Contents of an AWS Network Firewall log
The Network Firewall logs contain the following information:
- firewall_name – The name of the firewall that's associated with the log entry.
- availability_zone – The Availability Zone of the firewall endpoint that generated the log entry.
- event_timestamp – The time that the log was created, written in epoch seconds at Coordinated Universal Time (UTC).
- event – Detailed information about the event. This information includes the event timestamp converted to human readable format, event type, network packet details, and, if applicable, details about the stateful rule that the packet matched against.
  - Alert and flow events – Alert and flow events are produced by Suricata, the open source threat detection engine that the stateful rules engine runs on. Suricata writes the event information in the Suricata EVE JSON output format, with the exception of the AWS managed tls_inspected attribute.
    - Flow log events use the EVE output type netflow. The netflow log type logs uni-directional flows, so each event represents traffic going in a single direction.
    - Alert log events use the EVE output type alert.
    - If the firewall that's associated with the log uses TLS inspection and the firewall's traffic uses SSL/TLS, Network Firewall adds the custom field "tls_inspected": true to the log. If your firewall doesn't use TLS inspection, Network Firewall omits this field.
    For detailed information about these Suricata events, see EVE JSON Output in the Suricata User Guide.
  - TLS events – TLS events are produced by a dedicated stateful TLS engine, which is separate from Suricata. TLS events have the output type tls. The logs have a JSON structure that's similar to the Suricata EVE output. These events require the firewall to be configured for TLS inspection. For information, see Inspecting SSL/TLS traffic with TLS inspection configurations in AWS Network Firewall.
    TLS logs report the following types of errors:
    - TLS errors, with the custom field "tls_error": containing the error details. Currently, this category includes Server Name Indication (SNI) mismatches and SNI naming errors. Typically these errors are caused by problems with customer traffic or with the customer's client or server, for example when the client hello SNI is NULL or doesn't match the subject name in the server certificate.
    - Revocation check errors, with the custom field "revocation_check": containing the check failure details. These report outbound traffic that fails the server certificate revocation check during TLS inspection. This requires the firewall to be configured with TLS inspection for outbound traffic, and for the TLS inspection to be configured to check the certificate revocation status. The logs include the revocation check status, the action taken, and the SNI that the revocation check was for. For information about configuring certificate revocation checking, see Using SSL/TLS certificates with TLS inspection configurations in AWS Network Firewall.
Example alert log entry
The following listing shows an example alert log entry for Network Firewall.
{
  "firewall_name": "test-firewall",
  "availability_zone": "us-east-1b",
  "event_timestamp": "1602627001",
  "event": {
    "timestamp": "2020-10-13T22:10:01.006481+0000",
    "flow_id": 1582438383425873,
    "event_type": "alert",
    "src_ip": "203.0.113.4",
    "src_port": 55555,
    "dest_ip": "192.0.2.16",
    "dest_port": 111,
    "proto": "TCP",
    "alert": {
      "action": "allowed",
      "signature_id": 5,
      "rev": 0,
      "signature": "test_tcp",
      "category": "",
      "severity": 1
    }
  }
}
Example TLS log entry
The following listing shows an example TLS log entry for a failed certificate revocation check.
{
  "firewall_name": "egress-fw",
  "availability_zone": "us-east-1d",
  "event_timestamp": 1708361189,
  "event": {
    "src_ip": "10.0.2.53",
    "src_port": "55930",
    "revocation_check": {
      "leaf_cert_fpr": "1234567890EXAMPLE0987654321",
      "status": "REVOKED",
      "action": "DROP"
    },
    "dest_ip": "54.92.160.72",
    "dest_port": "443",
    "timestamp": "2024-02-19T16:46:29.441824Z",
    "sni": "revoked-rsa-dv.ssl.com"
  }
}
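The following parser is an added example and is not part of the AWS documentation or any AWS tooling. It reads Network Firewall log lines, sorts them into the alert, netflow and TLS event kinds described above, and pulls out the fields an analyst triages on: the matched signature and its action, the tls_inspected flag, and the revocation_check or tls_error details. The first two sample lines are the page's own example entries; the netflow and tls_error lines are constructed, and the layout inside the constructed tls_error object and the netflow object is assumed, not taken from the page. Because the page's TLS engine example carries no event_type key, the code treats the presence of revocation_check or tls_error as the marker of a TLS engine event; that inference is an assumption of this example.

```python
"""Triage helper for AWS Network Firewall log entries (added example, not AWS code)."""
import json
from dataclasses import dataclass

# Sample log lines. Lines 1-2 are the example entries from the page; lines 3-4 are
# constructed for this example and only follow the documented field names. The
# shape of the netflow and tls_error sub-objects is assumed.
SAMPLE_LOG_LINES = [
    '{"firewall_name":"test-firewall","availability_zone":"us-east-1b","event_timestamp":"1602627001",'
    '"event":{"timestamp":"2020-10-13T22:10:01.006481+0000","flow_id":1582438383425873,'
    '"event_type":"alert","src_ip":"203.0.113.4","src_port":55555,"dest_ip":"192.0.2.16",'
    '"dest_port":111,"proto":"TCP","alert":{"action":"allowed","signature_id":5,"rev":0,'
    '"signature":"test_tcp","category":"","severity":1}}}',
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1d","event_timestamp":1708361189,'
    '"event":{"src_ip":"10.0.2.53","src_port":"55930","revocation_check":{'
    '"leaf_cert_fpr":"1234567890EXAMPLE0987654321","status":"REVOKED","action":"DROP"},'
    '"dest_ip":"54.92.160.72","dest_port":"443","timestamp":"2024-02-19T16:46:29.441824Z",'
    '"sni":"revoked-rsa-dv.ssl.com"}}',
    # constructed: a uni-directional flow record from a firewall using TLS inspection
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1d","event_timestamp":1708361200,'
    '"event":{"timestamp":"2024-02-19T16:46:40.000000Z","event_type":"netflow","tls_inspected":true,'
    '"src_ip":"10.0.2.53","src_port":55931,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP",'
    '"netflow":{"pkts":12,"bytes":4096}}}',
    # constructed: a TLS engine error event (the keys inside tls_error are assumed)
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1d","event_timestamp":1708361210,'
    '"event":{"timestamp":"2024-02-19T16:46:50.000000Z","src_ip":"10.0.2.54","src_port":"44012",'
    '"dest_ip":"198.51.100.9","dest_port":"443","sni":"example.net",'
    '"tls_error":{"error_type":"SNI_MISMATCH"}}}',
]


@dataclass
class Finding:
    firewall: str
    kind: str          # "alert", "netflow", "tls" or "unknown"
    epoch: int         # event_timestamp normalised to an int
    src: str           # "ip:port"
    dest: str          # "ip:port"
    tls_inspected: bool
    summary: str
    severity: str      # "high", "medium" or "info"


def event_kind(event: dict) -> str:
    """Suricata events carry event_type ("alert" / "netflow"). The page's TLS engine
    example has no event_type, so (assumption) TLS events are recognised by their
    custom fields instead."""
    kind = event.get("event_type")
    if kind:
        return kind
    if "revocation_check" in event or "tls_error" in event:
        return "tls"
    return "unknown"


def parse_entry(line: str) -> Finding:
    """Parse one log line into a Finding with a triage severity."""
    entry = json.loads(line)
    event = entry["event"]
    kind = event_kind(event)
    src = f"{event.get('src_ip')}:{event.get('src_port')}"
    dest = f"{event.get('dest_ip')}:{event.get('dest_port')}"
    # tls_inspected is only present when the firewall uses TLS inspection
    tls_inspected = bool(event.get("tls_inspected", False))
    severity, summary = "info", kind
    if kind == "alert":
        alert = event["alert"]
        summary = f"{alert['signature']} (sid {alert['signature_id']}) action={alert['action']}"
        # an "allowed" match means the packet passed despite matching a rule: worth review
        severity = "medium" if alert["action"] == "allowed" else "info"
    elif kind == "tls":
        rc = event.get("revocation_check")
        err = event.get("tls_error")
        if rc is not None:
            summary = f"revocation {rc['status']} action={rc['action']} sni={event.get('sni')}"
            severity = "high" if rc["status"] == "REVOKED" else "medium"
        elif err is not None:
            summary = f"tls_error {err} sni={event.get('sni')}"
            severity = "medium"
    elif kind == "netflow":
        nf = event.get("netflow", {})
        summary = f"flow pkts={nf.get('pkts')} bytes={nf.get('bytes')}"
    # event_timestamp is a string in the alert example and a number in the TLS example
    return Finding(entry["firewall_name"], kind, int(entry["event_timestamp"]),
                   src, dest, tls_inspected, summary, severity)


def triage(lines):
    """Return (all findings, counts per event kind, high-severity findings)."""
    findings = [parse_entry(line) for line in lines]
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    high = [f for f in findings if f.severity == "high"]
    return findings, counts, high


if __name__ == "__main__":
    findings, counts, high = triage(SAMPLE_LOG_LINES)
    print("event counts:", counts)
    for f in high:
        print(f"[{f.severity}] {f.firewall} {f.src} -> {f.dest}: {f.summary}")
```

Running the block against the samples reports one alert, one netflow and two TLS events, and surfaces the revoked-certificate drop as the single high-severity finding. Note that the alert's "allowed" action is flagged for review rather than treated as benign: the signature matched but the traffic went through.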