**Introducing a new console experience for AWS WAF**
You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html).
# Logging AWS WAF protection pack (web ACL) traffic
This section explains the logging options for your AWS WAF protection packs (web ACLs).
You can enable logging to get detailed information about traffic that is analyzed by your web ACL. Logged information includes the time that AWS WAF received a web request from your AWS resource, detailed information about the request, and details about the rules that the request matched. You can send protection pack (web ACL) logs to an Amazon CloudWatch Logs log group, an Amazon Simple Storage Service (Amazon S3) bucket, or an Amazon Data Firehose delivery stream.
In addition to logs that you can enable for your protection packs (web ACLs), AWS also uses service logs of website or application traffic processed by AWS WAF to provide support for and protect the security of AWS customers and services.
**Note**
The protection pack (web ACL) logging configuration only affects the AWS WAF logs. In particular, the redacted fields configuration for logging has no impact on request sampling or Security Lake data collection. You can exclude fields from collection or sampling by configuring protection pack (web ACL) data protection. Other than data protection, Security Lake data collection is configured entirely through the Security Lake service.
**Topics**
+ [
# Pricing for logging protection pack (web ACL) traffic information
](logging-pricing.md)
+ [
# AWS WAF logging destinations
](logging-destinations.md)
+ [
# Configuring logging for a protection pack (web ACL)
](logging-management-configure.md)
+ [
# Finding your protection pack (web ACL) records
](logging-management.md)
+ [
# Log fields for protection pack (web ACL) traffic
](logging-fields.md)
+ [
# Log examples for protection pack (web ACL) traffic
](logging-examples.md)
**Other data collection and analysis options**
In addition to logging, you can enable the following options for data collection and analysis:
+ **Amazon Security Lake** – You can configure Security Lake to collect protection pack (web ACL) data. Security Lake collects log and event data from various sources for normalization, analysis, and management. For information about this option, see [What is Amazon Security Lake?](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) and [Collecting data from AWS services](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html) in the *Amazon Security Lake user guide*.
AWS WAF doesn't charge you for using this option. For pricing information, see [Security Lake Pricing](https://aws.amazon.com/security-lake/pricing/) and [How Security Lake pricing is determined](https://docs.aws.amazon.com/security-lake/latest/userguide/estimating-costs.html) in the *Amazon Security Lake user guide*.
+ **Request sampling** – You can configure your protection pack (web ACL) to sample the web requests that it evaluates, to get an idea of the type of traffic that your application is receiving. For information about this option, see [Viewing a sample of web requests](web-acl-testing-view-sample.md).
# Pricing for logging protection pack (web ACL) traffic information
This section explains the pricing considerations for using protection pack (web ACL) traffic logs.
You are charged for logging protection pack (web ACL) traffic information according to the costs associated with each log destination type. These charges are in addition to the charges for using AWS WAF. Your costs can vary depending on factors such as the destination type that you choose and the amount of data that you log.
The following provides links to the pricing information for each logging destination type:
+ **CloudWatch Logs** – The charges are for vended log delivery. See [Amazon CloudWatch Logs Pricing](https://aws.amazon.com/cloudwatch/pricing/). Under **Paid Tier**, choose the **Logs** tab, and then under **Vended Logs**, see the information for **Delivery to CloudWatch Logs**.
+ **Amazon S3 buckets** – The Amazon S3 charges are the combined charges for CloudWatch Logs vended log delivery to the Amazon S3 buckets and for using Amazon S3.
+ For Amazon S3, see [Amazon S3 Pricing](https://aws.amazon.com/s3/pricing/).
+ For CloudWatch Logs vended log delivery to the Amazon S3, see [Amazon CloudWatch Logs Pricing](https://aws.amazon.com/cloudwatch/pricing/). Under **Paid Tier**, choose the **Logs** tab, and then under **Vended Logs**, see the information for **Delivery to S3**
+ **Firehose** – See [Amazon Data Firehose Pricing](https://aws.amazon.com/kinesis/data-firehose/pricing/).
For information about AWS WAF pricing, see [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).
# AWS WAF logging destinations
This section describes the logging options that you can choose from for your AWS WAF logs. Each section provides guidance for configuring logging including information about any behavior that's specific to the destination type. After you've configured the logging destination, you can provide its specifications to your protection pack (web ACL) logging configuration to start logging to it.
**Topics**
+ [CloudWatch Logs](logging-cw-logs.md)
+ [Amazon S3](logging-s3.md)
+ [Firehose](logging-kinesis.md)
# Sending protection pack (web ACL) traffic logs to a Amazon CloudWatch Logs log group
This topic provides information for sending your protection pack (web ACL) traffic logs to a CloudWatch Logs log group.
**Note**
You are charged for logging in addition to the charges for using AWS WAF. For information, see [Pricing for logging protection pack (web ACL) traffic information](logging-pricing.md).
To send logs to Amazon CloudWatch Logs, you create a CloudWatch Logs log group. When you enable logging in AWS WAF, you provide the log group ARN. After you enable logging for your protection pack (web ACL), AWS WAF delivers logs to the CloudWatch Logs log group in log streams.
When you use CloudWatch Logs, you can explore the logs for your protection pack (web ACL) in the AWS WAF console. In your protection pack (web ACL) page, select the tab **Logging insights**. This option is in addition to the logging insights that are provided for CloudWatch Logs through the CloudWatch console.
Configure the log group for AWS WAF protection pack (web ACL) logs in the same Region as the protection pack (web ACL) and using the same account as you use to manage the protection pack (web ACL). For information about configuring a CloudWatch Logs log group, see [Working with Log Groups and Log Streams](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html).
