AWS Web Application Firewall (WAF) logs
The AWS Web Application Firewall (WAF) Matano managed log source lets you ingest your AWS WAF protected traffic logs directly into Matano.
WAF traffic logs provide detailed information about traffic that is analyzed by your web access control lists (ACLs). The AWS WAF managed log source supports AWS WAF but not AWS WAF Classic.
Usage
Use the managed log source by specifying the managed.type
property in your log_source
as AWS_WAF
.
name: "aws_waf"
managed:
type: "AWS_WAF"
Tables
The AWS WAF managed log source supports a single table containing WAF traffic logs.
Ingest
S3
AWS WAF logging must be enabled on your Web ACL and configured to deliver to the desired S3 Bucket ARN. For more on configuring a Web ACL to deliver traffic logs, see the relevant AWS documentation:
You can provide the S3 bucket you are using for delivery to Matano by using the ingest.s3_source
configuration in your log_source.yml
(Bring your own bucket).
Schema
AWS WAF log data is normalized to ECS fields. Custom fields are normalized into the aws.waf
field. You can view the complete mapping to see the full schema.