| Table of Contents | ||||
|---|---|---|---|---|
|
Introduction
The tags beginning with cloud.aws.waf identify events generated by the Amazon AWS Web Application Firewall (WAF service).
Valid tags and data tables
The full tag can must have 4 to 6 levels. The first two 3 are fixed ascloud.aws.waf. The third The fourth level identifies the type of events sent, and the fourth, fifth and sixth levels indicate the event subtype.
...
Technology
...
Brand
...
Type
...
...
Subtype 2
...
Subtype 3
...
cloud
...
aws
...
waf
...
logs
...
<accountId>
...
<region>
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data |
|---|
tables | |
|---|---|
AWS Web Application Firewall (WAF) |
|
|
For more information, read more about Devo tags.
How is the data sent to Devo?
Logs generated by AWS WAF service can be sent to AWS CloudWatch Logs, S3, and Kinesis Data Firehose services.
...
Logs sent to Kinesis Data Firehose can be properly tagged using an AWS Lambda function and forwarded to a Devo HTTP(s) endpoint (as an alternative, a Devo Relay deployed in an EC2 instance can be used for tagging and securely forwarding events using Syslog protocol).
Table structure
These are the fields displayed in this table:
cloud.aws.waf.logs
Field | Type | Field transformation | Source field name | Extra fields | ||
|---|---|---|---|---|---|---|
ACCID |
| |||||
action |
| |||||
eventdate |
| |||||
formatVersion |
| |||||
hostchain |
| |||||
hostname |
| ✓ | ||||
httpRequest_args |
| |||||
httpRequest_clientIp |
| |||||
httpRequest_country |
| |||||
httpRequest_headers_name_str |
|
| httpRequest_headers_name | |||
httpRequest_headers_value_str |
|
| httpRequest_headers_value | |||
httpRequest_httpMethod |
| |||||
httpRequest_httpVersion |
| |||||
httpRequest_requestId |
| |||||
httpRequest_uri |
| |||||
httpSourceId |
| |||||
httpSourceName |
| |||||
labels_name_str |
|
| labels_name | |||
nonTerminatingMatchingRules_action_str |
|
| nonTerminatingMatchingRules_action | |||
nonTerminatingMatchingRules_ruleId_str |
|
| nonTerminatingMatchingRules_ruleId | |||
rateBasedRuleList_limitKey_str |
|
| rateBasedRuleList_limitKey | |||
rateBasedRuleList_maxRateAllowed_str |
|
| rateBasedRuleList_maxRateAllowed | |||
rateBasedRuleList_rateBasedRuleId_str |
|
| rateBasedRuleList_rateBasedRuleId | |||
rawMessage |
| |||||
REGION |
| |||||
requestHeadersInserted_name_str |
|
| requestHeadersInserted_name | |||
requestHeadersInserted_value_str |
|
| requestHeadersInserted_value | |||
responseCodeSent |
| |||||
ruleGroupList_excludedRules_str |
|
| ruleGroupList_excludedRules | |||
ruleGroupList_nonTerminatingMatchingRules_str |
|
| ruleGroupList_nonTerminatingMatchingRules | |||
ruleGroupList_ruleGroupId_str |
|
| ruleGroupList_ruleGroupId | |||
ruleGroupList_terminatingRule_action_str |
|
| ruleGroupList_terminatingRule_action | |||
ruleGroupList_terminatingRule_ruleId_str |
|
| ruleGroupList_terminatingRule_ruleId | |||
ruleGroupList_terminatingRule_ruleMatchDetails_str |
|
| ruleGroupList_terminatingRule_ruleMatchDetails | |||
tag |
| ✓ | ||||
terminatingRuleId |
| |||||
terminatingRuleMatchDetails_conditionType_str |
|
| terminatingRuleMatchDetails_conditionType | |||
terminatingRuleMatchDetails_location_str |
|
| terminatingRuleMatchDetails_location | |||
terminatingRuleMatchDetails_matchedData_str |
|
| terminatingRuleMatchDetails_matchedData | |||
terminatingRuleType |
| |||||
timestamp |
| |||||
webaclId |
|