This section provides examples for logging web ACL traffic.
Example Rate-based rule 1: Rule configuration with one key, set to
Header:dogname
{
"Name": "RateBasedRule",
"Priority": 1,
"Statement": {
"RateBasedStatement": {
"Limit": 100,
"AggregateKeyType": "CUSTOM_KEYS",
"CustomKeys": [
{
"Header": {
"Name": "dogname",
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
]
}
}
]
}
},
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "RateBasedRule"
}
}Example Rate-based rule 1: Log entry for request blocked by rate-based rule
{
"timestamp":1683355579981,
"formatVersion":1,
"webaclId": ...,
"terminatingRuleId":"RateBasedRule",
"terminatingRuleType":"RATE_BASED",
"action":"BLOCK",
"terminatingRuleMatchDetails":[
],
"httpSourceName":"APIGW",
"httpSourceId":"EXAMPLE11:rjvegx5guh:CanaryTest",
"ruleGroupList":[
],
"rateBasedRuleList":[
{
"rateBasedRuleId": ...,
"rateBasedRuleName":"RateBasedRule",
"limitKey":"CUSTOMKEYS",
"maxRateAllowed":100,
"evaluationWindowSec":"120",
"customValues":[
{
"key":"HEADER",
"name":"dogname",
"value":"ella"
}
]
}
],
"nonTerminatingMatchingRules":[
],
"requestHeadersInserted":null,
"responseCodeSent":null,
"httpRequest":{
"clientIp":"52.46.82.45",
"country":"FR",
"headers":[
{
"name":"X-Forwarded-For",
"value":"52.46.82.45"
},
{
"name":"X-Forwarded-Proto",
"value":"https"
},
{
"name":"X-Forwarded-Port",
"value":"443"
},
{
"name":"Host",
"value":"rjvegx5guh.execute-api.eu-west-3.amazonaws.com"
},
{
"name":"X-Amzn-Trace-Id",
"value":"Root=1-645566cf-7cb058b04d9bb3ee01dc4036"
},
{
"name":"dogname",
"value":"ella"
},
{
"name":"User-Agent",
"value":"RateBasedRuleTestKoipOneKeyModulePV2"
},
{
"name":"Accept-Encoding",
"value":"gzip,deflate"
}
],
"uri":"/CanaryTest",
"args":"",
"httpVersion":"HTTP/1.1",
"httpMethod":"GET",
"requestId":"Ed0AiHF_CGYF-DA="
}
}Example Rate-based rule 2: Rule configuration with two keys, set to
Header:dogname and Header:catname
{
"Name": "RateBasedRule",
"Priority": 1,
"Statement": {
"RateBasedStatement": {
"Limit": 100,
"AggregateKeyType": "CUSTOM_KEYS",
"CustomKeys": [
{
"Header": {
"Name": "dogname",
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
]
}
},
{
"Header": {
"Name": "catname",
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
]
}
}
]
}
},
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "RateBasedRule"
}
}Example Rate-based rule 2: Log entry for request blocked by rate-based rule
{
"timestamp":1633322211194,
"formatVersion":1,
"webaclId":...,
"terminatingRuleId":"RateBasedRule",
"terminatingRuleType":"RATE_BASED",
"action":"BLOCK",
"terminatingRuleMatchDetails":[
],
"httpSourceName":"APIGW",
"httpSourceId":"EXAMPLE11:rjvegx5guh:CanaryTest",
"ruleGroupList":[
],
"rateBasedRuleList":[
{
"rateBasedRuleId":...,
"rateBasedRuleName":"RateBasedRule",
"limitKey":"CUSTOMKEYS",
"maxRateAllowed":100,
"evaluationWindowSec":"120",
"customValues":[
{
"key":"HEADER",
"name":"dogname",
"value":"ella"
},
{
"key":"HEADER",
"name":"catname",
"value":"goofie"
}
]
}
],
"nonTerminatingMatchingRules":[
],
"requestHeadersInserted":null,
"responseCodeSent":null,
"httpRequest":{
"clientIp":"52.46.82.35",
"country":"FR",
"headers":[
{
"name":"X-Forwarded-For",
"value":"52.46.82.35"
},
{
"name":"X-Forwarded-Proto",
"value":"https"
},
{
"name":"X-Forwarded-Port",
"value":"443"
},
{
"name":"Host",
"value":"23llbyn8v3.execute-api.eu-west-3.amazonaws.com"
},
{
"name":"X-Amzn-Trace-Id",
"value":"Root=1-64556629-17ac754c2ed9f0620e0f2a0c"
},
{
"name":"catname",
"value":"goofie"
},
{
"name":"dogname",
"value":"ella"
},
{
"name":"User-Agent",
"value":"Apache-HttpClient/UNAVAILABLE (Java/11.0.19)"
},
{
"name":"Accept-Encoding",
"value":"gzip,deflate"
}
],
"uri":"/CanaryTest",
