How do I sanitize AWS WAF logging?
I want to log blocked requests in AWS WAF. However, I don't want to log all the requests that are analyzed by my web access control list (web ACL).
Short description
With AWS WAF log filtering, you can filter logged web requests to keep only the information that you want to analyze. You can specify whether a web request is kept in the log or discarded from it after inspection. This reduces log delivery and storage costs because AWS WAF publishes only the logs that you require.
To filter AWS WAF logs, first turn on AWS WAF logging.
To sanitize your logs, implement field redaction and log filtering.
Field redaction: Redact parts of the request that you want to keep out of the logs. You can omit the following fields from your log records: URI path, Query string, Single header, and HTTP method. Redacted fields appear as REDACTED in the logs.
Log filtering: Specify filter conditions to keep or drop log entries based on the rule action taken on the request or on labels that rules added during evaluation. To filter AWS WAF logs on a label, specify the label's fully qualified name. Use the following format: awswaf:account_number:webacl:webacl_name:namespace:label_name.
Note: There's no additional charge for you to use AWS log filtering. However, charges do apply for logging destinations. This includes Amazon CloudWatch, Amazon Simple Storage Service (Amazon S3) buckets, and Amazon Data Firehose delivery streams.
Use the AWS WAF console to turn on AWS WAF log filtering
- Open the AWS WAF console.
- For Region, select the AWS Region where you created your web ACL.
Note: If your web ACL is set up for Amazon CloudFront, then select Global.
- Select your web ACL.
- Choose Logging and Metrics.
- Under Logging, choose Edit.
- For Redacted Fields, select the fields that you want to omit from the logs.
Note: Specify custom headers if you want to redact a single header field.
- For Filter logs, choose Add filter.
- Add one or more filter conditions. Then, select the criteria to either Match all of the filter conditions or Match at least one of the filter conditions.
- For Filter conditions, select either Rule Action on request or Request has label.
For Rule Action, select a rule action for AWS WAF logs to filter by. For example: Allow, Block, Count, CAPTCHA, or Challenge.
For Request has label, enter the label that AWS WAF added to the request during evaluation.
- For Filter behavior, choose either Keep in logs or Drop from logs.
- Select the default logging behavior.
- Choose Save.
Use AWS Command Line Interface (AWS CLI) to turn on AWS WAF log filtering
Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
- To get your current logging configuration, run get-logging-configuration:
Note: Replace region with your web ACL's AWS Region, resource-arn with your web ACL's Amazon Resource Name (ARN), and webacl_name with your web ACL's name.

```shell
aws wafv2 get-logging-configuration --region region --resource-arn arn:aws:wafv2:region:account_number:regional/webacl/webacl_name/webacl_id > waf.json
```
- Open the logging configuration file and then add the following JSON filters:
Note: Replace the filters and filter actions with your required filters.

```json
"LoggingFilter": {
  "DefaultBehavior": "string",
  "Filters": [
    {
      "Behavior": "string",
      "Conditions": [
        {
          "ActionCondition": {
            "Action": "string"
          },
          "LabelNameCondition": {
            "LabelName": "string"
          }
        }
      ],
      "Requirement": "string"
    }
  ]
}
```
- To update your logging configuration, run put-logging-configuration:
Note: Replace region with your web ACL's Region.

```shell
aws wafv2 put-logging-configuration --region region --cli-input-json file://waf.json
```
Log only blocked requests
To log only the requests that AWS WAF blocked, filter on Rule Action and set the action to Block. Block is a terminating action in AWS WAF. AWS WAF log filters check the terminating rule action recorded in each log entry. If that action is Block, then the log filter keeps the entry in the log.
Log the Count requests from a rule group
Whether log filtering for the Count action catches a request depends on how the rule in the rule group is configured:
The action for a rule in a rule group is set to Count: Logs for requests that match this rule don't contain a Count action. Instead, the AWS WAF logs show this rule under the excludedRules field. AWS WAF doesn't check this field when the logs are filtered for Count, so these requests aren't matched by a log filter on the Count action.
A rule with the non-terminating action Count is inspected along with a terminating rule action such as Allow or Block: AWS WAF logs include these requests in logs filtered by the Count action.
The action for a rule in a rule group is set to Override to Count: For these requests, the AWS WAF log contains a Count action in the nonTerminatingMatchingRules field. AWS WAF log filters check this field, so the request is matched by a log filter on the Count action.
Note: EXCLUDED_AS_COUNT is a valid action type for log filtering. Run the put-logging-configuration command to configure this action.
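The following added example (not code from AWS or from this article) builds the put-logging-configuration input described in the AWS CLI procedure above, with a redacted Authorization header and a filter that keeps only Block and Count entries, and then models how such a filter evaluates log entries according to the Count rules above. The ARNs and the log entries are constructed placeholders, and the evaluation is a simplified model of the AWS behaviour (first matching filter wins), not the service's own implementation.

```python
# Constructed placeholder ARNs, not real AWS identifiers.
WEB_ACL_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example-acl/PLACEHOLDER-ID"
LOG_DEST_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:aws-waf-logs-example"

def build_logging_config():
    """Input for `aws wafv2 put-logging-configuration --cli-input-json`:
    redact the Authorization header, drop everything by default, and
    keep only entries whose visible action is BLOCK or COUNT."""
    return {
        "ResourceArn": WEB_ACL_ARN,
        "LogDestinationConfigs": [LOG_DEST_ARN],
        "RedactedFields": [{"SingleHeader": {"Name": "authorization"}}],
        "LoggingFilter": {"DefaultBehavior": "DROP", "Filters": [{
            "Behavior": "KEEP", "Requirement": "MEETS_ANY",
            "Conditions": [{"ActionCondition": {"Action": "BLOCK"}},
                           {"ActionCondition": {"Action": "COUNT"}}]}]},
    }

def visible_actions(entry):
    """Actions a log filter can match, per the rules above: the terminating
    action, COUNT under nonTerminatingMatchingRules, and EXCLUDED_AS_COUNT
    for rules under excludedRules (a plain COUNT filter does not see those)."""
    actions = {entry["action"]}
    actions.update(r["action"] for r in entry.get("nonTerminatingMatchingRules", []))
    if entry.get("excludedRules"):
        actions.add("EXCLUDED_AS_COUNT")
    return actions

def condition_matches(cond, entry):
    if "ActionCondition" in cond:
        return cond["ActionCondition"]["Action"] in visible_actions(entry)
    return cond["LabelNameCondition"]["LabelName"] in {l["name"] for l in entry.get("labels", [])}

def filter_decision(logging_filter, entry):
    """'KEEP' or 'DROP' for one entry (simplified model: first matching filter wins)."""
    for flt in logging_filter["Filters"]:
        results = [condition_matches(c, entry) for c in flt["Conditions"]]
        if (all(results) if flt["Requirement"] == "MEETS_ALL" else any(results)):
            return flt["Behavior"]
    return logging_filter["DefaultBehavior"]

# Constructed, simplified log entries (real entries carry many more fields).
ENTRIES = [
    {"action": "BLOCK", "terminatingRuleId": "rate-limit"},                       # kept: terminating BLOCK
    {"action": "ALLOW", "nonTerminatingMatchingRules": [{"ruleId": "sqli", "action": "COUNT"}]},  # kept: Override to Count
    {"action": "ALLOW", "excludedRules": [{"ruleId": "xss", "exclusionType": "EXCLUDED_AS_COUNT"}]},  # dropped: not COUNT
    {"action": "ALLOW"},                                                         # dropped: default behavior
]
```

Serialize `build_logging_config()` with `json.dumps` to produce the waf.json file used by the put-logging-configuration command; add `{"ActionCondition": {"Action": "EXCLUDED_AS_COUNT"}}` to the conditions if you also want entries from rules that were excluded as Count.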