WAF uses Amazon Kinesis Data Firehose to ingest logs. This allows logs to be delivered to any Kinesis Data Firehose destination, such as Amazon S3, Amazon Redshift or Amazon Elasticsearch Service. To enable logging of requests in your Web ACL, you must first create a Kinesis Data Firehose delivery stream whose name begins with aws-waf-logs-.
Here is an example WAF log record for a single request. Note that you receive details on the rule that terminated the evaluation of the request (terminatingRuleId, and in terminatingRuleMatchDetails the condition that matched, where in the request it matched and the matched data). The log also contains the action taken on that request.
{
  "timestamp": 1576280412771,
  "formatVersion": 1,
  "webaclId": "arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE",
  "terminatingRuleId": "STMTest_SQLi_XSS",
  "terminatingRuleType": "REGULAR",
  "action": "BLOCK",
  "terminatingRuleMatchDetails": [
    {
      "conditionType": "SQL_INJECTION",
      "location": "HEADER",
      "matchedData": ["10", "AND", "1"]
    }
  ],
  "httpSourceName": "-",
  "httpSourceId": "-",
  "ruleGroupList": [],
  "rateBasedRuleList": [],
  "nonTerminatingMatchingRules": [],
  "httpRequest": {
    "clientIp": "1.1.1.1",
    "country": "AU",
    "headers": [
      {
        "name": "Host",
        "value": "localhost:1989"
      },
      {
        "name": "User-Agent",
        "value": "curl/7.61.1"
      },
      {
        "name": "Accept",
        "value": "*/*"
      },
      {
        "name": "x-stm-test",
        "value": "10 AND 1=1"
      }
    ],
    "uri": "/foo",
    "args": "",
    "httpVersion": "HTTP/1.1",
    "httpMethod": "GET",
    "requestId": "rid"
  }
}
Log analysis is key to ensuring the effectiveness of WAF rules, in addition to troubleshooting individual issues. Logs exported to Amazon Elasticsearch Service can be queried, and Kibana can be used alongside Amazon Elasticsearch Service to visualise the WAF logs. S3 Select can be used to perform SQL queries against individual WAF log files in S3. Queries can be performed in the console, or using the AWS CLI or SDKs. WAF writes one JSON record per line, so when querying with S3 Select choose JSON input of type LINES (and GZIP compression if your Firehose compresses its output).
For example, the following S3 Select query counts how many requests in the log file were blocked. (Without the alias, S3 Select names the COUNT(*) column _1.)
SELECT COUNT(*) AS "count"
FROM S3Object s
WHERE s."action" = 'BLOCK'
/*
Result
{
"count": 18
}
*/
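The S3 Select query gives a single total. When tuning rules you usually want the same question broken down: which rule is doing the blocking, what it matched on, and which clients keep tripping it. The following is an added example, not code from the original workshop page; it walks a newline-delimited WAF log file the way a small offline analysis script would. The three log records embedded in it are constructed for the example (the first mirrors the record shown above; the other two are invented to show an ALLOW and a block by a rule inside a managed rule group, where the deciding rule is reported under ruleGroupList rather than in the top-level terminatingRuleId).

```python
import json
from collections import Counter

# Constructed sample of newline-delimited WAF log records (not captured traffic).
# Record 1 mirrors the example on this page; records 2 and 3 are invented to show
# an ALLOW and a block decided by a member rule of a managed rule group.
SAMPLE_LOG = """\
{"timestamp":1576280412771,"formatVersion":1,"webaclId":"arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional/webacl/STMTest/1EXAMPLE","terminatingRuleId":"STMTest_SQLi_XSS","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","AND","1"]}],"ruleGroupList":[],"httpRequest":{"clientIp":"1.1.1.1","country":"AU","headers":[{"name":"Host","value":"localhost:1989"},{"name":"x-stm-test","value":"10 AND 1=1"}],"uri":"/foo","args":"","httpMethod":"GET","requestId":"r1"}}
{"timestamp":1576280413100,"formatVersion":1,"webaclId":"arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional/webacl/STMTest/1EXAMPLE","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","terminatingRuleMatchDetails":[],"ruleGroupList":[],"httpRequest":{"clientIp":"2.2.2.2","country":"AU","headers":[{"name":"Host","value":"localhost:1989"}],"uri":"/","args":"","httpMethod":"GET","requestId":"r2"}}
{"timestamp":1576280414200,"formatVersion":1,"webaclId":"arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional/webacl/STMTest/1EXAMPLE","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"XSS","location":"QUERY_STRING","matchedData":["<script>"]}],"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":{"ruleId":"CrossSiteScripting_QUERYARGUMENTS","action":"BLOCK"},"nonTerminatingMatchingRules":[]}],"httpRequest":{"clientIp":"1.1.1.1","country":"AU","headers":[{"name":"Host","value":"localhost:1989"}],"uri":"/search","args":"q=%3Cscript%3E","httpMethod":"GET","requestId":"r3"}}
"""


def parse_waf_log(text):
    """Parse newline-delimited JSON as WAF writes it; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def effective_rule(record):
    """Name the rule that actually decided the request.

    For a rule group the top-level terminatingRuleId is only the group; the
    member rule that fired is reported under ruleGroupList[].terminatingRule.
    """
    for group in record.get("ruleGroupList", []):
        term = group.get("terminatingRule")
        if term:
            return f'{record["terminatingRuleId"]}/{term["ruleId"]}'
    return record["terminatingRuleId"]


def count_by_action(records):
    """Requests per action (ALLOW, BLOCK, COUNT ...)."""
    return Counter(r["action"] for r in records)


def blocks_by_rule(records):
    """Blocked requests per deciding rule: the S3 Select total, broken down."""
    return Counter(effective_rule(r) for r in records if r["action"] == "BLOCK")


def match_details(records):
    """(requestId, clientIp, uri, conditionType, location, matched text) per match."""
    rows = []
    for r in records:
        req = r["httpRequest"]
        for d in r.get("terminatingRuleMatchDetails", []):
            rows.append((req["requestId"], req["clientIp"], req["uri"],
                         d["conditionType"], d["location"], " ".join(d["matchedData"])))
    return rows


def top_client_ips(records, action="BLOCK", n=5):
    """Most frequent client IPs for a given action (default: blocked)."""
    return Counter(r["httpRequest"]["clientIp"]
                   for r in records if r["action"] == action).most_common(n)


if __name__ == "__main__":
    recs = parse_waf_log(SAMPLE_LOG)
    print("by action:", dict(count_by_action(recs)))
    for rule, n in blocks_by_rule(recs).most_common():
        print(f"{n:4d}  {rule}")
    for row in match_details(recs):
        print(row)
    print("top blocked IPs:", top_client_ips(recs))
```

To run it over a real file downloaded from the Firehose bucket, pass the file contents to parse_waf_log (gunzip first if the stream compresses its output). Keying the breakdown on effective_rule rather than terminatingRuleId is what makes the report useful once managed rule groups are in play; otherwise every block from a group collapses into one line.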
The Juice Shop is growing rapidly. Great work! Now that you have a set of rules, it is becoming more difficult to reason about which rule is responsible for blocking a request. It would be helpful to have some logs. To do this, you need to enable logging for your Web ACL to an S3 bucket.
Your logs contain a sensitive header, named Cookie. You don't want this to be stored in your logs. You will need to configure the redaction of this header in the logs.
Use Logging Web ACL Traffic Information to help you.
1. Create an S3 bucket to receive the logs. Hint: give the bucket name the prefix aws-waf-logs-workshop-. This is to help you find it later.
2. Create a Kinesis Data Firehose delivery stream. When using a Kinesis Data Firehose to ingest WAF requests, the Firehose name must have the prefix aws-waf-logs-. Hints: create it in us-east-1. This is required when capturing logs for CloudFront. Use the S3 bucket from the previous step as your destination. Name it with the prefix aws-waf-logs-workshop-; the aws-waf-logs- part is required by the WAF service.
3. Enable logging for your Web ACL to the Firehose, redacting the Cookie header (the Juice Shop cookie) in your logs.
4. Generate some traffic so that records are written to the logs:
curl "$JUICESHOP_URL?username=admin"
curl "${JUICESHOP_URL}?milkshake=banana&favourite-topping=sauce"
curl -H "x-milkshake: chocolate" "${JUICESHOP_URL}"
5. Does your logging configuration redact the Cookie field? View the redacted fields for a logging configuration with the get-logging-configuration CLI command.
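Two things in the steps above are easy to get wrong silently: the delivery stream's name and region must satisfy WAF's constraints, and the Cookie redaction only applies to requests logged after it is configured, so earlier records in the bucket still carry cookies. The following is an added example, not part of the original workshop; it builds the request body for put-logging-configuration with the Cookie header redacted, checks the constraints the steps describe (aws-waf-logs- prefix, us-east-1 for a CloudFront web ACL, same region for a regional one), and scans a log file for Cookie headers that were not replaced with REDACTED. The ARNs and the two embedded log records are placeholders constructed for the example; substitute your own web ACL and stream ARNs.

```python
import json

FIREHOSE_NAME_PREFIX = "aws-waf-logs-"   # WAF only accepts delivery streams named this way

# Placeholder ARNs (assumed values for the example; replace with your own).
WEB_ACL_ARN = "arn:aws:wafv2:us-east-1:123456789012:global/webacl/juiceshop/1EXAMPLE"
FIREHOSE_ARN = "arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-workshop-juiceshop"

# Constructed sample log lines: r1 was logged after redaction was enabled, r2 before.
SAMPLE_LOG = """\
{"timestamp":1576280500000,"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"1.1.1.1","headers":[{"name":"Host","value":"localhost:1989"},{"name":"Cookie","value":"REDACTED"}],"uri":"/","requestId":"r1"}}
{"timestamp":1576280400000,"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"1.1.1.1","headers":[{"name":"Host","value":"localhost:1989"},{"name":"Cookie","value":"token=eyJhbGciOiJSUzI1NiJ9.example"}],"uri":"/","requestId":"r2"}}
"""


def build_logging_configuration(web_acl_arn, firehose_arn, redacted_headers=("cookie",)):
    """Body for: aws wafv2 put-logging-configuration --logging-configuration file://logging.json

    Header names are matched case-insensitively by WAF; lowercase is conventional.
    """
    return {
        "ResourceArn": web_acl_arn,
        "LogDestinationConfigs": [firehose_arn],
        "RedactedFields": [{"SingleHeader": {"Name": h}} for h in redacted_headers],
    }


def validate_logging_configuration(cfg):
    """Return a list of problems; an empty list means the workshop constraints hold."""
    problems = []
    acl = cfg["ResourceArn"].split(":")
    acl_region, acl_scope = acl[3], acl[5].split("/", 1)[0]   # "global" (CloudFront) or "regional"
    for arn in cfg["LogDestinationConfigs"]:
        parts = arn.split(":")   # arn:aws:firehose:REGION:ACCOUNT:deliverystream/NAME
        if len(parts) != 6 or parts[2] != "firehose" or not parts[5].startswith("deliverystream/"):
            problems.append(f"not a Kinesis Data Firehose delivery stream ARN: {arn}")
            continue
        name, region = parts[5].split("/", 1)[1], parts[3]
        if not name.startswith(FIREHOSE_NAME_PREFIX):
            problems.append(f"delivery stream name must start with {FIREHOSE_NAME_PREFIX}: {name}")
        if acl_scope == "global" and region != "us-east-1":
            problems.append(f"CloudFront web ACL logs must go to a stream in us-east-1, not {region}")
        if acl_scope == "regional" and region != acl_region:
            problems.append(f"regional web ACL in {acl_region} needs a stream in the same region, not {region}")
    redacted = {f["SingleHeader"]["Name"].lower()
                for f in cfg.get("RedactedFields", []) if "SingleHeader" in f}
    if "cookie" not in redacted:
        problems.append("Cookie header is not listed in RedactedFields")
    return problems


def unredacted_cookies(log_text):
    """requestIds whose Cookie header still carries a real value.

    WAF writes REDACTED as the value of a redacted header, so any other value
    means redaction was not in force when that request was logged.
    """
    leaks = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for h in rec["httpRequest"].get("headers", []):
            if h["name"].lower() == "cookie" and h["value"] != "REDACTED":
                leaks.append(rec["httpRequest"]["requestId"])
    return leaks


if __name__ == "__main__":
    cfg = build_logging_configuration(WEB_ACL_ARN, FIREHOSE_ARN)
    print(json.dumps(cfg, indent=2))          # save as logging.json for the CLI
    print("problems:", validate_logging_configuration(cfg))
    print("requests logged with a live cookie:", unredacted_cookies(SAMPLE_LOG))
```

Write the printed configuration to logging.json and apply it with aws wafv2 put-logging-configuration --logging-configuration file://logging.json; aws wafv2 get-logging-configuration --resource-arn "$WEB_ACL_ARN" then shows the RedactedFields that are in force, which is the check step 5 asks for. Any requestIds returned by unredacted_cookies point at objects in the bucket written before redaction was enabled; those objects should be deleted rather than kept alongside the redacted ones.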
WAF allows you to capture request logs and store them in any Kinesis Data Firehose destination. The logs describe each request, together with the action taken and the rule that decided it. This information can be invaluable when operating a WAF. Use field redaction to avoid logging sensitive information such as the Cookie header.