## Quotas for CloudWatch Logs log groups
CloudWatch Logs has a default maximum quota for throughput, shared across all log groups within a region, which you can request to increase. If your logging requirements are too high for the current throughput setting, you'll see throttling metrics for `PutLogEvents` for your account. To view the limit in the Service Quotas console and request an increase, see the [CloudWatch Logs PutLogEvents quota](https://console.aws.amazon.com/servicequotas/home/services/logs/quotas/L-7E1FAE88).
## Log group naming
Your log group names must start with `aws-waf-logs-` and can end with any suffix you like, for example, `aws-waf-logs-testLogGroup2`.
The resulting ARN format is as follows:
```
arn:aws:logs:Region:account-id:log-group:aws-waf-logs-log-group-suffix
```
The log streams have the following naming format:
```
Region_web-acl-name_log-stream-number
```
The following shows an example log stream for protection pack (web ACL) `TestWebACL` in Region `us-east-1`.
```
us-east-1_TestWebACL_0
```
## Permissions required to publish logs to CloudWatch Logs
Configuring protection pack (web ACL) traffic logging for a CloudWatch Logs log group requires the permissions settings described in this section. The permissions are set for you when you use one of the AWS WAF full access managed policies, `AWSWAFConsoleFullAccess` or `AWSWAFFullAccess`. If you want to manage finer-grained access to your logging and AWS WAF resources, you can set the permissions yourself. For information about managing permissions, see [Access management for AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access.html) in the *IAM User Guide*. For information about the AWS WAF managed policies, see [AWS managed policies for AWS WAF](security-iam-awsmanpol.md).
These permissions allow you to change the protection pack (web ACL) logging configuration, to configure log delivery for CloudWatch Logs, and to retrieve information about your log group. These permissions must be attached to the user that you use to manage AWS WAF.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"wafv2:PutLoggingConfiguration",
"wafv2:DeleteLoggingConfiguration"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "LoggingConfigurationAPI"
},
{
"Sid": "WebACLLoggingCWL",
"Action": [
"logs:CreateLogDelivery",
"logs:DeleteLogDelivery",
"logs:PutResourcePolicy",
"logs:DescribeResourcePolicies",
"logs:DescribeLogGroups"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
}
```
------
When actions are permitted on all AWS resources, it's indicated in the policy with a `"Resource"` setting of `"*"`. This means that the actions are permitted on all AWS resources *that each action supports*. For example, the action `wafv2:PutLoggingConfiguration` is supported only for `wafv2` logging configuration resources.
# Sending protection pack (web ACL) traffic logs to an Amazon Simple Storage Service bucket
This topic provides information for sending your protection pack (web ACL) traffic logs to an Amazon S3 bucket.
**Note**
You are charged for logging in addition to the charges for using AWS WAF. For information, see [Pricing for logging protection pack (web ACL) traffic information](logging-pricing.md).
To send your protection pack (web ACL) traffic logs to Amazon S3, you set up an Amazon S3 bucket from the same account as you use to manage the protection pack (web ACL), and you name the bucket starting with `aws-waf-logs-`. When you enable logging in AWS WAF, you provide the bucket name. For information about creating a logging bucket, see [Create a Bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/CreatingABucket.html) in the *Amazon Simple Storage Service User Guide*.
You can access and analyze your Amazon S3 logs using the Amazon Athena interactive query service. Athena makes it easy to analyze data directly in Amazon S3 using standard SQL. With a few actions in the AWS Management Console, you can point Athena at data stored in Amazon S3 and quickly begin using standard SQL to run ad-hoc queries and get results. For more information, see [Querying AWS WAF logs](https://docs.aws.amazon.com/athena/latest/ug/waf-logs.html) in the *Amazon Athena user guide*. For additional sample Amazon Athena queries, see [aws-samples/waf-log-sample-athena-queries](https://github.com/aws-samples/waf-log-sample-athena-queries) on the GitHub website.
**Note**
AWS WAF supports encryption with Amazon S3 buckets for key type Amazon S3 key (SSE-S3) and for AWS Key Management Service (SSE-KMS) AWS KMS keys. AWS WAF doesn't support encryption for AWS Key Management Service keys that are managed by AWS.
Log files from your protection pack (web ACL) are published to the Amazon S3 bucket at 5-minute intervals. Each log file contains log records for the traffic recorded in the previous 5 minutes.
The maximum file size for a log file is 75 MB. If the log file reaches the file size limit within the 5-minute period, the log stops adding records to it, publishes it to the Amazon S3 bucket, and then creates a new log file.
The log files are compressed. If you open the files using the Amazon S3 console, Amazon S3 decompresses the log records and displays them. If you download the log files, you must decompress them to view the records.
A single log file contains interleaved entries with multiple records. To see all the log files for a protection pack (web ACL), look for entries aggregated by the protection pack (web ACL) name, Region, and your account ID.
## Naming requirements and syntax
Bucket names for AWS WAF logging must start with `aws-waf-logs-` and can end with any suffix you want. For example, `aws-waf-logs-LOGGING-BUCKET-SUFFIX`.
**Bucket location**
The bucket locations use the following syntax:
```
s3://aws-waf-logs-LOGGING-BUCKET-SUFFIX/
```
**Bucket ARN**
The format of the bucket Amazon Resource Name (ARN) is as follows:
```
arn:aws:s3:::aws-waf-logs-LOGGING-BUCKET-SUFFIX
```
**Bucket locations with prefixes**
If you use prefixes in your object keys name to organize the data that you store in your buckets, you can provide your prefixes in your logging bucket names.
**Note**
This option is not available through the console. Use the AWS WAF APIs, CLI, or AWS CloudFormation.
For information about using prefixes in Amazon S3, see [Organizing objects using prefixes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-prefixes.html) in the *Amazon Simple Storage Service User Guide*.
The bucket locations with prefixes use the following syntax:
```
s3://aws-waf-logs-LOGGING-BUCKET-SUFFIX/KEY-NAME-PREFIX/
```
**Bucket folders and file names**
Inside your buckets, and following any prefixes that you provide, your AWS WAF logs are written under a folder structure that's determined by your account ID, the Region, the protection pack (web ACL) name, and the date and time.
