Collect Logs for AWS Network Firewall
This page provides instructions for collecting logs for the Sumo Logic App for AWS Network Firewall.
Before you begin
Before you begin you must:
- Enable logging from the AWS Network Firewall to an Amazon S3 bucket as described in the AWS Network Firewall documentation.
- Confirm that logs are being delivered to the S3 bucket.
- Grant Sumo Logic access to the AWS S3 bucket.
Enable S3 Ingestion
Follow the steps to create an AWS S3 Source.
The following is an example of a path expression that supports ingesting alerts.
Sample Log Messages
This section provides examples of AWS Network Firewall Alert and Netflow log messages.
AWS Network Firewall Alert log
```json
{
  "firewall_name": "example-firewall",
  "availability_zone": "us-west-1b",
  "event_timestamp": "1604597216",
  "event": {
    "timestamp": "2020-11-05T17:26:56.075365+0000",
    "flow_id": 1552126922778600,
    "event_type": "alert",
    "src_ip": "10.0.0.227",
    "src_port": 55188,
    "dest_ip": "13.227.75.102",
    "dest_port": 80,
    "proto": "TCP",
    "tx_id": 0,
    "alert": {
      "action": "allowed",
      "signature_id": 5,
      "rev": 0,
      "signature": "Malicious User Agent",
      "category": "",
      "severity": 1
    },
    "http": {
      "hostname": "www.somehackerurl.com",
      "url": "/",
      "http_user_agent": "hacker-tool-user-agent",
      "http_method": "GET",
      "protocol": "HTTP/1.1",
      "length": 0
    },
    "app_proto": "http"
  }
}
```
AWS Network Firewall Netflow log
```json
{
  "firewall_name": "example-firewall",
  "availability_zone": "us-west-1b",
  "event_timestamp": "1604598416",
  "event": {
    "timestamp": "2020-11-05T17:46:56.003583+0000",
    "flow_id": 554650891867171,
    "event_type": "netflow",
    "src_ip": "209.115.181.113",
    "src_port": 123,
    "dest_ip": "10.0.0.227",
    "dest_port": 60642,
    "proto": "UDP",
    "app_proto": "ntp",
    "netflow": {
      "pkts": 1,
      "bytes": 90,
      "start": "2020-11-05T17:41:54.611363+0000",
      "end": "2020-11-05T17:41:54.675362+0000",
      "age": 0,
      "min_ttl": 43,
      "max_ttl": 238
    }
  }
}
```
Query Example
This section provides a sample from the Traffic By Application panel on the AWS Network Firewall - Netflow Overview dashboard.
```
_sourceCategory=aws/vanta/*
| json "firewall_name", "availability_zone", "event" nodrop
| json field=event "event_type", "src_ip", "src_port", "dest_ip", "dest_port", "proto", "app_proto", "netflow" nodrop
| json field=netflow "bytes", "pkts" nodrop
| where event_type="netflow"
| timeslice 15m
| count _timeslice, app_proto
| transpose row _timeslice column app_proto
```
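To make the shape of these records and the intent of the query concrete, here is an added Python example (not Sumo Logic's or AWS's code) that performs the same extraction offline: it parses lines like the two samples above, drops nothing on missing keys (the `nodrop` behaviour), keeps only `netflow` events, buckets them into 15-minute slices, and counts flows per `app_proto`, while a second function pulls the triage fields from `alert` events. The sample lines are constructed from the page's samples with altered values, the bucketing uses the record's `event_timestamp` (epoch seconds) rather than Sumo's `_messagetime`, and the per-slice byte total is an addition beyond what the query computes.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines modelled on the alert and netflow messages
# shown on this page (values shortened or altered; not real traffic).
_SAMPLE_EVENTS = [
    {"firewall_name": "example-firewall", "availability_zone": "us-west-1b",
     "event_timestamp": "1604597216",
     "event": {"event_type": "alert", "src_ip": "10.0.0.227", "src_port": 55188,
               "dest_ip": "13.227.75.102", "dest_port": 80, "proto": "TCP",
               "alert": {"action": "allowed", "signature_id": 5,
                         "signature": "Malicious User Agent", "severity": 1},
               "http": {"hostname": "www.somehackerurl.com", "url": "/",
                        "http_user_agent": "hacker-tool-user-agent"},
               "app_proto": "http"}},
    {"firewall_name": "example-firewall", "availability_zone": "us-west-1b",
     "event_timestamp": "1604598416",
     "event": {"event_type": "netflow", "src_ip": "209.115.181.113", "src_port": 123,
               "dest_ip": "10.0.0.227", "dest_port": 60642, "proto": "UDP",
               "app_proto": "ntp", "netflow": {"pkts": 1, "bytes": 90}}},
    {"firewall_name": "example-firewall", "availability_zone": "us-west-1b",
     "event_timestamp": "1604598500",
     "event": {"event_type": "netflow", "src_ip": "10.0.0.227", "src_port": 51000,
               "dest_ip": "13.227.75.102", "dest_port": 80, "proto": "TCP",
               "app_proto": "http", "netflow": {"pkts": 12, "bytes": 1500}}},
    {"firewall_name": "example-firewall", "availability_zone": "us-west-1b",
     "event_timestamp": "1604599300",
     "event": {"event_type": "netflow", "src_ip": "10.0.0.227", "src_port": 51001,
               "dest_ip": "13.227.75.102", "dest_port": 80, "proto": "TCP",
               "app_proto": "http", "netflow": {"pkts": 30, "bytes": 4200}}},
]
SAMPLE_LOGS = [json.dumps(e) for e in _SAMPLE_EVENTS]
# A truncated line (constructed): it must be skipped, not abort the batch.
SAMPLE_LOGS.append('{"firewall_name": "example-firewall", "event": {"event_type": "netflow"')


def parse_record(line):
    """Flatten one log line the way the query's nested json extractions do.
    Missing keys become None (the `nodrop` behaviour); an unparseable line
    returns None so one bad record never stops processing."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    event = rec.get("event") or {}
    netflow = event.get("netflow") or {}
    return {
        "firewall_name": rec.get("firewall_name"),
        "availability_zone": rec.get("availability_zone"),
        # event_timestamp is epoch seconds carried as a string (assumption from the samples)
        "event_timestamp": int(rec.get("event_timestamp", 0)),
        "event_type": event.get("event_type"),
        "src_ip": event.get("src_ip"), "src_port": event.get("src_port"),
        "dest_ip": event.get("dest_ip"), "dest_port": event.get("dest_port"),
        "proto": event.get("proto"), "app_proto": event.get("app_proto"),
        "bytes": netflow.get("bytes"), "pkts": netflow.get("pkts"),
        "alert": event.get("alert"), "http": event.get("http"),
    }


def traffic_by_application(lines, slice_seconds=900):
    """Offline equivalent of the Traffic By Application query: keep netflow
    events, bucket by 15-minute slice, count flows (and sum bytes) per app_proto.
    Returns {slice_start_epoch: {app_proto: {"flows": n, "bytes": b}}}."""
    table = defaultdict(lambda: defaultdict(lambda: {"flows": 0, "bytes": 0}))
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["event_type"] != "netflow":
            continue
        bucket = (rec["event_timestamp"] // slice_seconds) * slice_seconds
        cell = table[bucket][rec["app_proto"] or "unknown"]
        cell["flows"] += 1
        cell["bytes"] += rec["bytes"] or 0
    return {b: dict(apps) for b, apps in table.items()}


def alert_summaries(lines):
    """Collect the fields an analyst looks at first from alert events."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["event_type"] != "alert":
            continue
        alert, http = rec["alert"] or {}, rec["http"] or {}
        out.append({
            "time": datetime.fromtimestamp(rec["event_timestamp"], tz=timezone.utc).isoformat(),
            "action": alert.get("action"), "signature": alert.get("signature"),
            "severity": alert.get("severity"),
            "src": f'{rec["src_ip"]}:{rec["src_port"]}',
            "dest": f'{rec["dest_ip"]}:{rec["dest_port"]}',
            "hostname": http.get("hostname"), "user_agent": http.get("http_user_agent"),
        })
    return out


if __name__ == "__main__":
    for bucket, apps in sorted(traffic_by_application(SAMPLE_LOGS).items()):
        print(datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(), apps)
    for summary in alert_summaries(SAMPLE_LOGS):
        print(summary)
```

Running the block prints one row per 15-minute slice with the per-application flow and byte counts, the same table the dashboard panel renders, followed by the single alert record. The `where event_type="netflow"` filter matters because alert records carry no `netflow` object, so without it their `bytes` and `pkts` would be null and the alert itself would still be counted as a flow.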