How do I turn on log filtering in AWS WAF?

Last updated: 2022-07-26

I don't want to log all requests that are analyzed by my web ACL, but I do want to log the blocked requests. How can I do this in AWS WAF?

Resolution

Use AWS WAF logs filtering to filter out log entries based on rule actions or labels generated by rules while evaluating requests. Logs filtering helps you to save Amazon Kinesis Data Firehose and storage costs by publishing only the logs that you select. For example, you can log only blocked requests.

To filter AWS WAF logs, you must have activated AWS WAF logging. For instructions about activating AWS WAF logging, see How do I turn on AWS WAF logging and send logs to Amazon CloudWatch, Amazon S3, or Kinesis Data Firehose?

Note: There's no additional charge for using AWS WAF log filtering.

Turn on AWS WAF log filtering

  1. Open the AWS WAF console.
  2. For Region, select the AWS Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  3. Select your web ACL.
  4. Choose Logging and Metrics.
  5. For Filter logs, choose Add filter.
  6. Add one or more filter conditions. Then, select the criteria to either Match all of the filter conditions or Match at least one of the filter conditions.
  7. For Filter conditions, select either Rule Action on request or Request has label.
    For Rule Action, filter based on the action taken by a rule, such as Allow, Block, Count, or CAPTCHA.
    For Request has label, filter based on a label that AWS WAF added to the request while evaluating it.
  8. For Filter behavior, choose either Keep in logs or Drop from logs.
  9. Choose the Default logging behavior.
  10. Choose Save.

Log only blocked requests

To log only the requests that AWS WAF blocked, add a filter condition based on Rule Action with the action set to Block, and set the filter behavior to Keep in logs.

The Block action is a terminating action for AWS WAF. AWS WAF log filters check the terminating rule action of each AWS WAF log entry. If that action is Block, the filter condition matches and the log entry is kept and published to the log.

Log the Count requests from a rule group

How the rule in a rule group is configured determines whether the Count action filter applies to its log entries:

  • When the action for a rule in a rule group is set to Count, the logs for requests that match this rule don't contain a Count action for the rule. Instead, the AWS WAF logs list this rule under the excludedRules field, which isn't checked when the AWS WAF logs are filtered for the Count action. This means that these requests aren't selected by a log filter for the Count action.
  • Requests that match a rule in a rule group where the rule group action is Override to Count are logged. For these requests, the AWS WAF log contains a Count action in the nonTerminatingMatchingRules field, which is checked when filtering for the Count action in AWS WAF logs.

Note: EXCLUDED_AS_COUNT is a valid action type for log filtering. This option can be configured using the PutLoggingConfiguration API.
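The following is an added example, not AWS code: it builds the LoggingFilter object that PutLoggingConfiguration accepts for the steps above, and applies a simplified model of the filter evaluation described in this article to constructed, abridged AWS WAF log entries. The evaluation logic and the sample entries are assumptions for illustration; only the service decides what is actually published.

```python
# Added example (not AWS's code): the LoggingFilter shape accepted by
# PutLoggingConfiguration, applied by a simplified model of the service's
# filter evaluation (an assumption based on this article) to constructed
# AWS WAF log entries.

def action_filter(action, default="DROP"):
    """Keep-only filter for one rule action, e.g. BLOCK, COUNT or EXCLUDED_AS_COUNT."""
    return {"DefaultBehavior": default, "Filters": [{
        "Behavior": "KEEP", "Requirement": "MEETS_ANY",
        "Conditions": [{"ActionCondition": {"Action": action}}]}]}

def _actions_in(entry):
    # Actions a filter can see: the terminating action, COUNT actions under
    # nonTerminatingMatchingRules (top level and per rule group), and
    # EXCLUDED_AS_COUNT for rules listed under excludedRules. A plain COUNT
    # condition therefore does not see excludedRules, as the article describes.
    seen = {entry.get("action")}
    seen.update(r["action"] for r in entry.get("nonTerminatingMatchingRules", []))
    for g in entry.get("ruleGroupList", []):
        seen.update(r["action"] for r in g.get("nonTerminatingMatchingRules", []))
        seen.update(r["exclusionType"] for r in g.get("excludedRules", []))
    return seen

def _matches(cond, entry):
    if "ActionCondition" in cond:
        return cond["ActionCondition"]["Action"] in _actions_in(entry)
    return cond["LabelNameCondition"]["LabelName"] in {
        lab["name"] for lab in entry.get("labels", [])}

def keep_entry(logging_filter, entry):
    """True if the entry would be published under logging_filter."""
    for f in logging_filter["Filters"]:
        hits = [_matches(c, entry) for c in f["Conditions"]]
        if (all(hits) if f["Requirement"] == "MEETS_ALL" else any(hits)):
            return f["Behavior"] == "KEEP"   # first matching filter decides
    return logging_filter["DefaultBehavior"] == "KEEP"

# Constructed sample entries (abridged AWS WAF log shape, not real traffic).
BLOCKED = {"action": "BLOCK", "terminatingRuleId": "block-bad-ua",
           "labels": [{"name": "awswaf:managed:aws:core-rule-set:BadBot"}]}
ALLOWED = {"action": "ALLOW", "terminatingRuleId": "Default_Action"}
# Rule inside a rule group set to Count: appears only under excludedRules.
RG_EXCLUDED = {"action": "ALLOW", "ruleGroupList": [{"ruleGroupId": "rg-1",
    "excludedRules": [{"exclusionType": "EXCLUDED_AS_COUNT", "ruleId": "r1"}]}]}
# Rule group action overridden to Count: COUNT is visible to the filter.
RG_OVERRIDE = {"action": "ALLOW", "ruleGroupList": [{"ruleGroupId": "rg-1",
    "nonTerminatingMatchingRules": [{"ruleId": "r1", "action": "COUNT"}]}]}
```

Pass the returned dictionary as the LoggingFilter member of the logging configuration when you call PutLoggingConfiguration.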