"args":"",
"httpVersion":"HTTP/1.1",
"httpMethod":"GET",
"requestId":"EdzmlH5OCGYF1vQ="
}
}
Example Log output for a rule that triggered on SQLi detection (terminating)
{
"timestamp": 1576280412771,
"formatVersion": 1,
"webaclId": "arn:aws:wafv2:ap-southeast-2:111122223333:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE",
"terminatingRuleId": "STMTest_SQLi_XSS",
"terminatingRuleType": "REGULAR",
"action": "BLOCK",
"terminatingRuleMatchDetails": [
{
"conditionType": "SQL_INJECTION",
"sensitivityLevel": "HIGH",
"location": "HEADER",
"matchedData": [
"10",
"AND",
"1"
]
}
],
"httpSourceName": "-",
"httpSourceId": "-",
"ruleGroupList": [],
"rateBasedRuleList": [],
"nonTerminatingMatchingRules": [],
"httpRequest": {
"clientIp": "1.1.1.1",
"country": "AU",
"headers": [
{
"name": "Host",
"value": "localhost:1989"
},
{
"name": "User-Agent",
"value": "curl/7.61.1"
},
{
"name": "Accept",
"value": "*/*"
},
{
"name": "x-stm-test",
"value": "10 AND 1=1"
}
],
"uri": "/myUri",
"args": "",
"httpVersion": "HTTP/1.1",
"httpMethod": "GET",
"requestId": "rid"
},
"labels": [
{
"name": "value"
}
]
}Example Log output for a rule that triggered on SQLi detection (non-terminating)
{
"timestamp":1592357192516
,"formatVersion":1
,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9"
,"terminatingRuleId":"Default_Action"
,"terminatingRuleType":"REGULAR"
,"action":"ALLOW"
,"terminatingRuleMatchDetails":[]
,"httpSourceName":"-"
,"httpSourceId":"-"
,"ruleGroupList":[]
,"rateBasedRuleList":[]
,"nonTerminatingMatchingRules":
[{
"ruleId":"TestRule"
,"action":"COUNT"
,"ruleMatchDetails":
[{
"conditionType":"SQL_INJECTION"
,"sensitivityLevel": "HIGH"
,"location":"HEADER"
,"matchedData":[
"10"
,"and"
,"1"]
}]
}]
,"httpRequest":{
"clientIp":"3.3.3.3"
,"country":"US"
,"headers":[
{"name":"Host","value":"localhost:1989"}
,{"name":"User-Agent","value":"curl/7.61.1"}
,{"name":"Accept","value":"*/*"}
,{"name":"myHeader","myValue":"10 AND 1=1"}
]
,"uri":"/myUri","args":""
,"httpVersion":"HTTP/1.1"
,"httpMethod":"GET"
,"requestId":"rid"
},
"labels": [
{
"name": "value"
}
]
}Example Log output for multiple rules that triggered inside a rule group (RuleA-XSS is terminating and Rule-B is non-terminating)
{
"timestamp":1592361810888,
"formatVersion":1,
"webaclId":"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9"
,"terminatingRuleId":"RG-Reference"
,"terminatingRuleType":"GROUP"
,"action":"BLOCK",
"terminatingRuleMatchDetails":
[{
"conditionType":"XSS"
,"location":"HEADER"
,"matchedData":["<","frameset"]
}]
,"httpSourceName":"-"
,"httpSourceId":"-"
,"ruleGroupList":
[{
"ruleGroupId":"arn:aws:wafv2:us-east-1:123456789012:global/rulegroup/hello-world/c05lb698-1f11-4m41-aef4-99a506d53f4b"
,"terminatingRule":{
"ruleId":"RuleA-XSS"
,"action":"BLOCK"
,"ruleMatchDetails":null
}
,"nonTerminatingMatchingRules":
[{
"ruleId":"RuleB-SQLi"
,"action":"COUNT"
,"ruleMatchDetails":
[{
"conditionType":"SQL_INJECTION"
,"sensitivityLevel": "LOW"
,"location":"HEADER"
,"matchedData":[
"10"
,"and"
,"1"]
}]
}]
,"excludedRules":null
}]
,"rateBasedRuleList":[]
,"nonTerminatingMatchingRules":[]
,"httpRequest":{
"clientIp":"3.3.3.3"
,"country":"US"
,"headers":
[
{"name":"Host","value":"localhost:1989"}
,{"name":"User-Agent","value":"curl/7.61.1"}
,{"name":"Accept","value":"*/*"}
,{"name":"myHeader1","value":"<frameset onload=alert(1)>"}
,{"name":"myHeader2","value":"10 AND 1=1"}
]
,"uri":"/myUri"
,"args":""
,"httpVersion":"HTTP/1.1"
,"httpMethod":"GET"
,"requestId":"rid"
},
"labels": [
{
"name": "value"
}
]
}Example Log output for a rule that triggered for the inspection of the request body with content type JSON
AWS WAF currently reports the location for JSON body inspection as
UNKNOWN.
