
Collect Logs for AWS Network Firewall

This page has instructions for collecting logs for the Sumo Logic App for AWS Network Firewall.

Before you begin

Before you begin, you must enable logging from AWS Network Firewall to an Amazon S3 bucket, as described in the AWS Network Firewall documentation.

Enable S3 Ingestion

Follow the steps to create an AWS S3 Source.

The following is an example of a path expression that supports ingesting alerts.

(Screenshot: Ingesting_Alerts.png, showing the S3 source path expression used to ingest alerts)

Sample Log Messages

This section provides an example of AWS Network Firewall Alert and Netflow log messages.

AWS Network Firewall Alert log

{
  "firewall_name": "example-firewall",
  "availability_zone": "us-west-1b",
  "event_timestamp": "1604597216",
  "event": {
    "timestamp": "2020-11-05T17:26:56.075365+0000",
    "flow_id": 1552126922778600,
    "event_type": "alert",
    "src_ip": "10.0.0.227",
    "src_port": 55188,
    "dest_ip": "13.227.75.102",
    "dest_port": 80,
    "proto": "TCP",
    "tx_id": 0,
    "alert": {
      "action": "allowed",
      "signature_id": 5,
      "rev": 0,
      "signature": "Malicious User Agent",
      "category": "",
      "severity": 1
    },
    "http": {
      "hostname": "www.somehackerurl.com",
      "url": "/",
      "http_user_agent": "hacker-tool-user-agent",
      "http_method": "GET",
      "protocol": "HTTP/1.1",
      "length": 0
    },
    "app_proto": "http"
  }
}

AWS Network Firewall Netflow log

{
  "firewall_name": "example-firewall",
  "availability_zone": "us-west-1b",
  "event_timestamp": "1604598416",
  "event": {
    "timestamp": "2020-11-05T17:46:56.003583+0000",
    "flow_id": 554650891867171,
    "event_type": "netflow",
    "src_ip": "209.115.181.113",
    "src_port": 123,
    "dest_ip": "10.0.0.227",
    "dest_port": 60642,
    "proto": "UDP",
    "app_proto": "ntp",
    "netflow": {
      "pkts": 1,
      "bytes": 90,
      "start": "2020-11-05T17:41:54.611363+0000",
      "end": "2020-11-05T17:41:54.675362+0000",
      "age": 0,
      "min_ttl": 43,
      "max_ttl": 238
    }
  }
}

Query Example

This section provides the sample query behind the Traffic By Application panel on the AWS Network Firewall - Netflow Overview dashboard.

_sourceCategory=aws/vanta/*
| json "firewall_name", "availability_zone", "event" nodrop
| json field=event "event_type", "src_ip", "src_port", "dest_ip", "dest_port", "proto", "app_proto", "netflow" nodrop
| json field=netflow "bytes", "pkts" nodrop
| where event_type="netflow"
| timeslice 15m
| count _timeslice, app_proto
| transpose row _timeslice column app_proto
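As an added example (not code from the Sumo Logic page or app), the following Python parser reads constructed log lines in the two shapes shown in Sample Log Messages, reproduces the query above offline (netflow event count per 15-minute timeslice and app_proto, skipping unparsable lines the way nodrop keeps the query going), and pulls the responder-relevant fields out of alert events. The sample lines, the _record helper and the function names are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

def _record(ts, event):
    """Constructed sample line in the envelope the page's samples show (not real firewall output)."""
    return json.dumps({"firewall_name": "example-firewall", "availability_zone": "us-west-1b",
                       "event_timestamp": str(ts), "event": event})

SAMPLE_LOG_LINES = [
    _record(1604598416, {"event_type": "netflow", "src_ip": "209.115.181.113", "dest_ip": "10.0.0.227",
                         "proto": "UDP", "app_proto": "ntp", "netflow": {"pkts": 1, "bytes": 90}}),
    _record(1604598500, {"event_type": "netflow", "src_ip": "10.0.0.227", "dest_ip": "13.227.75.102",
                         "proto": "TCP", "app_proto": "http", "netflow": {"pkts": 12, "bytes": 2048}}),
    _record(1604599300, {"event_type": "netflow", "src_ip": "10.0.0.227", "dest_ip": "13.227.75.102",
                         "proto": "TCP", "app_proto": "http", "netflow": {"pkts": 3, "bytes": 300}}),
    _record(1604597216, {"event_type": "alert", "src_ip": "10.0.0.227", "dest_ip": "13.227.75.102",
                         "proto": "TCP", "app_proto": "http", "alert": {"action": "allowed", "signature_id": 5,
                         "severity": 1, "signature": "Malicious User Agent"},
                         "http": {"hostname": "www.somehackerurl.com", "http_user_agent": "hacker-tool-user-agent"}}),
    "not json at all",  # corrupt line: parsing must skip it, as the query's nodrop keeps going
]

def parse_events(lines):
    """Yield (record, event) pairs, skipping lines that are not valid JSON."""
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        yield record, record.get("event") or {}

def timeslice(epoch_str, minutes=15):
    """Floor a string epoch (the event_timestamp field) to its N-minute bucket, UTC."""
    epoch = int(epoch_str)
    return datetime.fromtimestamp(epoch - epoch % (minutes * 60), tz=timezone.utc).strftime("%Y-%m-%dT%H:%MZ")

def traffic_by_application(lines, minutes=15):
    """Same shape as the dashboard query: netflow event count per timeslice and app_proto."""
    table = defaultdict(lambda: defaultdict(int))
    for record, event in parse_events(lines):
        if event.get("event_type") == "netflow":
            table[timeslice(record["event_timestamp"], minutes)][event.get("app_proto", "unknown")] += 1
    return {slot: dict(apps) for slot, apps in table.items()}

def alert_summaries(lines):
    """Fields a responder wants from alert events: endpoints, action, signature, HTTP hostname."""
    return [{"src": e.get("src_ip"), "dest": e.get("dest_ip"), "action": e["alert"].get("action"),
             "signature": e["alert"].get("signature"), "hostname": e.get("http", {}).get("hostname")}
            for _, e in parse_events(lines) if e.get("event_type") == "alert"]
```

Running traffic_by_application(SAMPLE_LOG_LINES) gives two 15-minute slots, 17:45 (ntp 1, http 1) and 18:00 (http 1), which is the table the query's transpose step turns into one column per app_proto.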