aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0

Need Prefix parameter for AppAccessLogBucket #91

Closed pedros007 closed 1 year ago

pedros007 commented 5 years ago

Are there plans to extend the template to support user-defined prefix for ALB logs?

An ALB provides options to log to a user-defined bucket & prefix (See access_logs.s3.bucket and access_logs.s3.prefix). I have one bucket with many different types of logs, while the ALB-specific logs live in a particular prefix.

The Scanner/Probe & Flood protection from this template can scan logs in a bucket. However, there is no option to search for AWSLogs in a particular prefix. Furthermore, the Lambda will scan every gz file in a bucket:

https://github.com/awslabs/aws-waf-security-automations/blob/e504013c87bde6d6af434097f0c1147a4c1f86c0/source/custom-resource/custom-resource.py#L80-L83

It seems there are a few other spots in the Athena template where a prefix is defined, but it's hard-coded to AWSLogs:

https://github.com/awslabs/aws-waf-security-automations/blob/e504013c87bde6d6af434097f0c1147a4c1f86c0/deployment/aws-waf-security-automations-firehose-athena.template#L142

hvital commented 5 years ago

Good point @pedros007.

I added this to the solution roadmap and we'll post an update to this thread once we have more information.

brandonburkett commented 4 years ago

Any update on this one? I set up a new Elastic Beanstalk app for a blue / green and had to hunt to find that prefixes were not supported? My hope was to consolidate S3 buckets (EX: all ALB logs into one with prefixes) but it doesn't seem to work with WAF :(

aijunpeng commented 4 years ago

At this time we don't plan to introduce a user-defined prefix. The default prefix "AWSLogs" is used and all ALB logs should be written to an S3 bucket with "AWSLogs" as the prefix for the WAF solution to work. We will evaluate this request in the future when things change.

EthanGao-oss commented 2 years ago

> At this time we don't plan to introduce a user-defined prefix. The default prefix "AWSLogs" is used and all ALB logs should be written to an S3 bucket with "AWSLogs" as the prefix for the WAF solution to work. We will evaluate this request in the future when things change.

Hi aijun, as per https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-log-entry-format, access logs from multiple LBs can be placed in one S3 bucket by adding a custom prefix as "bucket[/prefix]/AWSLogs/aws-account-id/elasticloadbalancing...". In our case we place all LB access logs in one S3 bucket. Please consider supporting a Prefix parameter for AppAccessLogBucket.
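The key layout quoted in the comment above, turned into a prefix-aware key filter. This is an added example, not part of the thread and not the solution's own code; `match_alb_log_key`, `select_keys` and the sample keys are constructed for illustration.

```python
import re

# Layout from the ELB documentation cited in the thread, relative to the prefix:
#   AWSLogs/<account-id>/elasticloadbalancing/<region>/yyyy/mm/dd/<file>.log.gz
_ALB_KEY = re.compile(
    r"AWSLogs/(?P<account>\d{12})/elasticloadbalancing/"
    r"(?P<region>[a-z0-9-]+)/(?P<date>\d{4}/\d{2}/\d{2})/"
    r"(?P=account)_elasticloadbalancing_(?P=region)_[^/]+\.log\.gz"
)


def match_alb_log_key(key, prefix=""):
    """Return account/region/date for an ALB log key under `prefix`, else None."""
    prefix = prefix.strip("/")
    if prefix:
        # Compare whole path segments so "alb/prod" does not accept "alb/prod-old/".
        if not key.startswith(prefix + "/"):
            return None
        key = key[len(prefix) + 1:]
    # fullmatch: "AWSLogs/" must start right after the prefix, so other
    # .gz objects sharing the bucket are never handed to the log parser.
    m = _ALB_KEY.fullmatch(key)
    return m.groupdict() if m else None


def select_keys(keys, prefix=""):
    """Keep only the keys that are ALB access logs under `prefix`."""
    return [k for k in keys if match_alb_log_key(k, prefix)]


# Constructed sample keys for a bucket shared by several log types.
_FILE = ("111122223333_elasticloadbalancing_us-east-1_app.web.0123456789abcdef"
         "_20230115T0000Z_10.0.0.1_abcd1234.log.gz")
_TAIL = "AWSLogs/111122223333/elasticloadbalancing/us-east-1/2023/01/15/" + _FILE
SAMPLE_KEYS = [
    "alb/prod/" + _TAIL,                                     # wanted
    "alb/prod-old/" + _TAIL,                                 # sibling prefix
    _TAIL,                                                   # bucket root (default layout)
    "alb/prod/AWSLogs/111122223333/ELBAccessLogTestFile",    # ELB write test object
    "trail/AWSLogs/111122223333/CloudTrail/us-east-1/2023/01/15/t.json.gz",
]

if __name__ == "__main__":
    for k in select_keys(SAMPLE_KEYS, "alb/prod"):
        print(k)
```

With an empty prefix the filter accepts only keys that start at `AWSLogs/`, which is the layout the maintainers describe as required before version 4.0.0.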

aijunpeng commented 2 years ago

Thanks for the suggestion. We will add this to our roadmap and evaluate it for future releases.

aijunpeng commented 1 year ago

This issue has been addressed in version >= 4.0.0.