```
AWSLogs/account-id/WAFLogs/Region/web-acl-name/YYYY/MM/dd/HH/mm
```
Inside the folders, the log file names follow a similar format:
```
account-id_waflogs_Region_web-acl-name_timestamp_hash.log.gz
```
The time specifications used in the folder structure and in the log file name adhere to the timestamp format specification `YYYYMMddTHHmmZ`.
The following shows an example log file in an Amazon S3 bucket for a bucket named `aws-waf-logs-LOGGING-BUCKET-SUFFIX`. The AWS account is `11111111111`. The protection pack (web ACL) is `TEST-WEBACL` and the Region is `us-east-1`.
```
s3://aws-waf-logs-LOGGING-BUCKET-SUFFIX/AWSLogs/11111111111/WAFLogs/us-east-1/TEST-WEBACL/2021/10/28/19/50/11111111111_waflogs_us-east-1_TEST-WEBACL_20211028T1950Z_e0ca43b5.log.gz
```
**Note**
Your bucket names for AWS WAF logging must start with `aws-waf-logs-` and can end with any suffix you want.
## Permissions required to publish logs to Amazon S3
Configuring protection pack (web ACL) traffic logging for an Amazon S3 bucket requires the following permissions settings. These permissions are set for you when you use one of the AWS WAF full access managed policies, `AWSWAFConsoleFullAccess` or `AWSWAFFullAccess`. If you want to further manage access to your logging and AWS WAF resources, you can set these permissions yourself. For information about managing permissions, see [Access management for AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access.html) in the *IAM User Guide*. For information about the AWS WAF managed policies, see [AWS managed policies for AWS WAF](security-iam-awsmanpol.md).
The following permissions allow you to change the protection pack (web ACL) logging configuration and to configure log delivery to your Amazon S3 bucket. These permissions must be attached to the user that you use to manage AWS WAF.
**Note**
When you set the permissions listed below, you might see errors in your AWS CloudTrail logs that indicate access denied, but the permissions are correct for AWS WAF logging.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Action":[
"wafv2:PutLoggingConfiguration",
"wafv2:DeleteLoggingConfiguration"
],
"Resource":[
"*"
],
"Effect":"Allow",
"Sid":"LoggingConfigurationAPI"
},
{
"Sid":"WebACLLogDelivery",
"Action":[
"logs:CreateLogDelivery",
"logs:DeleteLogDelivery"
],
"Resource": "*",
"Effect":"Allow"
},
{
"Sid":"WebACLLoggingS3",
"Action":[
"s3:PutBucketPolicy",
"s3:GetBucketPolicy"
],
"Resource": [
"arn:aws:s3:::aws-waf-logs-amzn-s3-demo-destination-bucket-suffix"
],
"Effect":"Allow"
}
]
}
```
------
When actions are permitted on all AWS resources, it's indicated in the policy with a `"Resource"` setting of `"*"`. This means that the actions are permitted on all AWS resources *that each action supports*. For example, the action `wafv2:PutLoggingConfiguration` is supported only for `wafv2` logging configuration resources.
By default, Amazon S3 buckets and the objects that they contain are private. Only the bucket owner can access the bucket and the objects stored in it. The bucket owner, however, can grant access to other resources and users by writing an access policy.
If the user creating the log owns the bucket, the service automatically attaches the following policy to the bucket to give the log permission to publish logs to it:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::aws-waf-logs-amzn-s3-demo-destination-bucket-suffix/AWSLogs/123456789012/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"aws:SourceAccount": ["123456789012"]
},
"ArnLike": {
"aws:SourceArn": ["arn:aws:logs:us-east-2:123456789012:*"]
}
}
},
{
"Sid": "AWSLogDeliveryAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::aws-waf-logs-amzn-s3-demo-destination-bucket-suffix",
"Condition": {
"StringEquals": {
"aws:SourceAccount": ["123456789012"]
},
"ArnLike": {
"aws:SourceArn": ["arn:aws:logs:us-east-2:123456789012:*"]
}
}
}
]
}
```
------
**Note**
Your bucket names for AWS WAF logging must start with `aws-waf-logs-` and can end with any suffix you want.
If the user creating the log doesn't own the bucket, or doesn't have the `GetBucketPolicy` and `PutBucketPolicy` permissions for the bucket, the log creation fails. In this case, the bucket owner must manually add the preceding policy to the bucket and specify the log creator's AWS account ID. For more information, see [How Do I Add an S3 Bucket Policy?](https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html) in the *Amazon Simple Storage Service User Guide*. If the bucket receives logs from multiple accounts, add a `Resource` element entry to the `AWSLogDeliveryWrite` policy statement for each account.
For example, the following bucket policy allows AWS account `111122223333` to publish logs to a bucket named `aws-waf-logs-LOGGING-BUCKET-SUFFIX`:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "AWSLogDeliveryWrite20150319",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::aws-waf-logs-amzn-s3-demo-destination-bucket-suffix/AWSLogs/111122223333/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"aws:SourceAccount": ["111122223333"]
},
"ArnLike": {
"aws:SourceArn": ["arn:aws:logs:us-east-1:111122223333:*"]
}
}
},
{
"Sid": "AWSLogDeliveryAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::aws-waf-logs-amzn-s3-demo-destination-bucket-suffix",
"Condition": {
"StringEquals": {
"aws:SourceAccount": ["111122223333"]
},
"ArnLike": {
"aws:SourceArn": ["arn:aws:logs:us-east-1:111122223333:*"]
}
}
}
]
}
```
------
**Note**
In some cases, you may see `AccessDenied` errors in AWS CloudTrail if the `s3:ListBucket` permission has not been granted to `delivery.logs.amazonaws.com`. To avoid these errors in your CloudTrail logs, you must grant the `s3:ListBucket` permission to `delivery.logs.amazonaws.com` and you must include the `Condition` parameters shown with the `s3:GetBucketAcl `permission set in the preceding bucket policy. To make this simpler, instead of creating a new `Statement`, you can directly update the `AWSLogDeliveryAclCheck` to be `“Action”: [“s3:GetBucketAcl”, “s3:ListBucket”]`.
