You Can Now Choose Between CloudWatch Logs and S3 as the Output Destination for AWS WAF Logs

Table of Contents

  1. Introduction
  2. Setting up CloudWatch Logs
  3. Setting up S3
  4. WafCharm's support status
  5. Conclusion

    1. Introduction

    On November 15, 2021, PTD, AWS WAF was updated to allow direct log output to CloudWatch Logs or S3.

    Previously, the only option was to output logs through Kinesis Data Firehose.
    Kinesis Data Firehose loads streaming data into data stores and analysis tools in near real time.

    https://www.wafcharm.com/blog/aws-waf-full-log-s3-output-jp/

    Many WafCharm customers may have configured Kinesis Data Firehose in order to use WafCharm's "reporting/notification" feature.

    In this article, I will explain how to configure the destinations other than Kinesis Data Firehose and how WafCharm supports them.

    2. Setting up CloudWatch Logs

    Open the Web ACL you want to configure and select "Logging and metrics".

    Select "Enable" for the Logging item.

    Select "CloudWatch Logs log group" as the destination and select "Create new".

    When the CloudWatch log group creation screen appears, enter the log group name.
    There is a restriction on the log group name, and it must start with "aws-waf-logs-".

    Return to the Edit Logging screen, select the log group you created, and save it to complete the configuration.

    You can also run a query in CloudWatch Logs Insights to view the results.

    I was able to confirm that the logs were retrieved from the search results.

    3. Setting up S3

    Open the Web ACL you want to configure and select "Logging and metrics".

    Select "Enable" for the Logging item.

    Select "S3 bucket" as the destination and select "Create new".

    When the bucket creation screen appears, enter a bucket name.
    There is a restriction on the bucket name, and it must start with "aws-waf-logs-".

    Return to the logging edit screen, select the bucket you created, and save it to complete the configuration.

    Looking at the S3 bucket, we can see that the output is being generated every 5 minutes.
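
The console steps in sections 2 and 3 can also be scripted. The following is an added example, not code from the original article or from WafCharm: it checks the "aws-waf-logs-" naming restriction before building the destination ARN, then calls the AWS WAF `PutLoggingConfiguration` API through boto3. The function names, the sample arguments, and the assumption that the web ACL is regional and the S3 bucket already exists are illustrative.

```python
import re

REQUIRED_PREFIX = "aws-waf-logs-"  # naming restriction described in the article


def destination_arn(kind, name, region=None, account_id=None):
    """Return the destination ARN, rejecting names AWS WAF would refuse."""
    if not name.startswith(REQUIRED_PREFIX) or name == REQUIRED_PREFIX:
        raise ValueError(f"{name!r} must start with {REQUIRED_PREFIX!r} plus a suffix")
    if kind == "s3":
        # S3 bucket names: 3-63 chars of lowercase letters, digits, dots, hyphens.
        if not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", name):
            raise ValueError(f"{name!r} is not a valid S3 bucket name")
        return f"arn:aws:s3:::{name}"
    if kind == "cloudwatch":
        if not (region and account_id):
            raise ValueError("a log group ARN needs region and account_id")
        # Log group names: up to 512 chars from this character set.
        if not re.fullmatch(r"[A-Za-z0-9_./#-]{1,512}", name):
            raise ValueError(f"{name!r} is not a valid log group name")
        return f"arn:aws:logs:{region}:{account_id}:log-group:{name}"
    raise ValueError(f"unknown destination kind: {kind!r}")


def logging_configuration(web_acl_arn, dest_arn):
    """Build the structure passed to wafv2 PutLoggingConfiguration."""
    return {"ResourceArn": web_acl_arn, "LogDestinationConfigs": [dest_arn]}


def enable_logging(web_acl_arn, kind, name, region, account_id):
    """Point a regional web ACL at the destination (needs boto3 and credentials)."""
    import boto3  # imported here so the helpers above work without it

    arn = destination_arn(kind, name, region, account_id)
    if kind == "cloudwatch":
        logs = boto3.client("logs", region_name=region)
        try:
            logs.create_log_group(logGroupName=name)
        except logs.exceptions.ResourceAlreadyExistsException:
            pass  # reuse the existing group
    # Assumption: an S3 bucket with this name already exists.
    waf = boto3.client("wafv2", region_name=region)
    return waf.put_logging_configuration(
        LoggingConfiguration=logging_configuration(web_acl_arn, arn)
    )
```
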

    4. WafCharm's support status

    In WafCharm, when you use the "Report/Notification" function, the WAF logs are output using Kinesis Data Firehose. Please wait for support of direct log storage to S3; we are planning to support this feature.

    5. Conclusion

    We think this is a great option for those who do not need the near-real-time confirmation that Kinesis Data Firehose provides. It is also possible to link to email and chat tools via CloudWatch, so we think it has become easier and more flexible to use logs.