/
S3 bucket's region (e.g.: us-east-1).

Preparations

If you are using the new method, please check the items below before you begin.

Logging is enabled on the target web ACL, and WAF logs are outputted with either of the options below.
- S3 bucket
- Amazon Data Firehose
- Please keep in mind that WAF log retrieval does not support WAF logs outputted via CloudWatch Logs.
Redact any fields that contain personal information on WAF logs
- Please refer to the AWS documents on field redaction for more information.

Notes

You are required to determine if your WAF logs contain any personal information and which fields to redact.
The redacted fields will not contain meaningful data, so the redacted information cannot be used in the features below.
- Blocked status on the Dashboard page and WAF log search feature
  - Redacted data will not be shown on the blocked status and cannot be searched.
  - Example: If the URI is redacted, the dynamic denylist feature cannot inspect it even if it contains suspicious information. In addition, the blocked status on the Dashboard page and the WAF log search feature cannot use URIs to show or search the data.
If you change the Logging settings of your web ACL on the AWS management console, please click the [Reapply] button on the WAF Config.

How to setup

Under the [WAF log retrieval] tab in [Log and Notification configuration], check the [Enable WAF log retrieval] checkbox.
Ensure that all the necessary data is redacted. Check each checkbox under the message [Read and check the following notes before enabling the feature].
Enter the S3 bucket name and prefix.
For example, if your WAF logs are outputted to the S3 bucket with the name csc-waftest , enter csc-waftest under the [S3 Bucket Name] field.
If WAF logs are outputted directly to your S3 bucket, [S3 Prefix] can be left as-is (empty) in most cases. If you used CLI to create your S3 bucket and added a prefix, please enter the prefix value.
If you are using Data Firehose, please enter information about your Amazon S3 destination.
In addition, please enter the complete path to the destination of your WAF logs in the [S3 Prefix] field for Data Firehose. For the dates and time (hour), please replace the numbers with YYYY, MM, DD, and HH. For more details on specifying the S3 prefix, refer to the Notes on using Amazon Data Firehose below.
Select the S3 Region and Credential to use.

Notes on using Amazon Data Firehose

If you are using Data Firehose, please enter the complete path to the destination of your WAF logs in the [S3 Prefix] field. For the dates and time (hour), please replace the numbers with YYYY, MM, DD, and HH.
- Below are examples of what to enter in the [S3 Prefix] field:
  - If the S3 bucket prefix in the Destination settings on Data Firehose is set to waflog/:
    - Value to enter in the [S3 Prefix] field: waflog/YYYY/MM/DD/HH
  - If the S3 bucket prefix in the Destination settings on Data Firehose is set to waflog/!{timestamp:yyyy}/!{timestamp:MM}/!{timestamp:dd}/!{timestamp:HH}:
    - Value to enter in the [S3 Prefix] field: waflog/YYYY/MM/DD/HH
  - If the S3 bucket prefix in the Destination settings on Data Firehose is set to waflog/year=!{timestamp:yyyy}/month=!{timestamp:MM}/day=!{timestamp:dd}/hour=!{timestamp:HH}/:
    - Value to enter in the [S3 Prefix] field: waflog/year=YYYY/month=MM/day=DD/hour=HH
  - If the S3 bucket prefix in the Destination settings on Data Firehose is set to none (S3 bucket prefix is not specified):
    - Value to enter in the [S3 Prefix] field: YYYY/MM/DD/HH
Make sure to compress your WAF log file as GZIP.

The old method

Please refer to the article below.

How to configure WAF log integration (old method) for AWS WAF v2

Notes

You can enable both new and old methods, but the notification emails will duplicate because the same WAF logs are sent to WafCharm (i.e., two notification emails are sent for a single WAF log). If you want to refrain from receiving duplicate notifications, please choose one of the two methods.

WAF log alert

WAF log alert settings are equivalent to the Notification page in the old WafCharm Dashboard.

If you have enabled WAF log integration (new or old method) and WAF log alert, you can receive detection notification emails at the email addresses you have registered.

WafCharm Email Notification
- This is an option to switch the notification detection between ON and OFF. If you choose ON, notifications are sent via email when there are detected (count or block) WAF logs. If you choose OFF, notifications will not be sent even if you have WAF log retrieval enabled.
Managed Rule Email Notification
- This feature is only available if you use our Managed Rule with WafCharm for AWS WAF Classic.
- This feature is not available for AWS WAF v2, so choose OFF.

Notes

Each email (log file) contains details of a maximum of 10 detections.
The notification interval depends on the WAF log output interval.
- For the S3 bucket option, the interval is 5 minutes.
- For the Amazon Data Firehose option, it depends on the values specified in the buffer interval and buffer size.
If you have registered WAF Configs (web ACLs) for different AWS WAF versions (Classic or v2) on WafCharm and wish to use this feature for both WAF Configs, please do not use the same Lambda.
- The index.mjs used by Lambda is different for AWS WAF Classic and AWS WAF v2. If you use the wrong version, the WAF log transfer will fail.

How to configure access logs/WAF log integration for AWS WAF v2 Legacy

Overview

Access logs integration

Procedure

If you are using CloudFront

Deleting a registered Web Site Config

Limitations and Notes

WAF log retrieval

The new method

Preparations

Notes

How to setup

Notes on using Amazon Data Firehose

The old method

Notes

WAF log alert

Notes