## Permissions for using AWS Key Management Service with a KMS key
If your logging destination uses server-side encryption with keys that are stored in AWS Key Management Service (SSE-KMS) and you use a customer managed key (KMS key), you must give AWS WAF permission to use your KMS key. To do this, you add a key policy to the KMS key for your chosen destination. This permits AWS WAF logging to write your log files to your destination.
Add the following key policy to your KMS key to allow AWS WAF to log to your Amazon S3 bucket.
```
{
"Sid": "Allow AWS WAF to use the key",
"Effect": "Allow",
"Principal": {
"Service": [
"delivery.logs.amazonaws.com"
]
},
"Action": "kms:GenerateDataKey*",
"Resource": "*"
}
```
## Permissions required to access Amazon S3 log files
Amazon S3 uses access control lists (ACLs) to manage access to the log files created by an AWS WAF log. By default, the bucket owner has `FULL_CONTROL` permissions on each log file. The log delivery owner, if different from the bucket owner, has no permissions. The log delivery account has `READ` and `WRITE` permissions. For more information, see [Access Control List (ACL) Overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the *Amazon Simple Storage Service User Guide*.
# Sending protection pack (web ACL) traffic logs to an Amazon Data Firehose delivery stream
This section provides information for sending your protection pack (web ACL) traffic logs to an Amazon Data Firehose delivery stream.
**Note**
You are charged for logging in addition to the charges for using AWS WAF. For information, see [Pricing for logging protection pack (web ACL) traffic information](logging-pricing.md).
To send logs to Amazon Data Firehose, you send logs from your protection pack (web ACL) to an Amazon Data Firehose delivery stream which you configure in Firehose. After you enable logging, AWS WAF delivers logs to your storage destination through the HTTPS endpoint of Firehose.
One AWS WAF log is equivalent to one Firehose record. If you typically receive 10,000 requests per second and you enable full logs, you should have a 10,000 records per second setting in Firehose. If you don't configure Firehose correctly, AWS WAF won't record all logs. For more information, see [Amazon Kinesis Data Firehose quotas](https://docs.aws.amazon.com/firehose/latest/dev/limits.html).
For information about how to create an Amazon Data Firehose delivery stream and review your stored logs, see [What is Amazon Data Firehose?](https://docs.aws.amazon.com/firehose/latest/dev/what-is-this-service.html)
For information about creating your delivery stream, see [Creating an Amazon Data Firehose delivery stream](https://docs.aws.amazon.com/firehose/latest/dev/basic-create.html).
## Configuring an Amazon Data Firehose delivery stream for your protection pack (web ACL)
Configure an Amazon Data Firehose delivery stream for your protection pack (web ACL) as follows.
+ Create it using the same account as you use to manage the protection pack (web ACL).
+ Create it in the same Region as the protection pack (web ACL). If you are capturing logs for Amazon CloudFront, create the firehose in US East (N. Virginia) Region, `us-east-1`.
+ Give the data firehose a name that starts with the prefix `aws-waf-logs-`. For example, `aws-waf-logs-us-east-2-analytics`.
+ Configure it for direct put, which allows applications to access the delivery stream directly. In the [Amazon Data Firehose console](https://console.aws.amazon.com/firehose), for the delivery stream **Source** setting, choose **Direct PUT or other sources**. Through the API, set the delivery stream property `DeliveryStreamType` to `DirectPut`.
**Note**
Do not use a `Kinesis stream` as your source.
## Permissions required to publish logs to an Amazon Data Firehose delivery stream
To understand the permissions required for your Kinesis Data Firehose configuration, see [Controlling Access with Amazon Kinesis Data Firehose](https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html).
You must have the following permissions to successfully enable protection pack (web ACL) logging with an Amazon Data Firehose delivery stream.
+ `iam:CreateServiceLinkedRole`
+ `firehose:ListDeliveryStreams`
+ `wafv2:PutLoggingConfiguration`
For information about service-linked roles and the `iam:CreateServiceLinkedRole` permission, see [Using service-linked roles for AWS WAF](using-service-linked-roles.md).
# Configuring logging for a protection pack (web ACL)
This section provides instructions for configuring data protection for a protection pack (web ACL).
**Note**
You are charged for logging in addition to the charges for using AWS WAF. For information, see [Pricing for logging protection pack (web ACL) traffic information](logging-pricing.md).
To enable logging for a protection pack (web ACL), you must have already configured the logging destination that you're going to use. For information about your destination choices and the requirements for each, see [AWS WAF logging destinations](logging-destinations.md).
**To configure logging for a protection pack (web ACL)**
1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2).
1. In the navigation pane, choose **protection packs (web ACLs)**.
1. Choose the name of the protection pack (web ACL) that you want to enable logging for. The console takes you to the protection pack (web ACL)'s description, where you can edit it.
1. On the **Logging and metrics** tab, choose **Enable logging**.
1. Choose the logging destination type, and then choose the logging destination that you configured. You must choose a logging destination whose name begins with `aws-waf-logs-`.
1. (Optional) If you don't want some fields included in the logs, redact them. Choose the field to redact, and then choose **Add**. Repeat as necessary to redact additional fields. Redacted fields appear in the logs as `xxx`.
**Note**
This setting has no impact on request sampling. You can exclude fields from request sampling by configuring protection pack (web ACL) data protection or by disabling sampling for the protection pack (web ACL).