{
"timestamp": 1576280412771,
"formatVersion": 1,
"webaclId": "arn:aws:wafv2:ap-southeast-2:123456789012:regional/webacl/test/111",
"terminatingRuleId": "STMTest_SQLi_XSS",
"terminatingRuleType": "REGULAR",
"action": "BLOCK",
"terminatingRuleMatchDetails": [
{
"conditionType": "SQL_INJECTION",
"sensitivityLevel": "LOW",
"location": "UNKNOWN",
"matchedData": [
"10",
"AND",
"1"
]
}
],
"httpSourceName": "ALB",
"httpSourceId": "alb",
"ruleGroupList": [],
"rateBasedRuleList": [],
"nonTerminatingMatchingRules": [],
"requestHeadersInserted":null,
"responseCodeSent":null,
"httpRequest": {
"clientIp": "1.1.1.1",
"country": "AU",
"headers": [],
"uri": "",
"args": "",
"httpVersion": "HTTP/1.1",
"httpMethod": "POST",
"requestId": "null"
},
"labels": [
{
"name": "value"
}
]
}Example Log output for a CAPTCHA rule against a web request with a valid, unexpired CAPTCHA token
The following log listing is for a web request that matched a rule with
CAPTCHA action. The web request has a valid and unexpired
CAPTCHA token, and is only noted as a CAPTCHA
match by AWS WAF, similar to the behavior for the Count action. This CAPTCHA
match is noted under nonTerminatingMatchingRules.
{
"timestamp": 1632420429309,
"formatVersion": 1,
"webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/captcha-web-acl/585e38b5-afce-4d2a-b417-14fb08b66c67",
"terminatingRuleId": "Default_Action",
"terminatingRuleType": "REGULAR",
"action": "ALLOW",
"terminatingRuleMatchDetails": [],
"httpSourceName": "APIGW",
"httpSourceId": "123456789012:b34myvfw0b:pen-test",
"ruleGroupList": [],
"rateBasedRuleList": [],
"nonTerminatingMatchingRules": [
{
"ruleId": "captcha-rule",
"action": "CAPTCHA",
"ruleMatchDetails": [],
"captchaResponse": {
"responseCode": 0,
"solveTimestamp": 1632420429
}
}
],
"requestHeadersInserted": [
{
"name": "x-amzn-waf-test-header-name",
"value": "test-header-value"
}
],
"responseCodeSent": null,
"httpRequest": {
"clientIp": "72.21.198.65",
"country": "US",
"headers": [
{
"name": "X-Forwarded-For",
"value": "72.21.198.65"
},
{
"name": "X-Forwarded-Proto",
"value": "https"
},
{
"name": "X-Forwarded-Port",
"value": "443"
},
{
"name": "Host",
"value": "b34myvfw0b.gamma.execute-api.us-east-1.amazonaws.com"
},
{
"name": "X-Amzn-Trace-Id",
"value": "Root=1-614cc24d-5ad89a09181910c43917a888"
},
{
"name": "cache-control",
"value": "max-age=0"
},
{
"name": "sec-ch-ua",
"value": "\"Chromium\";v=\"94\", \"Google Chrome\";v=\"94\", \";Not A Brand\";v=\"99\""
},
{
"name": "sec-ch-ua-mobile",
"value": "?0"
},
{
"name": "sec-ch-ua-platform",
"value": "\"Windows\""
},
{
"name": "upgrade-insecure-requests",
"value": "1"
},
{
"name": "user-agent",
"value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.54 Safari/537.36"
},
{
"name": "accept",
"value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
},
{
"name": "sec-fetch-site",
"value": "same-origin"
},
{
"name": "sec-fetch-mode",
"value": "navigate"
