Amazon WAF Log Activity

Amazon WAF logs are timestamped in UTC, as is common among cloud providers, so factor in the offset to your own timezone when reviewing activity. Some parts of the dashboard show only the last 4 hours of data, because cloud logs can generate a massive volume of events. To cover a longer time period, use the event search feature.

Selecting a chart component, such as a pie segment or graph item, links through to the Text Details tabular output, where you can search and apply additional filtering to the selected data and time period.

  • The specific log types in the widgets are for WAF activity.

    • Log Activity over time - This shows the log activity for today.

    • Log Activity by System - This shows the log activity based on the system name of the target.

    • Log Activity Client IP - The IP address of the client sending the request.

    • Log HTTP Source Name - The source of the request. Possible values: CF for Amazon CloudFront, APIGW for Amazon API Gateway, ALB for Application Load Balancer, APPSYNC for AWS AppSync, COGNITOIDP for Amazon Cognito, APPRUNNER for App Runner, and VERIFIED_ACCESS for Verified Access.

    • Log HTTP Method - The HTTP method in the request.

    • Log Action - The terminating action that AWS WAF applied to the request. This indicates either allow, block, CAPTCHA, or challenge. The CAPTCHA and Challenge actions are terminating when the web request doesn't contain a valid token.

    • Log Network Port - The network port the connection was made on.

    • Log Country of origin - The source country of the request. If AWS WAF is unable to determine the country of origin, it sets this field to -.

  • Some examples of the dashboard items are below.

  • image-20240206-073518.png
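The same breakdowns can be reproduced outside the dashboard. The following is an added example, not part of the product or the original page: it assumes the raw records are in AWS WAF's JSON log format (`timestamp` in epoch milliseconds, `action`, `httpSourceName`, `httpRequest.clientIp`, `httpRequest.country`, `httpRequest.httpMethod`), and the `summarize` function, the sample records and the UTC+11 analyst timezone are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real traffic); IPs are documentation ranges.
SAMPLE_LOGS = """
{"timestamp": 1707204600000, "action": "BLOCK", "httpSourceName": "ALB", "httpRequest": {"clientIp": "203.0.113.10", "country": "AU", "httpMethod": "POST"}}
{"timestamp": 1707202800000, "action": "ALLOW", "httpSourceName": "CF", "httpRequest": {"clientIp": "198.51.100.7", "country": "US", "httpMethod": "GET"}}
{"timestamp": 1707195600000, "action": "CAPTCHA", "httpSourceName": "APIGW", "httpRequest": {"clientIp": "203.0.113.10", "country": "-", "httpMethod": "GET"}}
{"timestamp": 1707184800000, "action": "BLOCK", "httpSourceName": "ALB", "httpRequest": {"clientIp": "192.0.2.44", "country": "DE", "httpMethod": "GET"}}
""".strip().splitlines()

NOW_UTC = datetime(2024, 2, 6, 7, 35, tzinfo=timezone.utc)  # fixed "now" so output is repeatable
LOCAL_TZ = timezone(timedelta(hours=11))                     # assumed analyst timezone (UTC+11)


def summarize(lines, now_utc, window=timedelta(hours=4), local_tz=timezone.utc):
    """Tally WAF records inside the time window; return (counts, local timestamps)."""
    cutoff = now_utc - window
    counts = {k: Counter() for k in ("action", "source", "client_ip", "method", "country")}
    local_times = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        # AWS WAF writes `timestamp` as epoch milliseconds, which is always UTC.
        ts = datetime.fromtimestamp(rec["timestamp"] / 1000, tz=timezone.utc)
        if not cutoff <= ts <= now_utc:
            continue  # outside the window, like the dashboard's 4-hour widgets
        req = rec.get("httpRequest", {})
        country = req.get("country", "-")
        counts["action"][rec.get("action", "UNKNOWN")] += 1
        counts["source"][rec.get("httpSourceName", "UNKNOWN")] += 1
        counts["client_ip"][req.get("clientIp", "UNKNOWN")] += 1
        counts["method"][req.get("httpMethod", "UNKNOWN")] += 1
        # "-" means WAF could not determine the country of origin.
        counts["country"]["undetermined" if country == "-" else country] += 1
        local_times.append(ts.astimezone(local_tz).isoformat())
    return counts, local_times


if __name__ == "__main__":
    counts, local_times = summarize(SAMPLE_LOGS, NOW_UTC, local_tz=LOCAL_TZ)
    for name, counter in counts.items():
        print(f"{name:10} {dict(counter)}")
    print("local times:", local_times)
```

Passing a longer `window` corresponds to using event search instead of the 4-hour widgets; the fourth sample record only appears once the window is widened.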