1. (Optional) If you don't want to send all requests to the logs, add your filtering criteria and behavior. Under **Filter logs**, for each filter that you want to apply, choose **Add filter**, then choose your filtering criteria and specify whether you want to keep or drop requests that match the criteria. When you finish adding filters, if needed, modify the **Default logging behavior**.
**Note**
If you add multiple filters, AWS WAF evaluates them starting from the top.
1. Choose **Enable logging**.
**Note**
When you successfully enable logging, AWS WAF will create a service-linked role with the necessary permissions to write logs to the logging destination. For more information, see [Using service-linked roles for AWS WAF](using-service-linked-roles.md).
# Finding your protection pack (web ACL) records
This section explains how to find your protection pack (web ACL) records.
**Note**
You are charged for logging in addition to the charges for using AWS WAF. For information, see [Pricing for logging protection pack (web ACL) traffic information](logging-pricing.md).
**If you can't find a log record in your logs**
On rare occasions, it's possible for AWS WAF log delivery to fall below 100%, with logs delivered on a best effort basis. The AWS WAF architecture prioritizes the security of your applications over all other considerations. In some situations, such as when logging flows experience traffic throttling, this can result in records being dropped. This shouldn't affect more than a few records. If you notice a number of missing log entries, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
In the logging configuration for your protection pack (web ACL), you can customize what AWS WAF sends to the logs.
+ **Field redaction** – You can redact the following fields from the log records for the rules that use the corresponding match settings: **URI path**, **Query string**, **Single header**, and **HTTP method**. Redacted fields appear as `REDACTED` in the logs. For example, if you redact the **Query string** field, in the logs, it will be listed as `REDACTED` for all rules that use the **Query string** match component setting. Redaction applies only to the request component that you specify for matching in the rule, so the redaction of the **Single header** component doesn't apply to rules that match on **Headers**. For a list of the log fields, see [Log fields for protection pack (web ACL) traffic](logging-fields.md).
**Note**
This setting has no impact on request sampling. You can exclude fields from request sampling by configuring protection pack (web ACL) data protection or by disabling sampling for the protection pack (web ACL).
+ **Log filtering** – You can add filtering to specify which web requests are kept in the logs and which are dropped. You filter on the settings that AWS WAF applies during the web request evaluation. You can filter on the following settings:
+ **Fully qualified label** – Fully qualified labels have a prefix, optional namespaces, and label name. The prefix identifies the rule group or protection pack (web ACL) context of the rule that added the label. For information about labels, see [Web request labeling in AWS WAF](waf-labels.md).
+ **Rule action** – You can filter on any normal rule action setting and also on the legacy `EXCLUDED_AS_COUNT` override option for rule group rules. For information about rule action settings, see [Using rule actions in AWS WAF](waf-rule-action.md). For information about current and legacy rule action overrides for rule group rules, see [Overriding rule group actions in AWS WAF](web-acl-rule-group-override-options.md).
+ The normal rule action filters apply to actions that are configured in rules and also to actions that are configured using the current option for overriding a rule group rule action.
+ The `EXCLUDED_AS_COUNT` log filter overlaps with the `Count` action log filter. `EXCLUDED_AS_COUNT` filters both the current and legacy options for overriding a rule group rule action to Count.
# Log fields for protection pack (web ACL) traffic
The following list describes the possible log fields.
**action**
The terminating action that AWS WAF applied to the request. This indicates either allow, block, CAPTCHA, or challenge. The CAPTCHA and Challenge actions are terminating when the web request doesn't contain a valid token.
**args**
The query string.
**captchaResponse**
The CAPTCHA action status for the request, populated when a CAPTCHA action is applied to the request. This field is populated for any CAPTCHA action, whether terminating or non-terminating. If a request has the CAPTCHA action applied multiple times, this field is populated from the last time the action was applied.
The CAPTCHA action terminates web request inspection when the request either doesn't include a token or the token is invalid or expired. If the CAPTCHA action is terminating, this field includes a response code and failure reason. If the action is non-terminating, this field includes a solve timestamp. To differentiate between a terminating and non-terminating action, you can filter for a non-empty `failureReason` attribute in this field.
**cfDistributionTenantId**
The identifier for the CloudFront distribution tenant associated with the web request. This field is optional and only applies to protection packs (web ACLs) associated with CloudFront distribution tenants.
**challengeResponse**
The challenge action status for the request, populated when a Challenge action is applied to the request. This field is populated for any Challenge action, whether terminating or non-terminating. If a request has the Challenge action applied multiple times, this field is populated from the last time the action was applied.
The Challenge action terminates web request inspection when the request either doesn't include a token or the token is invalid or expired. If the Challenge action is terminating, this field includes a response code and failure reason. If the action is non-terminating, this field includes a solve timestamp. To differentiate between a terminating and non-terminating action, you can filter for a non-empty `failureReason` attribute in this field.
**clientAsn**
The Autonomous System Number (ASN) associated with the IP address of the web request's origin.
**clientAsn** is logged in AWS WAF logs only when an ASN match statement is used. This field is not logged otherwise.
**clientIp**
The IP address of the client sending the request.
**country**
The source country of the request. If AWS WAF is unable to determine the country of origin, it sets this field to `-`.
**country**
The source country of the request. If AWS WAF is unable to determine the country of origin, it sets this field to `-`.
**excludedRules**
Used only for rule group rules. The list of rules in the rule group that you have excluded. The action for these rules is set to Count.
If you override a rule to count using the override rule action option, matches aren't listed here. They're listed as the action pairs `action` and `overriddenAction`.
exclusionType
A type that indicates that the excluded rule has the action Count.
ruleId
The ID of the rule within the rule group that is excluded.
**formatVersion**
The format version for the log.
**forwardedAsn**
The Autonomous System Number (ASN) associated with the IP address of from the entity that forwarded the web request.
**headers**
The list of headers.
