Logging network traffic from AWS Network Firewall

You can configure AWS Network Firewall logging for your firewall's stateful engine. Logging gives you detailed information about network traffic, including the time that the stateful engine received a packet, detailed information about the packet, and any stateful rule action taken against the packet. The logs are published to the log destination that you've configured, where you can retrieve and view them.

Note

Firewall logging is only available for traffic that you forward to the stateful rules engine. You forward traffic to the stateful engine through stateless rule actions and stateless default actions in the firewall policy. For information about these action settings, see Stateless default actions in your firewall policy and Defining rule actions in AWS Network Firewall.

Metrics provide some higher-level information for both stateless and stateful engine types. For more information, see AWS Network Firewall metrics in Amazon CloudWatch.

You can record flow logs and alert logs from your Network Firewall stateful engine.

  • Flow logs are standard network traffic flow logs. Each flow log record captures the network flow for a specific standard stateless rule group.

  • Alert logs report traffic that matches your stateful rules that have an action that sends an alert. A stateful rule sends alerts for the rule actions DROP, ALERT, and REJECT.

You can use the same or different logging destination for each log type. You enable logging for a firewall after you create it. For information about how to do this, see Updating a firewall's logging configuration.

Contents of a firewall log

The Network Firewall logs contain the following information:

  • firewall_name – The name of the firewall that's associated with the log entry.

  • availability_zone – The Availability Zone of the firewall endpoint that generated the log entry.

  • event_timestamp – The time that the log was created, written in epoch seconds at Coordinated Universal Time (UTC).

  • event – Detailed information about the event. This information includes the event timestamp converted to human-readable format, the event type, network packet details, and, if applicable, details about the stateful rule that the packet matched. All events are produced by Suricata, the open source threat detection engine that the stateful rules engine runs on. Suricata writes the event information in the Suricata EVE JSON output format, with the exception of the AWS managed tls_inspected attribute.

    • The engine writes flow log events using the EVE output type netflow. The log type netflow logs uni-directional flows, so each event represents traffic going in a single direction.

    • The engine writes the alert log events using the EVE output type alert.

    • If the firewall that's associated with the log uses TLS inspection and the firewall's traffic uses SSL/TLS, Network Firewall adds the custom field "tls_inspected": true to the log. If your firewall doesn't use TLS inspection, Network Firewall omits this field.

    For detailed information about these Suricata events, see EVE JSON Output in the Suricata User Guide.

The following shows an example alert log entry for Network Firewall:

{
  "firewall_name": "test-firewall",
  "availability_zone": "us-east-1b",
  "event_timestamp": "1602627001",
  "event": {
    "timestamp": "2020-10-13T22:10:01.006481+0000",
    "flow_id": 1582438383425873,
    "event_type": "alert",
    "src_ip": "203.0.113.4",
    "src_port": 55555,
    "dest_ip": "192.0.2.16",
    "dest_port": 111,
    "proto": "TCP",
    "alert": {
      "action": "allowed",
      "signature_id": 5,
      "rev": 0,
      "signature": "test_tcp",
      "category": "",
      "severity": 1
    }
  }
}
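As an added example that is not part of the AWS documentation, the following Python normalizes log entries in the layout described above (epoch-second event_timestamp, alert versus netflow event types, and the optional tls_inspected field) and summarizes a batch of them. The entries other than the page's own alert example are constructed samples, and the placement of tls_inspected inside the event object is an assumption.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample entries in the log layout described above: the page's alert
# example, a netflow (flow log) record, and an alert on TLS-inspected traffic.
SAMPLE_LOG_LINES = [
    '{"firewall_name":"test-firewall","availability_zone":"us-east-1b","event_timestamp":"1602627001",'
    '"event":{"timestamp":"2020-10-13T22:10:01.006481+0000","flow_id":1582438383425873,'
    '"event_type":"alert","src_ip":"203.0.113.4","src_port":55555,"dest_ip":"192.0.2.16","dest_port":111,'
    '"proto":"TCP","alert":{"action":"allowed","signature_id":5,"rev":0,"signature":"test_tcp",'
    '"category":"","severity":1}}}',
    '{"firewall_name":"test-firewall","availability_zone":"us-east-1b","event_timestamp":"1602627002",'
    '"event":{"timestamp":"2020-10-13T22:10:02.000000+0000","flow_id":1582438383425874,'
    '"event_type":"netflow","src_ip":"192.0.2.16","src_port":111,"dest_ip":"203.0.113.4","dest_port":55555,'
    '"proto":"TCP","netflow":{"pkts":4,"bytes":320,"age":1}}}',
    '{"firewall_name":"test-firewall","availability_zone":"us-east-1b","event_timestamp":"1602627003",'
    '"event":{"timestamp":"2020-10-13T22:10:03.000000+0000","flow_id":1582438383425875,'
    '"event_type":"alert","src_ip":"203.0.113.9","src_port":44444,"dest_ip":"192.0.2.20","dest_port":443,'
    '"proto":"TCP","tls_inspected":true,"alert":{"action":"blocked","signature_id":7,"rev":1,'
    '"signature":"test_tls_block","category":"","severity":2}}}',
]

def parse_entry(line):
    """Normalise one log line into the fields a responder pivots on."""
    entry = json.loads(line)
    event = entry["event"]
    parsed = {
        "firewall": entry["firewall_name"],
        "az": entry["availability_zone"],
        # event_timestamp is epoch seconds (UTC), delivered as a string
        "time": datetime.fromtimestamp(int(entry["event_timestamp"]), tz=timezone.utc),
        "type": event["event_type"],
        "flow": (event["src_ip"], event["src_port"], event["dest_ip"], event["dest_port"]),
        # omitted entirely without TLS inspection; placement in "event" is assumed, top level is a fallback
        "tls_inspected": bool(event.get("tls_inspected", entry.get("tls_inspected", False))),
    }
    alert = event.get("alert")
    if alert:  # present only on alert events, not on netflow events
        parsed.update(action=alert["action"], signature=alert["signature"])
    return parsed

def summarize(lines):
    """Count events by type and alerts by (action, signature)."""
    by_type, alerts = Counter(), Counter()
    for p in map(parse_entry, lines):
        by_type[p["type"]] += 1
        if p["type"] == "alert":
            alerts[(p["action"], p["signature"])] += 1
    return by_type, alerts
```

Because flow logs record every flow reaching the stateful engine while alert logs record only matching rules, counting by event type is a quick sanity check that both log types are actually being delivered.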

Firewall log delivery

A log file or log stream generally contains information about the requests that your firewall received during a given time period. The timing of Network Firewall log delivery varies by location type, averaging 3-6 minutes for Amazon CloudWatch Logs and Amazon Data Firehose and 8-12 minutes for Amazon Simple Storage Service buckets. In some cases, logs may take longer than these averages. When log entries are delayed, Network Firewall saves them and then logs them according to the date and time of the period in which the requests occurred, not the date and time when the logs are delivered.

Note

If your firewall doesn't filter traffic for a period of time, you don't receive logs for that period.

When creating a log file or stream, Network Firewall consolidates information for your firewall from all the endpoints that received traffic during the time period that the log covers.

Permissions to configure firewall logging

You must have the following permissions to make any changes to your firewall logging configuration. These settings are included in the permissions requirements for each logging configuration type, under AWS Network Firewall logging destinations.

{
  "Sid": "FirewallLogging",
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogDelivery",
    "logs:GetLogDelivery",
    "logs:UpdateLogDelivery",
    "logs:DeleteLogDelivery",
    "logs:ListLogDeliveries"
  ],
  "Resource": [
    "*"
  ]
}

The permissions required for logging configuration are in addition to the standard permissions required to use the Network Firewall API. For information about the standard permissions that are required to use Network Firewall, see Managing access using policies.

Pricing for firewall logging

You are charged for Amazon CloudWatch vended logs, on top of the basic charges for using Network Firewall. Vended logs are specific AWS service logs published by AWS on your behalf at volume discount pricing. Your logging costs can vary depending on factors such as the destination type that you choose and the amount of data that you log. For example, flow logging sends logs for all of the network traffic that reaches your firewall's stateful rules, but alert logging sends logs only for network traffic that your stateful rules drop or explicitly alert on. For information on CloudWatch vended log pricing, see Logs on the Amazon CloudWatch pricing page.