Sumo Logic

Collect Logs for AWS WAF

Configure collection of logs for the AWS Web Application Firewall (WAF) App.

This page has instructions for collecting logs for the AWS WAF App.

Configure streaming of AWS WAF logs to S3

In this step, you set up AWS WAF to send log data to an S3 bucket using a Kinesis Data Firehose. In the next step, you'll configure Sumo to collect logs from the bucket.

  1. Enable WAF logging to a Kinesis Stream, as described in AWS help.
  2. Configure an AWS S3 bucket as the destination of the Kinesis Stream, as described in Amazon Kinesis Data Firehose Data Delivery in AWS help.

Configure a Sumo collector and source to receive AWS WAF logs

  1. Configure a Hosted Collector.
  2. To your Hosted Collector, add an AWS S3 Source.
    1. Name. Enter a name to display for the new Source.
    2. Description. Enter an optional description.
    3. S3 Region. Select the Amazon Region for your S3 bucket.
    4. Bucket Name. Enter the exact name of your S3 bucket.
    5. Path Expression. Enter the string that matches the S3 objects you'd like to collect. You can use a wildcard (*) in this string. (DO NOT use a leading forward slash. See Amazon Path Expressions.) The S3 bucket name is not part of the path. Don’t include the bucket name when you are setting the Path Expression.
    6. Source Category. Enter a source category. For example, AWS/WAF.
    7. Access Method. Select the appropriate AWS access control mechanism.
    8. Scan Interval. Use the default of Automatic, or select a scan interval from the pulldown. 
    9. Enable Timestamp Parsing. Select the checkbox.
    10. Time Zone. Click Ignore time zone from log file and instead use, and select "UTC" from the list of time zones.
    11. Timestamp Format. Click Automatically detect the format.
    12. Enable Multiline Processing. Click the checkbox, and select Infer Boundaries.
    13. Click Save.

Sample Log Message

{"webaclId":"360cb717-5a9f-4f2f-ac64-09ab912af591","terminatingRuleId":"1809ecc9-81fd-4dff-99e7-a27421213155","terminatingRuleType":"REGULAR","action":"BLOCK","httpSourceName":"CF","httpSourceId":"i-123","ruleGroupList":[],"rateBasedRuleList":[],"matchingNonTerminatingRules":[],"httpRequest":{"clientIp":"125.5.11.56","country":"US","headers":[{"name":"Host","value":"127.0.0.1:1989"},{"name":"User-Agent","value":"curl/7.53.1"},{"name":"Accept","value":"*/*"}],"uri":"/Lists/b/ref=sva_videos_2?ie=UTF   ","args":"name=10; DROP TABLE members","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"distribution_id"},"formatVersion":1,"timestamp":1535493873231}

Query sample 

Client IP Threat Info

_sourceCategory=AWS/WAF {{client_ip}}
| parse "\"httpMethod\":\"*\"," as httpMethod,"\"httpVersion\":\"*\"," as httpVersion,"\"uri\":\"*\"," as uri, "{\"clientIp\":\"*\",\"country\":\"*\"" as clientIp,country, "\"action\":\"*\"" as action, "\"matchingNonTerminatingRules\":[*]" as matchingNonTerminatingRules, "\"rateBasedRuleList\":[*]" as rateBasedRuleList, "\"ruleGroupList\":[*]" as ruleGroupList, "\"httpSourceId\":\"*\"" as httpSourceId, "\"httpSourceName\":\"*\"" as httpSourceName, "\"terminatingRuleType\":\"*\"" as terminatingRuleType, "\"terminatingRuleId\":\"*\"" as terminatingRuleId, "\"webaclId\":\"*\"" as webaclId nodrop
| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=clientip
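
Before pointing the Source at the bucket, it can help to confirm that delivered objects contain the fields the query above parses. The following Python is an added example, not part of Sumo Logic's documentation: it reads text holding one or more WAF records (newline-separated or written back to back), extracts the queried fields, and reports records that lack any of them. The function names and the second and third sample records are constructed for illustration.

```python
import json
from collections import Counter

# Fields the page's parse expression extracts from each record.
TOP_LEVEL = ("webaclId", "terminatingRuleId", "terminatingRuleType",
             "action", "httpSourceName", "httpSourceId")
REQUEST = ("clientIp", "country", "uri", "httpMethod", "httpVersion")

def iter_records(blob):
    """Yield JSON objects from text holding one or more records, whether
    newline-separated or written back to back with no delimiter."""
    decoder = json.JSONDecoder()
    pos = 0
    while pos < len(blob):
        if blob[pos].isspace():          # skip separators between records
            pos += 1
            continue
        record, pos = decoder.raw_decode(blob, pos)
        yield record

def extract(record):
    """Flatten one record to the queried fields; absent fields become None."""
    request = record.get("httpRequest") or {}
    row = {name: record.get(name) for name in TOP_LEVEL}
    row.update({name: request.get(name) for name in REQUEST})
    return row

def summarize(blob):
    """Count records, actions, blocked client IPs and incomplete records."""
    rows = [extract(r) for r in iter_records(blob)]
    blocked = Counter(r["clientIp"] for r in rows
                      if r["action"] == "BLOCK" and r["clientIp"])
    return {"records": len(rows),
            "actions": dict(Counter(r["action"] for r in rows)),
            "blocked_ips": dict(blocked),
            "incomplete": sum(1 for r in rows if None in r.values())}

# Constructed sample input: the page's record (headers omitted), a made-up
# ALLOW record from a documentation-range IP, and a made-up partial record.
_PAGE = {"webaclId": "360cb717-5a9f-4f2f-ac64-09ab912af591",
         "terminatingRuleId": "1809ecc9-81fd-4dff-99e7-a27421213155",
         "terminatingRuleType": "REGULAR", "action": "BLOCK",
         "httpSourceName": "CF", "httpSourceId": "i-123",
         "httpRequest": {"clientIp": "125.5.11.56", "country": "US",
                         "uri": "/Lists/b/ref=sva_videos_2?ie=UTF   ",
                         "args": "name=10; DROP TABLE members",
                         "httpVersion": "HTTP/1.1", "httpMethod": "GET"},
         "timestamp": 1535493873231}
_ALLOW = dict(_PAGE, action="ALLOW",
              httpRequest=dict(_PAGE["httpRequest"], clientIp="203.0.113.7"))
_PARTIAL = {"action": "BLOCK", "timestamp": 1535493873999}
SAMPLE = json.dumps(_PAGE) + json.dumps(_ALLOW) + "\n" + json.dumps(_PARTIAL) + "\n"
```

A non-zero `incomplete` count corresponds to messages for which the query's `nodrop` parse would leave some fields empty.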