**httpMethod**
The HTTP method in the request.
**httpRequest**
The metadata about the request.
**httpSourceId**
The ID of the associated resource:
+ For an Amazon CloudFront distribution, the ID is the `distribution-id` in the ARN syntax:
`arn:partitioncloudfront::account-id:distribution/distribution-id`
+ For an Application Load Balancer, the ID is the `load-balancer-id` in the ARN syntax:
`arn:partition:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id`
+ For an Amazon API Gateway REST API, the ID is the `api-id` in the ARN syntax:
`arn:partition:apigateway:region::/restapis/api-id/stages/stage-name`
+ For an AWS AppSync GraphQL API, the ID is the `GraphQLApiId` in the ARN syntax:
`arn:partition:appsync:region:account-id:apis/GraphQLApiId`
+ For an Amazon Cognito user pool, the ID is the `user-pool-id` in the ARN syntax:
`arn:partition:cognito-idp:region:account-id:userpool/user-pool-id`
+ For an AWS App Runner service, the ID is the `apprunner-service-id` in the ARN syntax:
`arn:partition:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id`
**httpSourceName**
The source of the request. Possible values: `CF` for Amazon CloudFront, `APIGW` for Amazon API Gateway, `ALB` for Application Load Balancer, `APPSYNC` for AWS AppSync, `COGNITOIDP` for Amazon Cognito, `APPRUNNER` for App Runner, and `VERIFIED_ACCESS` for Verified Access.
**httpVersion**
The HTTP version.
**ja3Fingerprint**
The JA3 fingerprint of the request.
JA3 fingerprint inspection is available only for Amazon CloudFront distributions and Application Load Balancers.
The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. AWS WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation.
You provide this value when you configure a JA3 fingerprint match in your protection pack (web ACL) rules. For information about creating a match against the JA3 fingerprint, see [JA3 fingerprint](waf-rule-statement-fields-list.md#waf-rule-statement-request-component-ja3-fingerprint) in the [Request components in AWS WAF](waf-rule-statement-fields-list.md) for a rule statement.
**ja4Fingerprint**
The JA4 fingerprint of the request.
JA4 fingerprint inspection is available only for Amazon CloudFront distributions and Application Load Balancers.
The JA4 fingerprint is a 36-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. AWS WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation.
You provide this value when you configure a JA4 fingerprint match in your protection pack (web ACL) rules. For information about creating a match against the JA4 fingerprint, see [JA4 fingerprint](waf-rule-statement-fields-list.md#waf-rule-statement-request-component-ja4-fingerprint) in the [Request components in AWS WAF](waf-rule-statement-fields-list.md) for a rule statement.
**labels**
The labels on the web request. These labels were applied by rules that were used to evaluate the request. AWS WAF logs the first 100 labels.
**nonTerminatingMatchingRules**
The list of non-terminating rules that matched the request. Each item in the list contains the following information.
action
The action that AWS WAF applied to the request. This indicates either count, CAPTCHA, or challenge. The CAPTCHA and Challenge are non-terminating when the web request contains a valid token.
ruleId
The ID of the rule that matched the request and was non-terminating.
ruleMatchDetails
Detailed information about the rule that matched the request. This field is only populated for SQL injection and cross-site scripting (XSS) match rule statements. A matching rule might require a match for more than one inspection criteria, so these match details are provided as an array of match criteria.
Any additional information provided for each rule varies according factors such as the rule configuration, rule match type, and details of the match. For example for rules with a CAPTCHA or Challenge action, the `captchaResponse` or `challengeResponse` will be listed. If the matching rule is in a rule group and you've overridden its configured rule action, the configured action will be provided in `overriddenAction`.
**oversizeFields**
The list of fields in the web request that were inspected by the protection pack (web ACL) and that are over the AWS WAF inspection limit. If a field is oversize but the protection pack (web ACL) doesn't inspect it, it won't be listed here.
This list can contain zero or more of the following values: `REQUEST_BODY`, `REQUEST_JSON_BODY`, `REQUEST_HEADERS`, and `REQUEST_COOKIES`. For more information about oversize fields, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md).
**rateBasedRuleList**
The list of rate-based rules that acted on the request. For information about rate-based rules, see [Using rate-based rule statements in AWS WAF](waf-rule-statement-type-rate-based.md).
rateBasedRuleId
The ID of the rate-based rule that acted on the request. If this has terminated the request, the ID for `rateBasedRuleId` is the same as the ID for `terminatingRuleId`.
rateBasedRuleName
The name of the rate-based rule that acted on the request.
limitKey
The type of aggregation that the rule is using. Possible values are `IP` for web request origin, `FORWARDED_IP` for an IP forwarded in a header in the request, `CUSTOMKEYS` for custom aggregate key settings. and `CONSTANT` for count all requests together, with no aggregation.
limitValue
Used only when rate limiting by a single IP address type. If a request contains an IP address that isn't valid, the `limitvalue` is `INVALID`.
maxRateAllowed
The maximum number of requests allowed in the specified time window for a specific aggregation instance. The aggregation instance is defined by the `limitKey` plus any additional key specifications that you've provided in the rate-based rule configuration.
evaluationWindowSec
The amount of time that AWS WAF included in its request counts, in seconds.
customValues
Unique values identified by the rate-based rule in the request. For string values, the logs print the first 32 characters of the string value. Depending on the key type, these values might be for just a key, such as for HTTP method or query string, or they might be for a key and name, such as for header and the header name.
**requestHeadersInserted**
The list of headers inserted for custom request handling.
**requestId**
The ID of the request, which is generated by the underlying host service. For Application Load Balancer, this is the trace ID. For all others, this is the request ID.
**responseCodeSent**
The response code sent with a custom response.
**ruleGroupId**
The ID of the rule group. If the rule blocked the request, the ID for `ruleGroupID` is the same as the ID for `terminatingRuleId`.
