Open sbe-arg opened 6 months ago
Thank you for the suggestion. Currently querying CloudWatch logs is not in the scope of the solution as the main purpose of the log analysis feature is to automate detection and blocking of malicious IPs via a built-in Lambda or Athena log parser against logs in S3, instead of providing a way to query logs. If I missed anything, feel free to provide details and how you want to customize the solution for your use case.
@aijunpeng I'm referring to this setting AWS::WAFv2::WebACLLoggingConfiguration
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-loggingconfiguration.html which is a critical part of ACL setups
What do you want to do with CW logs? Run custom queries against them?
Debug ACL blocks in an easier way than Athena queries
I would need more details about debugging acl blocks in an easier way. Currently in the WAF solution, Athena queries are already implemented and customers don't need to write their own queries.
I forgot about this issue until I had to set this up again for another client. Also, as of 4.0.3 there is no way to set the redacted fields for S3 logs, leading to drift.
It needs to support more log sources, not just S3; at least CloudWatch, with a desired log-group expiration for compliance, or passing the log-group name at setup time. If the log group is created by the toolset, default to X days expiration and allow overriding it with another INT value.
Firehose is very flow-specific and can probably be left out.
My client uses CloudWatch Logs Insights to query the WAF logs quickly.
Thank you for providing more information. I understand you want to add CloudWatch log group as a log source. We can add your request to our backlog for evaluation. Meanwhile I'd like to clarify a couple of things:
Yes, CloudWatch as an option for log source.
It would be great to have a way to set up the traffic log destination to be CloudWatch or Kinesis, as currently only the S3 destination is supported. It is okay, but it is not always the intended source; especially for quick testing of WAF ACLs, it is easier to query logs on CloudWatch than Athena.
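For readers who need the CloudWatch Logs destination today, outside the solution's own templates, the following is an added CloudFormation example (not code from this repository or from either commenter) showing what the thread asks for: a CloudWatch log group with a configurable retention period as the `AWS::WAFv2::WebACLLoggingConfiguration` destination, redacted fields set on the same resource so they cannot drift from the log sink, and a logging filter that keeps only blocked requests, which is the debugging case raised above. The parameter names (`WebAclArn`, `LogRetentionDays`), the 90-day default, the log-group name built from the stack name and the choice of `authorization` and `cookie` as redacted headers are assumptions for the example; the `aws-waf-logs-` name prefix is an AWS requirement for WAF log groups.

```yaml
# Added example: WAFv2 web ACL logging to a CloudWatch log group with
# retention, redacted fields and a BLOCK-only logging filter.
# Not part of the AWS WAF Security Automations solution.
AWSTemplateFormatVersion: "2010-09-09"
Description: WAFv2 logging to CloudWatch Logs with retention and redaction (example)

Parameters:
  WebAclArn:
    Type: String
    Description: ARN of the existing WAFv2 web ACL to log (assumed to exist)
  LogRetentionDays:
    Type: Number
    Default: 90          # assumed default; override at deploy time for compliance
    AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
    Description: CloudWatch Logs retention period in days

Resources:
  WafLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      # WAF only accepts log groups whose name starts with "aws-waf-logs-".
      LogGroupName: !Sub "aws-waf-logs-${AWS::StackName}"
      RetentionInDays: !Ref LogRetentionDays

  WafLoggingConfiguration:
    Type: AWS::WAFv2::WebACLLoggingConfiguration
    Properties:
      ResourceArn: !Ref WebAclArn
      LogDestinationConfigs:
        # Built with !Sub so the ARN is exactly the log-group ARN; the log
        # group's Arn attribute appends a trailing ":*" which WAF does not want.
        - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${WafLogGroup}"
      # Redact secrets before they reach any log destination; these header
      # names are the assumed choice for the example.
      RedactedFields:
        - SingleHeader:
            Name: authorization
        - SingleHeader:
            Name: cookie
      # Keep only requests the web ACL blocked; drop everything else so the
      # log group holds just what is needed to debug ACL blocks.
      LoggingFilter:
        DefaultBehavior: DROP
        Filters:
          - Behavior: KEEP
            Requirement: MEETS_ANY
            Conditions:
              - ActionCondition:
                  Action: BLOCK
```

With the logs in that group, a Logs Insights query such as `fields @timestamp, httpRequest.clientIp, terminatingRuleId, httpRequest.uri | filter action = "BLOCK" | sort @timestamp desc` gives the quick view of blocks the thread describes without going through Athena. Remove the `LoggingFilter` block if the same destination is also meant to feed the solution's IP-blocking parsers, which need the allowed traffic too.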