aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0

The Waf log to ELK #205

Closed kklam201 closed 2 years ago

kklam201 commented 2 years ago

Can I set the WAF automations log to ELK for a weekly security report? We want to know what was blocked, by which rule, from which IP, to which host.

aijunpeng commented 2 years ago

Thanks for the question. Here is a blog post about how to analyze WAF logs using Elasticsearch: https://aws.amazon.com/blogs/security/how-to-analyze-aws-waf-logs-using-amazon-elasticsearch-service/. You can also build a custom dashboard to view WAF CloudWatch metrics: https://docs.aws.amazon.com/solutions/latest/aws-waf3-security-automations/appendix-e.html

kklam201 commented 2 years ago

Hi aijunpeng, I use aws-waf-security-automations, which uses an Amazon Kinesis Data Firehose delivery stream to that S3 bucket.

If I build a custom log to Elasticsearch, will it influence other aws-waf-security-automations functions (e.g. the Lambda log parser)?

aijunpeng commented 2 years ago

The aws-waf-security-automations solution processes the WAF logs stored in that S3 bucket, therefore you shouldn't change it. Instead, you can use a Lambda to load logs from S3 to ES. Your Lambda can be triggered when a WAF log file is inserted into S3.
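The S3-to-ES path described in this answer, as an added example that is not part of the issue thread or the solution's own code: it parses one Firehose-delivered WAF log object (gzip or plain newline-delimited JSON, field names from the documented WAF log schema), flattens each record into the rule / client IP / Host view the question asks for, builds an Elasticsearch `_bulk` body, and tallies BLOCK decisions for the weekly report. The sample records and the index name `waf-logs` are constructed; fetching the object from S3 and signing the request to the ES domain are left to the Lambda wrapper.

```python
import gzip
import json
from collections import Counter

# Constructed sample of three WAF log lines as Firehose writes them (NDJSON); values are made up.
SAMPLE_LOG = b"\n".join(json.dumps(r).encode() for r in [
    {"timestamp": 1600000000000, "action": "BLOCK", "terminatingRuleId": "SqlInjectionRule",
     "httpRequest": {"clientIp": "203.0.113.10", "uri": "/login",
                     "headers": [{"name": "Host", "value": "app.example.com"}]}},
    {"timestamp": 1600000001000, "action": "ALLOW", "terminatingRuleId": "Default_Action",
     "httpRequest": {"clientIp": "198.51.100.7", "uri": "/",
                     "headers": [{"name": "host", "value": "app.example.com"}]}},
    {"timestamp": 1600000002000, "action": "BLOCK", "terminatingRuleId": "SqlInjectionRule",
     "httpRequest": {"clientIp": "203.0.113.10", "uri": "/search",
                     "headers": [{"name": "Host", "value": "app.example.com"}]}},
]) + b"\n"
SAMPLE_LOG_GZ = gzip.compress(SAMPLE_LOG)  # the same object as Firehose delivers it with GZIP compression


def _host_of(request):
    """Return the Host header of a WAF httpRequest object; header names are case-insensitive."""
    for header in request.get("headers", []):
        if header.get("name", "").lower() == "host":
            return header.get("value", "")
    return ""


def parse_waf_records(raw):
    """Flatten one S3 log object (gzip or plain NDJSON) into report-friendly documents."""
    data = gzip.decompress(raw) if raw[:2] == b"\x1f\x8b" else raw  # sniff the gzip magic bytes
    docs = []
    for line in data.decode("utf-8").splitlines():
        if not line.strip():
            continue  # Firehose objects may end with a blank line
        rec = json.loads(line)
        req = rec.get("httpRequest", {})
        docs.append({"timestamp": rec.get("timestamp"), "action": rec.get("action"),
                     "rule": rec.get("terminatingRuleId"), "client_ip": req.get("clientIp"),
                     "host": _host_of(req), "uri": req.get("uri")})
    return docs


def to_bulk_body(docs, index):
    """Build the NDJSON payload for the Elasticsearch _bulk API: one action line per document line."""
    return "".join(json.dumps({"index": {"_index": index}}) + "\n" + json.dumps(d) + "\n" for d in docs)


def summarize_blocks(docs):
    """Count BLOCK decisions per (rule, client IP, host): the rows of the weekly report."""
    return Counter((d["rule"], d["client_ip"], d["host"]) for d in docs if d["action"] == "BLOCK")
```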