**ruleGroupList**
The list of rule groups that acted on this request, with match information.
**terminatingRule**
The rule that terminated the request. If this is present, it contains the following information.
action
The terminating action that AWS WAF applied to the request. This indicates either allow, block, CAPTCHA, or challenge. The CAPTCHA and Challenge actions are terminating when the web request doesn't contain a valid token.
ruleId
The ID of the rule that matched the request.
ruleMatchDetails
Detailed information about the rule that matched the request. This field is only populated for SQL injection and cross-site scripting (XSS) match rule statements. A matching rule might require a match for more than one inspection criteria, so these match details are provided as an array of match criteria.
Any additional information provided for each rule varies according factors such as the rule configuration, rule match type, and details of the match. For example for rules with a CAPTCHA or Challenge action, the `captchaResponse` or `challengeResponse` will be listed. If the matching rule is in a rule group and you've overridden its configured rule action, the configured action will be provided in `overriddenAction`.
**terminatingRuleId**
The ID of the rule that terminated the request. If nothing terminates the request, the value is `Default_Action`.
**terminatingRuleMatchDetails**
Detailed information about the terminating rule that matched the request. A terminating rule has an action that ends the inspection process against a web request. Possible actions for a terminating rule include Allow, Block, CAPTCHA, and Challenge. During the inspection of a web request, at the first rule that matches the request and that has a terminating action, AWS WAF stops the inspection and applies the action. The web request might contain other threats, in addition to the one that's reported in the log for the matching terminating rule.
This is only populated for SQL injection and cross-site scripting (XSS) match rule statements. The matching rule might require a match for more than one inspection criteria, so these match details are provided as an array of match criteria.
**terminatingRuleType**
The type of rule that terminated the request. Possible values: RATE\$1BASED, REGULAR, GROUP, and MANAGED\$1RULE\$1GROUP.
**timestamp**
The timestamp in milliseconds.
**uri**
The URI of the request.
**fragment**
The part of a URL that follows the "\$1" symbol, providing additional information about the resource, for example, \$1section2.
**webaclId**
The GUID of the protection pack (web ACL).
# Log examples for protection pack (web ACL) traffic
This section provides examples for logging protection pack (web ACL) traffic.
**Example Rate-based rule 1: Rule configuration with one key, set to `Header:dogname`**
```
{
"Name": "RateBasedRule",
"Priority": 1,
"Statement": {
"RateBasedStatement": {
"Limit": 100,
"AggregateKeyType": "CUSTOM_KEYS",
"CustomKeys": [
{
"Header": {
"Name": "dogname",
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
]
}
}
]
}
},
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "RateBasedRule"
}
}
```
**Example Rate-based rule 1: Log entry for request blocked by rate-based rule**
```
{
"timestamp":1683355579981,
"formatVersion":1,
"webaclId": ...,
"terminatingRuleId":"RateBasedRule",
"terminatingRuleType":"RATE_BASED",
"action":"BLOCK",
"terminatingRuleMatchDetails":[
],
"httpSourceName":"APIGW",
"httpSourceId":"EXAMPLE11:rjvegx5guh:CanaryTest",
"ruleGroupList":[
],
"rateBasedRuleList":[
{
"rateBasedRuleId": ...,
"rateBasedRuleName":"RateBasedRule",
"limitKey":"CUSTOMKEYS",
"maxRateAllowed":100,
"evaluationWindowSec":"120",
"customValues":[
{
"key":"HEADER",
"name":"dogname",
"value":"ella"
}
]
}
],
"nonTerminatingMatchingRules":[
],
"requestHeadersInserted":null,
"responseCodeSent":null,
"httpRequest":{
"clientIp":"52.46.82.45",
"country":"FR",
"headers":[
{
"name":"X-Forwarded-For",
"value":"52.46.82.45"
},
{
"name":"X-Forwarded-Proto",
"value":"https"
},
{
"name":"X-Forwarded-Port",
"value":"443"
},
{
"name":"Host",
"value":"rjvegx5guh.execute-api.eu-west-3.amazonaws.com"
},
{
"name":"X-Amzn-Trace-Id",
"value":"Root=1-645566cf-7cb058b04d9bb3ee01dc4036"
},
{
"name":"dogname",
"value":"ella"
},
{
"name":"User-Agent",
"value":"RateBasedRuleTestKoipOneKeyModulePV2"
},
{
"name":"Accept-Encoding",
"value":"gzip,deflate"
}
],
"uri":"/CanaryTest",
"args":"",
"httpVersion":"HTTP/1.1",
"httpMethod":"GET",
"requestId":"Ed0AiHF_CGYF-DA="
}
}
```
**Example Rate-based rule 2: Rule configuration with two keys, set to `Header:dogname` and `Header:catname`**
```
{
"Name": "RateBasedRule",
"Priority": 1,
"Statement": {
"RateBasedStatement": {
"Limit": 100,
"AggregateKeyType": "CUSTOM_KEYS",
"CustomKeys": [
{
"Header": {
"Name": "dogname",
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
]
}
},
{