},
{
"name": "sec-fetch-user",
"value": "?1"
},
{
"name": "sec-fetch-dest",
"value": "document"
},
{
"name": "referer",
"value": "https://b34myvfw0b.gamma.execute-api.us-east-1.amazonaws.com/pen-test/pets"
},
{
"name": "accept-encoding",
"value": "gzip, deflate, br"
},
{
"name": "accept-language",
"value": "en-US,en;q=0.9"
},
{
"name": "cookie",
"value": "aws-waf-token=51c71352-41f5-4f6d-b676-c24907bdf819:EQoAZ/J+AAQAAAAA:t9wvxbw042wva7E2Y6lgud/bS6YG0CJKVAJqaRqDZ140ythKW0Zj9wKB2O8lSkYDRqf1yONcVBFo5u0eYi0tvT4rtQCXsu+KanAardW8go4QSLw4yoED59lgV7oAhGyCalAzE7ra29j+RvvZPsQyoQuDCrtoY/TvQyMTXIXzGPDC/rKBbg=="
}
],
"uri": "/pen-test/pets",
"args": "",
"httpVersion": "HTTP/1.1",
"httpMethod": "GET",
"requestId": "GINMHHUgoAMFxug="
}
}Example Log output for a CAPTCHA rule against a web request that doesn't have a CAPTCHA token
The following log listing is for a web request that matched a rule with CAPTCHA action. The web request didn't have a CAPTCHA token, and was blocked by AWS WAF.
{
"timestamp": 1632420416512,
"formatVersion": 1,
"webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/captcha-web-acl/585e38b5-afce-4d2a-b417-14fb08b66c67",
"terminatingRuleId": "captcha-rule",
"terminatingRuleType": "REGULAR",
"action": "CAPTCHA",
"terminatingRuleMatchDetails": [],
"httpSourceName": "APIGW",
"httpSourceId": "123456789012:b34myvfw0b:pen-test",
"ruleGroupList": [],
"rateBasedRuleList": [],
"nonTerminatingMatchingRules": [],
"requestHeadersInserted": null,
"responseCodeSent": 405,
"httpRequest": {
"clientIp": "72.21.198.65",
"country": "US",
"headers": [
{
"name": "X-Forwarded-For",
"value": "72.21.198.65"
},
{
"name": "X-Forwarded-Proto",
"value": "https"
},
{
"name": "X-Forwarded-Port",
"value": "443"
},
{
"name": "Host",
"value": "b34myvfw0b.gamma.execute-api.us-east-1.amazonaws.com"
},
{
"name": "X-Amzn-Trace-Id",
"value": "Root=1-614cc240-18b57ff33c10e5c016b508c5"
},
{
"name": "sec-ch-ua",
"value": "\"Chromium\";v=\"94\", \"Google Chrome\";v=\"94\", \";Not A Brand\";v=\"99\""
},
{
"name": "sec-ch-ua-mobile",
"value": "?0"
},
{
"name": "sec-ch-ua-platform",
"value": "\"Windows\""
},
{
"name": "upgrade-insecure-requests",
"value": "1"
},
{
"name": "user-agent",
"value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.54 Safari/537.36"
},
{
"name": "accept",
"value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
},
{
"name": "sec-fetch-site",
"value": "cross-site"
},
{
"name": "sec-fetch-mode",
"value": "navigate"
},
{
"name": "sec-fetch-user",
"value": "?1"
},
{
"name": "sec-fetch-dest",
"value": "document"
},
{
"name": "accept-encoding",
"value": "gzip, deflate, br"
},
{
"name": "accept-language",
"value": "en-US,en;q=0.9"
}
],
"uri": "/pen-test/pets",
"args": "",
"httpVersion": "HTTP/1.1",
"httpMethod": "GET",
"requestId": "GINKHEssoAMFsrg="
},
"captchaResponse": {
"responseCode": 405,
"solveTimestamp": 0,
"failureReason": "TOKEN_MISSING"
}
}