nexus/knowledgebase/csd-wiki/ICSD/How-to-export-WAF-logs-for-troubleshooting_688988324.md
2026-04-18 17:09:43 +08:00

How-to-export-WAF-logs-for-troubleshooting_688988324

Introduction

AWS WAF is a service associated with your primary load balancer. It provides access control and traffic control, and it can even block access from specific countries or IP addresses. Because the WAF rules in ESM are not yet mature, we have to export the logs and send them to RnD for analysis; this is an ongoing refactoring effort.

Here are the steps you can refer to:

  • Make sure you have enabled logging metrics for WAF and that the logs are saved in an S3 bucket
  • Navigate to CloudWatch → Logs → Logs Insights
  • Select the time range in the top right corner, e.g. Last 1 week
  • Select the S3 bucket which you enabled in Step 1
  • Enter a search query like the following (you can customize the filter here) and click Run Query:
      fields @timestamp, httpRequest.uri as URI, action, @message
      | sort @timestamp desc
      | filter (action = "BLOCK" or action = "COUNT")
  • Wait for the query to complete and click Export Results → Download table (XLSX)
  • Zip the downloaded files and send them to RnD

Note that you can export a maximum of 10 thousand records at a time, so when there are more records, please narrow your time range or adjust your filters.
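
The same export scripted against the CloudWatch Logs API, as an added example that is not part of the original page: it runs the query above and halves the time range automatically whenever a query hits the 10 thousand record cap. It assumes the WAF logs are queryable as a CloudWatch log group; `aws-waf-logs-EXAMPLE` is a placeholder, and `run_query` and `export_all` are names chosen for this example.

```python
import time

# Same query as in the steps above.
QUERY = ('fields @timestamp, httpRequest.uri as URI, action, @message '
         '| sort @timestamp desc '
         '| filter (action = "BLOCK" or action = "COUNT")')
LIMIT = 10000  # maximum rows one Logs Insights query returns


def run_query(logs, log_group, start, end, limit=LIMIT, poll=1.0):
    """Run QUERY over [start, end] (epoch seconds, inclusive); return rows as dicts."""
    qid = logs.start_query(logGroupName=log_group, startTime=start, endTime=end,
                           queryString=QUERY, limit=limit)["queryId"]
    while True:
        resp = logs.get_query_results(queryId=qid)
        if resp["status"] == "Complete":
            return [{f["field"]: f["value"] for f in row} for row in resp["results"]]
        if resp["status"] in ("Failed", "Cancelled", "Timeout"):
            raise RuntimeError(f"query {qid} ended with status {resp['status']}")
        time.sleep(poll)


def export_all(logs, log_group, start, end, limit=LIMIT):
    """Return every matching row, halving the time range whenever the cap is hit."""
    rows = run_query(logs, log_group, start, end, limit)
    if len(rows) < limit:
        return rows
    if start >= end:
        raise RuntimeError(f"{limit} or more rows in second {start}; tighten the filter")
    mid = (start + end) // 2
    # Both bounds are inclusive, so the halves must not share a second.
    return (export_all(logs, log_group, mid + 1, end, limit)
            + export_all(logs, log_group, start, mid, limit))


if __name__ == "__main__":
    import csv, sys
    import boto3  # imported here so the functions above work with any client object

    log_group = "aws-waf-logs-EXAMPLE"  # placeholder: your WAF log group
    now = int(time.time())
    rows = export_all(boto3.client("logs"), log_group, now - 7 * 86400, now)
    out = csv.DictWriter(sys.stdout, ["@timestamp", "URI", "action", "@message"],
                         extrasaction="ignore")
    out.writeheader()
    out.writerows(rows)
```

Run as a script, it writes the last week of BLOCK and COUNT events as CSV to standard output, newest first.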
