| Table of Contents | ||||
|---|---|---|---|---|
|
Introduction
The tags beginning with cloud.aws.waf identify events generated by the Amazon AWS Web Application Firewall (WAF service).
Valid tags and data tables
The full tag can must have 4 to 6 levels. The first two 3 are fixed ascloud.aws. The third waf. The fourth level identifies the type of events sent, and the fourth, fifth and sixth levels indicate the event subtype.
...
Technology
...
Brand
...
Type
...
Subtype 1
...
Subtype 2
...
Subtype 3
...
cloud
...
aws
...
waf
...
logs
...
<accountId>
...
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data |
|---|
tables | |
|---|---|
AWS Web Application Firewall (WAF) |
|
|
For more information, read more about Devo tags.
How is the data sent to Devo?
Logs generated by AWS WAF service can be sent to AWS CloudWatch Logs, S3, and Kinesis Data Firehose services.
The preferred methods are using the first two services as destinations. In these cases, Devo AWS collector can be used for gathering, properly tagging, and securely forwarding these logs to Devo.
Logs sent to Kinesis Data Firehose can be properly tagged using an AWS Lambda function and forwarded to a Devo HTTP(s) endpoint (as an alternative, a Devo Relay deployed in an EC2 instance can be used for tagging and securely forwarding events using Syslog protocol).Send the logs using an AWS SQS collector.
Table structure
These are the fields displayed in this table:
cloud.aws.waf.logs
Field | Type | Field transformation | Source field name | Extra fields | ||
|---|---|---|---|---|---|---|
eventdate |
| |||||
hostname |
| |||||
ACCID |
| |||||
ACCID_actual |
| |||||
REGION |
| |||||
timestamp |
| |||||
formatVersion |
| |||||
webaclId |
| |||||
terminatingRuleId |
| |||||
terminatingRuleType |
| |||||
action |
| |||||
terminatingRuleMatchDetails_conditionType_str |
|
| terminatingRuleMatchDetails_conditionType | |||
terminatingRuleMatchDetails_location_str |
|
| terminatingRuleMatchDetails_location | |||
terminatingRuleMatchDetails_matchedData_str |
|
| terminatingRuleMatchDetails_matchedData | |||
httpSourceName |
| |||||
httpSourceId |
| |||||
ruleGroupList_ruleGroupId_str |
|
| ruleGroupList_ruleGroupId | |||
ruleGroupList_terminatingRule_ruleId_str |
|
| ruleGroupList_terminatingRule_ruleId | |||
ruleGroupList_terminatingRule_action_str |
|
| ruleGroupList_terminatingRule_action | |||
ruleGroupList_terminatingRule_ruleMatchDetails_str |
|
| ruleGroupList_terminatingRule_ruleMatchDetails | |||
ruleGroupList_nonTerminatingMatchingRules_str |
|
| ruleGroupList_nonTerminatingMatchingRules | |||
ruleGroupList_excludedRules_str |
|
| ruleGroupList_excludedRules | |||
rateBasedRuleList_rateBasedRuleId_str |
|
| rateBasedRuleList_rateBasedRuleId | |||
rateBasedRuleList_limitKey_str |
|
| rateBasedRuleList_limitKey | |||
rateBasedRuleList_maxRateAllowed_str |
|
| rateBasedRuleList_maxRateAllowed | |||
nonTerminatingMatchingRules_action_str |
|
| nonTerminatingMatchingRules_action | |||
nonTerminatingMatchingRules_ruleId_str |
|
| nonTerminatingMatchingRules_ruleId | |||
requestHeadersInserted_name_str |
|
| requestHeadersInserted_name | |||
requestHeadersInserted_value_str |
|
| requestHeadersInserted_value | |||
responseCodeSent |
| |||||
httpRequest_clientIp |
| |||||
httpRequest_country |
| |||||
httpRequest_headers_name_str |
|
| httpRequest_headers_name | |||
httpRequest_headers_value_str |
|
| httpRequest_headers_value | |||
httpRequest_uri |
| |||||
httpRequest_args |
| |||||
httpRequest_httpVersion |
| |||||
httpRequest_httpMethod |
| |||||
httpRequest_requestId |
| |||||
labels_name_str |
|
| labels_name | |||
hostchain |
| ✓ | ||||
tag |
| ✓ | ||||
rawMessage |
| ✓ |