Managing logging for a web ACL - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Managing logging for a web ACL

You can enable and disable logging for a web ACL at any time.

Note

You are charged for logging in addition to the charges for using AWS WAF. For information, see Pricing for logging web ACL traffic information.

In the logging configuration for your web ACL, you can customize what AWS WAF sends to the logs.

  • Field redaction – You can redact some fields from the log records. Redacted fields appear as REDACTED in the logs. For example, if you redact the URI field, the URI field in the logs will be REDACTED. For a list of the log fields, see Log Fields.

  • Log filtering – You can add filtering to specify which web requests are kept in the logs and which are dropped. You filter on the settings that AWS WAF applies during the web request evaluation. You can filter on the following settings:

    • Fully qualified label – Fully qualified labels have a prefix, optional namespaces, and label name. The prefix identifies the rule group or web ACL context of the rule that added the label. For information about labels, see Labels on web requests.

    • Rule action – You can filter on any normal rule action setting and also on the legacy EXCLUDED_AS_COUNT override option for rule group rules. For information about rule action settings, see AWS WAF rule action. For information about current and legacy rule action overrides for rule group rules, see Action overrides in rule groups.

      • The normal rule action filters apply to actions that are configured in rules and also to actions that are configured using the current option for overriding a rule group rule action.

      • The EXCLUDED_AS_COUNT log filter overlaps with the Count action log filter. EXCLUDED_AS_COUNT filters both the current and legacy options for overriding a rule group rule action to Count.

To enable logging for a web ACL

This procedure requires a configured logging destination. For information about your destination choices and the requirements for each, see AWS WAF logging destinations.

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.

  2. In the navigation pane, choose Web ACLs.

  3. Choose the name of the web ACL that you want to enable logging for. The console takes you to the web ACL's description, where you can edit it.

  4. On the Logging tab, choose Enable logging.

  5. Choose the logging destination type, and then choose the logging destination that you configured. You must choose a logging destination whose name begins with aws-waf-logs-.

  6. (Optional) If you don't want certain fields and their values included in the logs, redact those fields. Choose the field to redact, and then choose Add. Repeat as necessary to redact additional fields. The redacted fields appear as REDACTED in the logs. For example, if you redact the URI field, the URI field in the logs will be REDACTED.

  7. (Optional) If you don't want to send all requests to the logs, add your filtering criteria and behavior. Under Filter logs, for each filter that you want to apply, choose Add filter, then choose your filtering criteria and specify whether you want to keep or drop requests that match the criteria. When you finish adding filters, if needed, modify the Default logging behavior.

  8. Choose Enable logging.

    Note

    When you successfully enable logging, AWS WAF will create a service linked role with the necessary permissions to write logs to the logging destination. For more information, see Using service-linked roles for AWS WAF.

To disable logging for a web ACL

  1. In the navigation pane, choose Web ACLs.

  2. Choose the name of the web ACL that you want to disable logging for. The console takes you to the web ACL's description, where you can edit it.

  3. On the Logging tab, choose Disable logging.

  4. In the dialog box, choose Disable logging.