Overview
There are two methods of WAF log integration: the new method and the old method. The new method allows users to enable WAF log-related features by opting in with a WAF log retrieval checkbox. Only the new method is available for advanced rules policy.
This article describes the procedure to enable WAF log retrieval with the new method for AWS WAF v2.
Preparations
If you are using the new method, please check the items below before you begin.
- Logging is enabled on the target web ACL, and WAF logs are written directly to an S3 bucket.
  - See the Enabling logging for a web ACL page in the AWS documentation for how to enable WAF logs.
- If you are using the Advanced rule policy, WAF logs must be written to an S3 bucket.
- The logging destinations listed below are not supported.
  - Amazon Data Firehose
  - CloudWatch Logs
- Any fields in the WAF logs that contain personal information are redacted.
  - Please refer to the AWS documentation on field redaction for more information.
Notes
- You are required to determine whether your WAF logs contain any personal information and which fields to redact.
- Redacted fields contain no meaningful data, so the redacted information cannot be used by the features below.
  - Dynamic denylist (signature re-matching) feature
    - Redacted data is not inspected when WAF logs are re-matched against WafCharm's signatures.
  - Blocked status on the Dashboard page and the WAF log search feature
    - Redacted data is not shown in the blocked status and cannot be searched.
  - Example: If the URI is redacted, the dynamic denylist feature cannot inspect it even if it contains suspicious content. In addition, the blocked status on the Dashboard page and the WAF log search feature cannot use URIs to display or search the data.
- If you change the Logging settings of your web ACL on the AWS Management Console, please click the [Reapply] button on the WAF Config.
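The checks in Preparations and the redaction trade-off in Notes can both be exercised before you touch the console. The script below is an added example, not WafCharm's or AWS's own code: it builds a logging configuration in the shape accepted by the WAF v2 `PutLoggingConfiguration` API, verifies that the destination is an S3 bucket (rejecting Firehose and CloudWatch Logs destinations) whose name carries the `aws-waf-logs-` prefix AWS requires, flags a redacted URI because the page says URI-based features then have nothing to work with, and previews what a sample log record looks like after redaction. The web ACL ARN, bucket name and sample record are constructed placeholders; replacing redacted values with the string `REDACTED` mirrors what AWS WAF writes in the delivered logs.

```python
import copy
import json
import re

# Constructed placeholders; substitute your own web ACL ARN and bucket.
WEB_ACL_ARN = ("arn:aws:wafv2:ap-northeast-1:123456789012:regional/webacl/"
               "example/11111111-2222-3333-4444-555555555555")
LOG_BUCKET_ARN = "arn:aws:s3:::aws-waf-logs-example-bucket"

# Shape passed to wafv2.put_logging_configuration(LoggingConfiguration=...).
# Each RedactedFields entry is a FieldToMatch object.
LOGGING_CONFIGURATION = {
    "ResourceArn": WEB_ACL_ARN,
    "LogDestinationConfigs": [LOG_BUCKET_ARN],
    "RedactedFields": [
        {"SingleHeader": {"Name": "cookie"}},
        {"SingleHeader": {"Name": "authorization"}},
        {"QueryString": {}},
    ],
}

_DEST_PATTERNS = {
    "s3": re.compile(r"^arn:aws:s3:::(?P<name>[^/]+)$"),
    "firehose": re.compile(r"^arn:aws:firehose:[^:]+:\d+:deliverystream/(?P<name>.+)$"),
    "cloudwatch": re.compile(r"^arn:aws:logs:[^:]+:\d+:log-group:(?P<name>.+)$"),
}


def classify_destination(arn):
    """Return (kind, name) for a log destination ARN; kind is 'unknown' if unrecognised."""
    for kind, pattern in _DEST_PATTERNS.items():
        match = pattern.match(arn)
        if match:
            return kind, match.group("name")
    return "unknown", None


def redacted_field_names(cfg):
    """Flatten RedactedFields into labels such as 'UriPath' or 'SingleHeader:cookie'."""
    names = []
    for field in cfg.get("RedactedFields", []):
        kind, spec = next(iter(field.items()))
        if kind in ("SingleHeader", "SingleQueryArgument"):
            names.append(f"{kind}:{spec['Name'].lower()}")
        else:
            names.append(kind)
    return names


def check_logging_configuration(cfg):
    """Return a list of problems; an empty list means the configuration passes."""
    problems = []
    dests = cfg.get("LogDestinationConfigs", [])
    if len(dests) != 1:
        problems.append("exactly one log destination is expected")
    for arn in dests:
        kind, name = classify_destination(arn)
        if kind != "s3":
            problems.append(f"unsupported destination type {kind!r}: {arn}")
        # AWS WAF requires every logging destination name to start with this prefix.
        if name is None or not name.startswith("aws-waf-logs-"):
            problems.append(f"destination name must start with 'aws-waf-logs-': {arn}")
    # A redacted URI leaves the dynamic denylist, dashboard and log search without URI data.
    if "UriPath" in redacted_field_names(cfg):
        problems.append("UriPath is redacted; URI-based features will have no data to use")
    return problems


def preview_redaction(record, cfg):
    """Simulate AWS WAF field redaction (value replaced with 'REDACTED') on one log record."""
    out = copy.deepcopy(record)
    req = out["httpRequest"]
    for label in redacted_field_names(cfg):
        if label == "UriPath":
            req["uri"] = "REDACTED"
        elif label == "QueryString":
            req["args"] = "REDACTED"
        elif label.startswith("SingleHeader:"):
            wanted = label.split(":", 1)[1]
            for header in req.get("headers", []):
                if header["name"].lower() == wanted:
                    header["value"] = "REDACTED"
    return out


# Constructed sample in the shape of an AWS WAF log record (abridged).
SAMPLE_RECORD = {
    "timestamp": 1700000000000,
    "webaclId": WEB_ACL_ARN,
    "action": "BLOCK",
    "httpRequest": {
        "clientIp": "203.0.113.10",
        "uri": "/login",
        "args": "user=alice&next=%2Fadmin",
        "httpMethod": "POST",
        "headers": [
            {"name": "Host", "value": "www.example.com"},
            {"name": "Cookie", "value": "session=abc123"},
            {"name": "User-Agent", "value": "curl/8.0"},
        ],
    },
}

if __name__ == "__main__":
    print("problems:", check_logging_configuration(LOGGING_CONFIGURATION) or "none")
    print(json.dumps(preview_redaction(SAMPLE_RECORD, LOGGING_CONFIGURATION), indent=2))
```

Run it once with your intended `RedactedFields` list: if the redaction preview removes the values you expect WafCharm's dynamic denylist or log search to inspect, that is the trade-off the Notes describe, and you should decide it before registering the WAF Config rather than after.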
Configuring the WAF log retrieval option on the Advanced rule policy
- Under the [WAF log retrieval] tab in [Log and Notification configuration], check the [Enable WAF log retrieval] checkbox.
- Ensure that the WAF logs are written to an S3 bucket and that all the necessary data is redacted, then check each checkbox under the message [Read and check the following notes before enabling the feature].
After you register the WAF Config, you will see the S3 bucket path from which the WAF logs are retrieved next to the [S3 Bucket] under the [Log and Notification configuration] tab on the WAF Config's details page. Please make sure the displayed value is as expected.
As stated above, if you change the Logging settings of your web ACL on the AWS Management Console, you must click the [Reapply] button on the WAF Config. If the S3 bucket configured as the WAF log destination on the AWS Management Console differs from the S3 bucket path displayed on the WAF Config's details page in the WafCharm Console, please click the [Reapply] button.
Configuring WAF log alert
- Click the [WAF log alert] tab on the [Log and Notification configuration] page.
- Check the [Use WAF log alerts] checkbox.
- Enter the email addresses to receive the notification emails.
If WAF log retrieval is not enabled, the [Use WAF log alerts] checkbox will be disabled. If you cannot click on the [Use WAF log alerts] checkbox, please enable WAF log retrieval first.