Logging network traffic from AWS Network Firewall
You can configure AWS Network Firewall logging for your firewall's stateful engine. Logging gives you detailed information about network traffic, including the time that the stateful engine received a packet, detailed information about the packet, and any stateful rule action taken against the packet. The logs are published to the log destination that you've configured, where you can retrieve and view them.
Note
Firewall logging is only available for traffic that you forward to the stateful rules engine. You forward traffic to the stateful engine through stateless rule actions and stateless default actions in the firewall policy. For information about these action settings, see Stateless default actions in your firewall policy and Defining rule actions in AWS Network Firewall.
Metrics provide some higher-level information for both stateless and stateful engine types. For more information, see AWS Network Firewall metrics in Amazon CloudWatch.
You can record flow logs and alert logs from your Network Firewall stateful engine.
- Flow logs are standard network traffic flow logs. Each flow log record captures the network flow for a specific standard stateless rule group.
- Alert logs report traffic that matches your stateful rules that have an action that sends an alert. A stateful rule sends alerts for the rule actions DROP, ALERT, and REJECT.
You can use the same or different logging destination for each log type. You enable logging for a firewall after you create it. For information about how to do this, see Updating a firewall's logging configuration.
Contents of a firewall log
The Network Firewall logs contain the following information:
- firewall_name – The name of the firewall that's associated with the log entry.
- availability_zone – The Availability Zone of the firewall endpoint that generated the log entry.
- event_timestamp – The time that the log was created, written in epoch seconds at Coordinated Universal Time (UTC).
- event – Detailed information about the event. This information includes the event timestamp converted to human-readable format, the event type, network packet details, and, if applicable, details about the stateful rule that the packet matched against. The event is controlled by Suricata, the open source intrusion prevention system (IPS) that the stateful rules engine runs on. Suricata writes the event information in the Suricata EVE JSON output format.
  - The engine writes flow log events using the EVE output type netflow. The log type netflow logs uni-directional flows, so each event represents traffic going in a single direction.
  - The engine writes the alert log events using the EVE output type alert.
  For detailed information about these Suricata events, see EVE JSON Output in the Suricata User Guide.
The following shows an example alert log entry for Network Firewall:
{
  "firewall_name": "test-firewall",
  "availability_zone": "us-east-1b",
  "event_timestamp": "1602627001",
  "event": {
    "timestamp": "2020-10-13T22:10:01.006481+0000",
    "flow_id": 1582438383425873,
    "event_type": "alert",
    "src_ip": "203.0.113.4",
    "src_port": 55555,
    "dest_ip": "192.0.2.16",
    "dest_port": 111,
    "proto": "TCP",
    "alert": {
      "action": "allowed",
      "signature_id": 5,
      "rev": 0,
      "signature": "test_tcp",
      "category": "",
      "severity": 1
    }
  }
}
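The record layout above is what a consumer of the delivered logs has to parse: a small outer envelope (firewall_name, availability_zone, event_timestamp in epoch seconds) wrapping a Suricata EVE event whose event_type decides whether an alert or a netflow object is present. The following Python is an added example, not code from the AWS documentation or from Network Firewall itself. It parses records of that shape, skips lines that are not valid records, converts event_timestamp to a UTC datetime, and produces the kind of summaries a defender reviewing these logs wants: alert counts per signature and action, record counts per minute of event time (the time the traffic occurred, which is how Network Firewall attributes delayed entries), and bytes per uni-directional flow. The sample lines are constructed: the alert record is the page's example, the netflow record and the corrupt line are made up for the demonstration, and the netflow field names (pkts, bytes, start, end, age) follow Suricata's EVE netflow output.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log lines: the first is the alert record from the page,
# the second is a made-up netflow record in the same envelope, the third is
# a corrupt line to show that parsing skips it rather than aborting.
SAMPLE_LOG_LINES = [
    '{"firewall_name":"test-firewall","availability_zone":"us-east-1b",'
    '"event_timestamp":"1602627001","event":{"timestamp":"2020-10-13T22:10:01.006481+0000",'
    '"flow_id":1582438383425873,"event_type":"alert","src_ip":"203.0.113.4","src_port":55555,'
    '"dest_ip":"192.0.2.16","dest_port":111,"proto":"TCP","alert":{"action":"allowed",'
    '"signature_id":5,"rev":0,"signature":"test_tcp","category":"","severity":1}}}',
    '{"firewall_name":"test-firewall","availability_zone":"us-east-1b",'
    '"event_timestamp":"1602627005","event":{"timestamp":"2020-10-13T22:10:05.000000+0000",'
    '"flow_id":1582438383425874,"event_type":"netflow","src_ip":"192.0.2.16","src_port":443,'
    '"dest_ip":"203.0.113.4","dest_port":55555,"proto":"TCP","netflow":{"pkts":12,"bytes":3400,'
    '"start":"2020-10-13T22:10:01.000000+0000","end":"2020-10-13T22:10:05.000000+0000","age":4}}}',
    'not json at all',
]


def parse_record(line):
    """Parse one Network Firewall log record into a flat dict.

    Raises ValueError for lines that are not valid records.
    """
    try:
        raw = json.loads(line)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON: {exc}") from None
    if not isinstance(raw, dict) or not isinstance(raw.get("event"), dict):
        raise ValueError("missing 'event' object")
    event = raw["event"]
    record = {
        "firewall_name": raw.get("firewall_name"),
        "availability_zone": raw.get("availability_zone"),
        # event_timestamp is epoch seconds (UTC), delivered as a string.
        "event_time": datetime.fromtimestamp(int(raw["event_timestamp"]), tz=timezone.utc),
        "event_type": event.get("event_type"),
        "flow_id": event.get("flow_id"),
        "src_ip": event.get("src_ip"),
        "src_port": event.get("src_port"),
        "dest_ip": event.get("dest_ip"),
        "dest_port": event.get("dest_port"),
        "proto": event.get("proto"),
    }
    # The EVE output type decides which detail object is present.
    if record["event_type"] == "alert":
        record["alert"] = event.get("alert", {})
    elif record["event_type"] == "netflow":
        record["netflow"] = event.get("netflow", {})
    else:
        raise ValueError(f"unexpected event_type {record['event_type']!r}")
    return record


def load_records(lines):
    """Parse every non-blank line; return (records, number_of_skipped_lines)."""
    records, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        try:
            records.append(parse_record(line))
        except (ValueError, KeyError, TypeError):
            skipped += 1
    return records, skipped


def summarize_alerts(records):
    """Count alert events per (signature_id, signature, action)."""
    counts = Counter(
        (r["alert"].get("signature_id"), r["alert"].get("signature"), r["alert"].get("action"))
        for r in records if r["event_type"] == "alert"
    )
    return dict(counts)


def bucket_by_minute(records):
    """Count records per UTC minute of event_timestamp (when the traffic occurred)."""
    return dict(Counter(r["event_time"].strftime("%Y-%m-%dT%H:%M") for r in records))


def bytes_per_flow_direction(records):
    """Sum netflow bytes per (src_ip, dest_ip, dest_port).

    netflow events are uni-directional, so each direction of one connection
    shows up under its own key.
    """
    totals = Counter()
    for r in records:
        if r["event_type"] == "netflow":
            totals[(r["src_ip"], r["dest_ip"], r["dest_port"])] += r["netflow"].get("bytes", 0)
    return dict(totals)


if __name__ == "__main__":
    recs, skipped = load_records(SAMPLE_LOG_LINES)
    print(f"parsed {len(recs)} records, skipped {skipped}")
    print(summarize_alerts(recs))
    print(bucket_by_minute(recs))
    print(bytes_per_flow_direction(recs))
```

Feed `load_records` the lines of a downloaded S3 log object or the message fields of CloudWatch Logs events; the parser keys on event_type rather than on the presence of the alert object, so a record with an unexpected type is counted as skipped instead of being misclassified.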
Firewall log delivery
A log file or log stream generally contains information about the requests that your firewall received during a given time period. The timing of Network Firewall log delivery varies by location type, averaging 3-6 minutes for Amazon CloudWatch Logs and Amazon Kinesis Data Firehose and 8-12 minutes for Amazon Simple Storage Service buckets. In some cases, logs may take longer than these averages. When log entries are delayed, Network Firewall saves them and then logs them according to the date and time of the period in which the requests occurred, not the date and time when the logs are delivered.
Note
If your firewall doesn't filter traffic for a period of time, you don't receive logs for that period.
When creating a log file or stream, Network Firewall consolidates information for your firewall from all the endpoints that received traffic during the time period that the log covers.
Permissions to configure firewall logging
You must have the following permissions to make any changes to your firewall logging configuration. These settings are included in the permissions requirements for each logging configuration type, under AWS Network Firewall logging destinations.
{
  "Action": [
    "logs:CreateLogDelivery",
    "logs:GetLogDelivery",
    "logs:UpdateLogDelivery",
    "logs:DeleteLogDelivery",
    "logs:ListLogDeliveries"
  ],
  "Resource": [
    "*"
  ],
  "Effect": "Allow",
  "Sid": "FirewallLogging"
}
The permissions required for logging configuration are in addition to the standard permissions required to use the Network Firewall API. For information about the standard permissions that are required to use Network Firewall, see Managing access using policies.
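A quick way to confirm that a principal's policy actually grants the five log-delivery actions listed above, before a logging change fails at the API, is to evaluate the policy document against that list. The following Python is an added example and is not AWS code or part of Network Firewall; it reproduces only the parts of IAM action matching needed here (Allow and Deny statements, Deny taking precedence, case-insensitive `*` and `?` wildcards) and deliberately ignores Resource, Condition and NotAction, so it is a coarse pre-check, not an IAM simulator. The three policy documents are constructed for the demonstration; the first wraps the statement from the page.

```python
import fnmatch

# The five actions the page lists as required for changes to firewall logging.
REQUIRED_LOG_DELIVERY_ACTIONS = (
    "logs:CreateLogDelivery",
    "logs:GetLogDelivery",
    "logs:UpdateLogDelivery",
    "logs:DeleteLogDelivery",
    "logs:ListLogDeliveries",
)

# Constructed policy documents. FULL_POLICY wraps the page's statement; the
# other two are made up to exercise a missing action and a Deny override.
FULL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FirewallLogging", "Effect": "Allow",
         "Action": list(REQUIRED_LOG_DELIVERY_ACTIONS), "Resource": ["*"]},
    ],
}
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    # A single statement may be given as an object rather than a list.
    "Statement": {"Effect": "Allow",
                  "Action": ["logs:GetLogDelivery", "logs:ListLogDeliveries"],
                  "Resource": "*"},
}
WILDCARD_WITH_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "logs:DeleteLogDelivery", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list in most positions; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(action, pattern):
    """IAM action matching is case-insensitive with * and ? wildcards.

    fnmatch additionally honours [...] classes, which IAM does not; that
    difference does not matter for the action names checked here.
    """
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_actions(policy, required=REQUIRED_LOG_DELIVERY_ACTIONS):
    """Return the subset of `required` that the policy grants.

    An action is granted when some Allow statement matches it and no Deny
    statement matches it (an explicit Deny always wins in IAM evaluation).
    Resource, Condition and NotAction are ignored: this is a coarse check.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        hits = {a for a in required if any(_action_matches(a, p) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= hits
        elif stmt.get("Effect") == "Deny":
            denied |= hits
    return allowed - denied


def missing_actions(policy, required=REQUIRED_LOG_DELIVERY_ACTIONS):
    """Required actions the policy does not grant, in the page's order."""
    granted = granted_actions(policy, required)
    return tuple(a for a in required if a not in granted)


if __name__ == "__main__":
    for name, doc in [("full", FULL_POLICY), ("read-only", READ_ONLY_POLICY),
                      ("wildcard+deny", WILDCARD_WITH_DENY_POLICY)]:
        print(f"{name}: missing {missing_actions(doc) or 'nothing'}")
```

Run it against the inline policy documents of the role used for logging changes; an empty result from `missing_actions` means the Allow side is covered, while a non-empty result names the actions to add to a statement such as the FirewallLogging one above.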
Pricing for firewall logging
You are charged for Amazon CloudWatch vended logs, on top of the basic charges for using Network Firewall. Vended logs are specific AWS service logs published by AWS on your behalf at volume discount pricing. Your logging costs can vary depending on factors such as the destination type that you choose and the amount of data that you log. For example, flow logging sends logs for all of the network traffic that reaches your firewall's stateful rules, but alert logging sends logs only for network traffic that your stateful rules drop or explicitly alert on. For information on CloudWatch vended log pricing, see Logs