cloud.aws.waf
Introduction
The tags beginning with cloud.aws.waf
identify events generated by the AWS Web Application Firewall (WAF).Â
Valid tags and data tables
The full tag must have 4 levels. The first 3 are fixed as cloud.aws.waf
. The fourth level identifies the events subtype.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
AWS Web Application Firewall (WAF) |
|
|
For more information, read more about Devo tags.
How is the data sent to Devo?
Logs generated by AWS WAF service can be sent to AWS CloudWatch Logs, S3, and Kinesis Data Firehose services.
The preferred methods are using the first two services as destinations. In these cases, Devo AWS collector can be used for gathering, properly tagging, and securely forwarding these logs to Devo.
Logs sent to Kinesis Data Firehose can be properly tagged using an AWS Lambda function and forwarded to a Devo HTTP(s) endpoint (as an alternative, a Devo Relay deployed in an EC2 instance can be used for tagging and securely forwarding events using Syslog protocol).
Table structure
These are the fields displayed in this table:
cloud.aws.waf.logs
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate |
| Â | Â | Â |
hostname |
| Â | Â | Â |
ACCID |
| Â | Â | Â |
ACCID_actual |
| Â | Â | Â |
REGION |
| Â | Â | Â |
timestamp |
| Â | Â | Â |
formatVersion |
| Â | Â | Â |
webaclId |
| Â | Â | Â |
terminatingRuleId |
| Â | Â | Â |
terminatingRuleType |
| Â | Â | Â |
action |
| Â | Â | Â |
terminatingRuleMatchDetails_conditionType_str |
| Â join(terminatingRuleMatchDetails_conditionType, ',') Â | terminatingRuleMatchDetails_conditionType | Â |
terminatingRuleMatchDetails_location_str |
| Â join(terminatingRuleMatchDetails_location, ',') Â | terminatingRuleMatchDetails_location | Â |
terminatingRuleMatchDetails_matchedData_str |
| Â join(terminatingRuleMatchDetails_matchedData, ',') Â | terminatingRuleMatchDetails_matchedData | Â |
httpSourceName |
| Â | Â | Â |
httpSourceId |
| Â | Â | Â |
ruleGroupList_ruleGroupId_str |
| Â Â | ruleGroupList_ruleGroupId | Â |
ruleGroupList_terminatingRule_ruleId_str |
| Â Â | ruleGroupList_terminatingRule_ruleId | Â |
ruleGroupList_terminatingRule_action_str |
| Â Â | ruleGroupList_terminatingRule_action | Â |
ruleGroupList_terminatingRule_ruleMatchDetails_str |
| Â Â | ruleGroupList_terminatingRule_ruleMatchDetails | Â |
ruleGroupList_nonTerminatingMatchingRules_str |
| Â Â | ruleGroupList_nonTerminatingMatchingRules | Â |
ruleGroupList_excludedRules_str |
| Â Â | ruleGroupList_excludedRules | Â |
rateBasedRuleList_rateBasedRuleId_str |
| Â Â | rateBasedRuleList_rateBasedRuleId | Â |
rateBasedRuleList_limitKey_str |
| Â Â | rateBasedRuleList_limitKey | Â |
rateBasedRuleList_maxRateAllowed_str |
| Â Â | rateBasedRuleList_maxRateAllowed | Â |
nonTerminatingMatchingRules_action_str |
| Â Â | nonTerminatingMatchingRules_action | Â |
nonTerminatingMatchingRules_ruleId_str |
| Â Â | nonTerminatingMatchingRules_ruleId | Â |
requestHeadersInserted_name_str |
| Â Â | requestHeadersInserted_name | Â |
requestHeadersInserted_value_str |
| Â Â | requestHeadersInserted_value | Â |
responseCodeSent |
| Â | Â | Â |
httpRequest_clientIp |
| Â | Â | Â |
httpRequest_country |
| Â | Â | Â |
httpRequest_headers_name_str |
| Â Â | httpRequest_headers_name | Â |
httpRequest_headers_value_str |
| Â Â | httpRequest_headers_value | Â |
httpRequest_uri |
| Â | Â | Â |
httpRequest_args |
| Â | Â | Â |
httpRequest_httpVersion |
| Â | Â | Â |
httpRequest_httpMethod |
| Â | Â | Â |
httpRequest_requestId |
| Â | Â | Â |
labels_name_str |
| Â Â | labels_name | Â |
hostchain |
|  |  | ✓ |
tag |
|  |  | ✓ |
rawMessage |
|  |  | ✓ |