How do I turn on log filtering in AWS WAF?

3 minute read

I don't want to log all requests that are analyzed by my web ACL but I do want to log the blocked requests. How can I do this in AWS WAF?

Resolution

Use AWS WAF logs filtering to filter out log entries based on rule actions or labels generated by rules while evaluating requests. Logs filtering helps you to save Amazon Kinesis Data Firehose and storage costs by publishing only the logs that you select. For example, you can log only blocked requests.

To filter AWS WAF logs, you must have activated AWS WAF logging. For instructions about activating AWS WAF logging, see How do I turn on AWS WAF logging and send logs to Amazon CloudWatch, Amazon S3, or Kinesis Data Firehose?

Note: There's no additional charge for using AWS log filtering.

Turn on AWS WAF log filtering

Open the AWS WAF console.
For Region, select the AWS Region where you created your web ACL.
Note: Select Global if your web ACL is set up for Amazon CloudFront.
Select your web ACL.
Choose Logging and Metrics.
For Filter logs, choose Add filter.
Add one or more filter conditions. Then, select the criteria to either Match all of the filter conditions or Match at least one of the filter conditions.
For Filter conditions, select either Rule Action on request or Request has label.
For Rule Action, filter based on action taken by rule, such as, Allow, Block, Count, or CAPTCHA.
For Request has label, filter based on the label added to AWS WAF while evaluating requests.
For Filter behavior, choose either Keep in logs or Drop from logs.
Choose the Default logging behavior.
Choose Save.

Log only blocked requests

To log only the blocked requests by AWS WAF, select the filtering based on Rule Action and action as Block.

The Block action is a terminating action for AWS WAF. AWS WAF log filters check the terminating rule action of the AWS WAF log entry. If the action is Block, then the log entry is filtered and added to the log.

Log the Count requests from a rule group

How the rule in a rule group is set determines whether the logs are filtered or not filtered:

When the action for a rule in a rule group is set to Count, the logs for the request matching against this rule don't contain a Count action for this rule. Instead, the AWS WAF logs show this rule under the excludedRules fields, which aren't checked when the AWS WAF logs are filtered for Count action. This means that these requests aren't be filtered by the log filtering for Count action.
The request matching against a rule in a rule group where the rule group action is Override to Count is logged. For these requests, the AWS WAF log contains a Count action in the nonTerminatingMatchingRules field that is checked when filtering the Count action in AWS WAF logs.

Note: EXCLUDED_AS_COUNT is a valid action type for log filtering. This option can be configured using the PutLoggingConfiguration API.

Topics

Security, Identity, & Compliance

Relevant content

Does AWS WAF detects and Logs HTTP Flood logs?
Accepted Answer
rePost-User-4631519
asked a year ago
aws log insight query filter by filed
rePost-User-2738569
asked 6 months ago
WAF Log Filters Not Dropping Specified Requests
AWS-User-8005909
asked 2 years ago
AWS WAF Rule Configuration to differentiate related requests to "body size" in the logs
Sena S
asked 4 hours ago
Subscription filter on comma-delimited (CSV) log
asdhksajd
asked 4 years ago
How are the metrics and logs formatted for the count rule action in AWS WAF?
AWS OFFICIALUpdated 2 years ago
What are my options to analyze AWS WAF logs stored in CloudWatch or Amazon S3?
AWS OFFICIALUpdated 2 years ago
How do I turn on AWS WAF logging and send logs to CloudWatch, Amazon S3, or Kinesis Data Firehose?
AWS OFFICIALUpdated 2 years ago
How do I allow requests from a bot blocked by AWS WAF Bot Control managed rule group?
AWS OFFICIALUpdated 2 years ago
How to view consolidated log from multiple log streams generated from an AWS Mainframe Modernization application?
EXPERT
Souma Suvra Ghosh
published 3 months ago