"Header": {
"Name": "catname",
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
]
}
}
]
}
},
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "RateBasedRule"
}
}
```
**Example Rate-based rule 2: Log entry for request blocked by rate-based rule**
```
{
"timestamp":1633322211194,
"formatVersion":1,
"webaclId":...,
"terminatingRuleId":"RateBasedRule",
"terminatingRuleType":"RATE_BASED",
"action":"BLOCK",
"terminatingRuleMatchDetails":[
],
"httpSourceName":"APIGW",
"httpSourceId":"EXAMPLE11:rjvegx5guh:CanaryTest",
"ruleGroupList":[
],
"rateBasedRuleList":[
{
"rateBasedRuleId":...,
"rateBasedRuleName":"RateBasedRule",
"limitKey":"CUSTOMKEYS",
"maxRateAllowed":100,
"evaluationWindowSec":"120",
"customValues":[
{
"key":"HEADER",
"name":"dogname",
"value":"ella"
},
{
"key":"HEADER",
"name":"catname",
"value":"goofie"
}
]
}
],
"nonTerminatingMatchingRules":[
],
"requestHeadersInserted":null,
"responseCodeSent":null,
"httpRequest":{
"clientIp":"52.46.82.35",
"country":"FR",
"headers":[
{
"name":"X-Forwarded-For",
"value":"52.46.82.35"
},
{
"name":"X-Forwarded-Proto",
"value":"https"
},
{
"name":"X-Forwarded-Port",
"value":"443"
},
{
"name":"Host",
"value":"23llbyn8v3.execute-api.eu-west-3.amazonaws.com"
},
{
"name":"X-Amzn-Trace-Id",
"value":"Root=1-64556629-17ac754c2ed9f0620e0f2a0c"
},
{
"name":"catname",
"value":"goofie"
},
{
"name":"dogname",
"value":"ella"
},
{
"name":"User-Agent",
"value":"Apache-HttpClient/UNAVAILABLE (Java/11.0.19)"
},
{
"name":"Accept-Encoding",
"value":"gzip,deflate"
}
],
"uri":"/CanaryTest",
"args":"",
"httpVersion":"HTTP/1.1",
"httpMethod":"GET",
"requestId":"EdzmlH5OCGYF1vQ="
}
}
```
**Example Log output for a rule that triggered on SQLi detection (terminating)**
```
{
"timestamp": 1576280412771,
"formatVersion": 1,
"webaclId": "arn:aws:wafv2:ap-southeast-2:111122223333:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE",
"terminatingRuleId": "STMTest_SQLi_XSS",
"terminatingRuleType": "REGULAR",
"action": "BLOCK",
"terminatingRuleMatchDetails": [
{
"conditionType": "SQL_INJECTION",
"sensitivityLevel": "HIGH",
"location": "HEADER",
"matchedData": [
"10",
"AND",
"1"
]
}
],
"httpSourceName": "-",
"httpSourceId": "-",
"ruleGroupList": [],
"rateBasedRuleList": [],
"nonTerminatingMatchingRules": [],
"httpRequest": {
"clientIp": "1.1.1.1",
"country": "AU",
"headers": [
{
"name": "Host",
"value": "localhost:1989"
},
{
"name": "User-Agent",
"value": "curl/7.61.1"
},
{
"name": "Accept",
"value": "*/*"
},
{
"name": "x-stm-test",
"value": "10 AND 1=1"
}
],
"uri": "/myUri",
"args": "",
"httpVersion": "HTTP/1.1",
"httpMethod": "GET",
"requestId": "rid"
},
"labels": [
{
"name": "value"
}
]
}
```
**Example Log output for a rule that triggered on SQLi detection (non-terminating)**
```
{
"timestamp":1592357192516
,"formatVersion":1
,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9"
,"terminatingRuleId":"Default_Action"
,"terminatingRuleType":"REGULAR"
,"action":"ALLOW"
,"terminatingRuleMatchDetails":[]
,"httpSourceName":"-"
,"httpSourceId":"-"
,"ruleGroupList":[]
,"rateBasedRuleList":[]
,"nonTerminatingMatchingRules":
[{
"ruleId":"TestRule"
,"action":"COUNT"
,"ruleMatchDetails":
[{
"conditionType":"SQL_INJECTION"
,"sensitivityLevel": "HIGH"
,"location":"HEADER"
,"matchedData":[
"10"
,"and"
,"1"]
}]
}]
,"httpRequest":{
"clientIp":"3.3.3.3"
,"country":"US"
,"headers":[
{"name":"Host","value":"localhost:1989"}
,{"name":"User-Agent","value":"curl/7.61.1"}
,{"name":"Accept","value":"*/*"}
,{"name":"myHeader","myValue":"10 AND 1=1"}
]
,"uri":"/myUri","args":""
,"httpVersion":"HTTP/1.1"
,"httpMethod":"GET"
,"requestId":"rid"
},
"labels": [
{
"name": "value"
}
]
}
```
**Example Log output for multiple rules that triggered inside a rule group (RuleA-XSS is terminating and Rule-B is non-terminating)**
```
{
"timestamp":1592361810888,
"formatVersion":1,
"webaclId":"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9"
,"terminatingRuleId":"RG-Reference"
,"terminatingRuleType":"GROUP"
,"action":"BLOCK",
"terminatingRuleMatchDetails":
[{
"conditionType":"XSS"
,"location":"HEADER"
,"matchedData":["<","frameset"]
}]
,"httpSourceName":"-"
,"httpSourceId":"-"
,"ruleGroupList":
[{
"ruleGroupId":"arn:aws:wafv2:us-east-1:123456789012:global/rulegroup/hello-world/c05lb698-1f11-4m41-aef4-99a506d53f4b"
,"terminatingRule":{
"ruleId":"RuleA-XSS"
,"action":"BLOCK"
,"ruleMatchDetails":null
}
,"nonTerminatingMatchingRules":
[{
"ruleId":"RuleB-SQLi"
,"action":"COUNT"
,"ruleMatchDetails":
[{
"conditionType":"SQL_INJECTION"
,"sensitivityLevel": "LOW"
,"location":"HEADER"
,"matchedData":[
"10"
,"and"
,"1"]
}]
}]
,"excludedRules":null
}]
,"rateBasedRuleList":[]
,"nonTerminatingMatchingRules":[]
,"httpRequest":{
"clientIp":"3.3.3.3"
,"country":"US"
,"headers":
[
{"name":"Host","value":"localhost:1989"}
,{"name":"User-Agent","value":"curl/7.61.1"}
,{"name":"Accept","value":"*/*"}
,{"name":"myHeader1","value":"