
Collect Logs for AWS Network Firewall

This page provides instructions for collecting logs for the Sumo Logic App for AWS Network Firewall.

Collection Process Overview

Configuring log collection consists of the following tasks:

1. Enable AWS Network Firewall logging to S3
2. Enable S3 Ingestion

Step 1: Enable AWS Network Firewall logging to S3

Configure the export of logs from AWS Network Firewall to an Amazon S3 bucket as described in the AWS documentation.

Step 2: Enable S3 Ingestion

Follow the steps to create an AWS S3 Source. The path expression you enter for the Source must match the bucket prefix and log type (alert or flow) that you configured for the firewall's S3 logging destination in Step 1.

The following is an example of a path expression that supports ingesting alerts.

[Image: Ingesting_Alerts.png, example path expression for alert logs]

Sample Log Messages

This section provides examples of AWS Network Firewall alert and netflow log messages.

AWS Network Firewall Alert log

{
  "firewall_name": "example-firewall",
  "availability_zone": "us-west-1b",
  "event_timestamp": "1604597216",
  "event": {
    "timestamp": "2020-11-05T17:26:56.075365+0000",
    "flow_id": 1552126922778600,
    "event_type": "alert",
    "src_ip": "10.0.0.227",
    "src_port": 55188,
    "dest_ip": "13.227.75.102",
    "dest_port": 80,
    "proto": "TCP",
    "tx_id": 0,
    "alert": {
      "action": "allowed",
      "signature_id": 5,
      "rev": 0,
      "signature": "Malicious User Agent",
      "category": "",
      "severity": 1
    },
    "http": {
      "hostname": "www.somehackerurl.com",
      "url": "/",
      "http_user_agent": "hacker-tool-user-agent",
      "http_method": "GET",
      "protocol": "HTTP/1.1",
      "length": 0
    },
    "app_proto": "http"
  }
}

AWS Network Firewall Netflow log

{
    "firewall_name": "example-firewall",
    "availability_zone": "us-west-1b",
    "event_timestamp": "1604598416",
    "event": {
        "timestamp": "2020-11-05T17:46:56.003583+0000",
        "flow_id": 554650891867171,
        "event_type": "netflow",
        "src_ip": "209.115.181.113",
        "src_port": 123,
        "dest_ip": "10.0.0.227",
        "dest_port": 60642,
        "proto": "UDP",
        "app_proto": "ntp",
        "netflow": {
            "pkts": 1,
            "bytes": 90,
            "start": "2020-11-05T17:41:54.611363+0000",
            "end": "2020-11-05T17:41:54.675362+0000",
            "age": 0,
            "min_ttl": 43,
            "max_ttl": 238
        }
    }
}

Query Example

This section provides a sample from the Traffic By Application panel on the AWS Network Firewall - Netflow Overview dashboard.

_sourceCategory=aws/vanta/*
| json "firewall_name", "availability_zone", "event" nodrop
| json field=event "event_type", "src_ip", "src_port", "dest_ip", "dest_port", "proto", "app_proto", "netflow" nodrop
| json field=netflow "bytes", "pkts" nodrop
| where event_type="netflow"
| timeslice 15m
| count by _timeslice, app_proto
| transpose row _timeslice column app_proto
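To make the structure of the alert and netflow records above concrete, and to show what the Traffic By Application query computes, here is an added Python example (not Sumo Logic's code or part of the app). It assumes the records arrive from S3 as JSON lines, parses them, discards malformed lines, filters to `event_type="netflow"`, and buckets events per `app_proto` into 15-minute timeslices as the query does; it goes one step beyond the query by also summing the `netflow.bytes` the query extracts but does not use, and it flattens alert records into the fields an analyst checks first. All input records are constructed for this example and the helper names are my own.

```python
"""Parse AWS Network Firewall alert/netflow JSON lines and aggregate netflow
traffic by app_proto per timeslice, mirroring the Traffic By Application query."""
import json
from collections import defaultdict
from datetime import datetime

# Timestamp format of the "event.timestamp" field in the sample logs above.
EVENT_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def _netflow_line(ts, src, dst, dport, proto, app, pkts, nbytes):
    """Build one constructed netflow record shaped like the sample above (helper, not from the app)."""
    return json.dumps({
        "firewall_name": "example-firewall",
        "availability_zone": "us-west-1b",
        "event": {
            "timestamp": ts, "event_type": "netflow",
            "src_ip": src, "src_port": 40000, "dest_ip": dst, "dest_port": dport,
            "proto": proto, "app_proto": app,
            "netflow": {"pkts": pkts, "bytes": nbytes},
        },
    })


# Constructed sample input: one alert (shaped like the sample above), three netflow
# records, one JSON line without an "event" object, and one line that is not JSON.
SAMPLE_LINES = [
    json.dumps({
        "firewall_name": "example-firewall",
        "availability_zone": "us-west-1b",
        "event": {
            "timestamp": "2020-11-05T17:26:56.075365+0000", "event_type": "alert",
            "src_ip": "10.0.0.227", "src_port": 55188,
            "dest_ip": "13.227.75.102", "dest_port": 80, "proto": "TCP",
            "alert": {"action": "allowed", "signature_id": 5, "rev": 0,
                      "signature": "Malicious User Agent", "category": "", "severity": 1},
            "http": {"hostname": "www.somehackerurl.com", "url": "/",
                     "http_user_agent": "hacker-tool-user-agent", "http_method": "GET"},
            "app_proto": "http",
        },
    }),
    _netflow_line("2020-11-05T17:46:56.003583+0000", "209.115.181.113", "10.0.0.227", 60642, "UDP", "ntp", 1, 90),
    _netflow_line("2020-11-05T17:50:00.000000+0000", "10.0.0.227", "13.227.75.102", 80, "TCP", "http", 12, 1500),
    _netflow_line("2020-11-05T18:01:00.000000+0000", "209.115.181.113", "10.0.0.227", 60642, "UDP", "ntp", 1, 48),
    '{"firewall_name": "example-firewall"}',
    "this line is not JSON",
]


def parse_records(lines):
    """Parse JSON lines; skip anything that is not valid JSON or lacks an 'event' object."""
    records = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and isinstance(obj.get("event"), dict):
            records.append(obj)
    return records


def timeslice(ts, minutes=15):
    """Floor an event timestamp to the start of its N-minute slice (ISO 8601 string)."""
    dt = datetime.strptime(ts, EVENT_TS_FORMAT)
    return dt.replace(minute=dt.minute - dt.minute % minutes, second=0, microsecond=0).isoformat()


def traffic_by_app(records, minutes=15):
    """Per timeslice and app_proto: number of netflow events (what the query counts)
    plus summed netflow bytes (added here; the query extracts but does not use them)."""
    table = defaultdict(lambda: defaultdict(lambda: {"events": 0, "bytes": 0}))
    for rec in records:
        ev = rec["event"]
        if ev.get("event_type") != "netflow":  # same filter as `where event_type="netflow"`
            continue
        cell = table[timeslice(ev["timestamp"], minutes)][ev.get("app_proto", "unknown")]
        cell["events"] += 1
        cell["bytes"] += int(ev.get("netflow", {}).get("bytes", 0))
    return {slot: dict(apps) for slot, apps in table.items()}


def summarize_alerts(records):
    """Flatten alert records into the fields an analyst triages first."""
    rows = []
    for rec in records:
        ev = rec["event"]
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        rows.append({
            "signature": alert.get("signature"), "action": alert.get("action"),
            "severity": alert.get("severity"),
            "src": f"{ev.get('src_ip')}:{ev.get('src_port')}",
            "dest": f"{ev.get('dest_ip')}:{ev.get('dest_port')}",
            "hostname": ev.get("http", {}).get("hostname"),
        })
    return rows


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LINES)
    for slot, apps in sorted(traffic_by_app(recs).items()):
        print(slot, apps)
    for row in summarize_alerts(recs):
        print(row)
```

Note that an alert with `action: allowed` still counts as a signature match: the rule fired but the traffic passed, so alert records need to be reviewed independently of whether anything was dropped.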