Querying Amazon Network Firewall logs
Amazon Network Firewall is a managed service that you can use to deploy essential network protections for your Amazon Virtual Private Cloud instances. Amazon Network Firewall works together with Amazon Firewall Manager so that you can build policies based on Amazon Network Firewall rules and then apply those policies centrally across your VPCs and accounts. For more information about Amazon Network Firewall, see Amazon Network Firewall.
You can configure Amazon Network Firewall logging for the traffic that you forward to the firewall's stateful rules engine. Logging gives you detailed information about network traffic, including the time the stateful engine received a packet, details about the packet, and any stateful rule action taken on the packet. Logs are published to the log destination that you configure, where you can retrieve and view them. For more information, see Logging network traffic from Amazon Network Firewall in the Amazon Network Firewall Developer Guide.
Creating a table for alert logs
1. Modify the example DDL statement below to match the structure of your alert logs. You might need to update the statement to include the columns of the latest log version. For more information, see Contents of a firewall log in the Amazon Network Firewall Developer Guide.

   CREATE EXTERNAL TABLE network_firewall_alert_logs (
     firewall_name string,
     availability_zone string,
     event_timestamp string,
     event struct<
       timestamp:string,
       flow_id:bigint,
       event_type:string,
       src_ip:string,
       src_port:int,
       dest_ip:string,
       dest_port:int,
       proto:string,
       app_proto:string,
       tls_inspected:boolean,
       alert:struct<
         alert_id:string,
         alert_type:string,
         action:string,
         signature_id:int,
         rev:int,
         signature:string,
         category:string,
         severity:int,
         rule_name:string,
         alert_name:string,
         alert_severity:string,
         alert_description:string,
         file_name:string,
         file_hash:string,
         packet_capture:string,
         reference_links:array<string>
       >,
       src_country:string,
       dest_country:string,
       src_hostname:string,
       dest_hostname:string,
       user_agent:string,
       url:string
     >
   )
   ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
   LOCATION 's3://DOC-EXAMPLE-BUCKET/path_to_alert_logs_folder/';

2. Modify the LOCATION clause to specify your log folder in Amazon S3.
3. Run the CREATE TABLE query in the Athena query editor. When the query completes, Athena registers the network_firewall_alert_logs table, making the data it points to available for queries.
Example queries for alert logs
The example alert log query in this section filters for events where TLS inspection was performed and the alert severity level is 2 or greater.
The query uses aliases to create output column headers that show which struct each column belongs to. For example, the column header for the event.alert.category field is event_alert_category rather than just category. To customize the column names further, modify the aliases to your preference. For example, you can use underscores or other separators between the struct name and the field name.
Remember to modify the column names and struct references according to your table definition and the fields you want in the query results.

SELECT
  firewall_name,
  availability_zone,
  event_timestamp,
  event.timestamp AS event_event_timestamp,  -- aliased so it does not collide with the top-level event_timestamp column
  event.flow_id AS event_flow_id,
  event.event_type AS event_type,
  event.src_ip AS event_src_ip,
  event.src_port AS event_src_port,
  event.dest_ip AS event_dest_ip,
  event.dest_port AS event_dest_port,
  event.proto AS event_proto,
  event.app_proto AS event_app_proto,
  event.tls_inspected AS event_tls_inspected,
  event.alert.alert_id AS event_alert_alert_id,
  event.alert.alert_type AS event_alert_alert_type,
  event.alert.action AS event_alert_action,
  event.alert.signature_id AS event_alert_signature_id,
  event.alert.rev AS event_alert_rev,
  event.alert.signature AS event_alert_signature,
  event.alert.category AS event_alert_category,
  event.alert.severity AS event_alert_severity,
  event.alert.rule_name AS event_alert_rule_name,
  event.alert.alert_name AS event_alert_alert_name,
  event.alert.alert_severity AS event_alert_alert_severity,
  event.alert.alert_description AS event_alert_alert_description,
  event.alert.file_name AS event_alert_file_name,
  event.alert.file_hash AS event_alert_file_hash,
  event.alert.packet_capture AS event_alert_packet_capture,
  event.alert.reference_links AS event_alert_reference_links,
  event.src_country AS event_src_country,
  event.dest_country AS event_dest_country,
  event.src_hostname AS event_src_hostname,
  event.dest_hostname AS event_dest_hostname,
  event.user_agent AS event_user_agent,
  event.url AS event_url
FROM network_firewall_alert_logs
WHERE event.alert.severity >= 2
  AND event.tls_inspected = true
LIMIT 10;
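The row-level query above is useful for triage, but for monitoring you usually want to know which signatures fire most and whether the firewall allowed or blocked the matching traffic. The following aggregation is an added example, not from the Athena documentation; it runs against the network_firewall_alert_logs table defined above and assumes the top-level event_timestamp column holds the epoch-seconds string that Network Firewall writes, so it is cast to a timestamp to restrict the query to the last seven days.

```sql
-- Added example (not from the original page): alert volume per signature and
-- action over the last 7 days, with the spread of source and destination hosts.
-- Assumes event_timestamp is an epoch-seconds string, as in the DDL above.
SELECT
  event.alert.signature_id      AS event_alert_signature_id,
  event.alert.signature         AS event_alert_signature,
  event.alert.action            AS event_alert_action,
  min(event.alert.severity)     AS min_severity,
  count(*)                      AS alert_count,
  count(DISTINCT event.src_ip)  AS distinct_src_ips,
  count(DISTINCT event.dest_ip) AS distinct_dest_ips,
  min(from_unixtime(cast(event_timestamp AS bigint))) AS first_seen,
  max(from_unixtime(cast(event_timestamp AS bigint))) AS last_seen
FROM network_firewall_alert_logs
WHERE event.event_type = 'alert'
  AND from_unixtime(cast(event_timestamp AS bigint)) >= current_timestamp - interval '7' day
GROUP BY event.alert.signature_id, event.alert.signature, event.alert.action
ORDER BY alert_count DESC
LIMIT 25;
```

A signature with a high alert_count but a single distinct_src_ips value points at one noisy host; a low count spread across many sources is the more interesting pattern to review. Scanning the whole table by time is fine for small log volumes; for large ones, partition the table by date and add the partition column to the WHERE clause so Athena reads only the relevant objects.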
Creating a table for netflow logs
1. Modify the example DDL statement below to match the structure of your netflow logs. You might need to update the statement to include the columns of the latest log version. For more information, see Contents of a firewall log in the Amazon Network Firewall Developer Guide.

   CREATE EXTERNAL TABLE network_firewall_netflow_logs (
     firewall_name string,
     availability_zone string,
     event_timestamp string,
     event struct<
       timestamp:string,
       flow_id:bigint,
       event_type:string,
       src_ip:string,
       src_port:int,
       dest_ip:string,
       dest_port:int,
       proto:string,
       app_proto:string,
       netflow:struct<
         pkts:int,
         bytes:bigint,
         start:string,
         `end`:string,
         age:int,
         min_ttl:int,
         max_ttl:int,
         tcp_flags:struct<
           syn:boolean,
           fin:boolean,
           rst:boolean,
           psh:boolean,
           ack:boolean,
           urg:boolean
         >,
         tls_inspected:boolean
       >
     >
   )
   ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
   LOCATION 's3://DOC-EXAMPLE-BUCKET/path_to_netflow_logs_folder/';

2. Modify the LOCATION clause to specify your log folder in Amazon S3.
3. Run the CREATE TABLE query in the Athena query editor. When the query completes, Athena registers the network_firewall_netflow_logs table, making the data it points to available for queries.
Example queries for netflow logs
The example netflow log query in this section filters for events where TLS inspection was performed.
The query uses aliases to create output column headers that show which struct each column belongs to. For example, the column header for the event.netflow.bytes field is event_netflow_bytes rather than just bytes. To customize the column names further, modify the aliases to your preference. For example, you can use underscores or other separators between the struct name and the field name.
Remember to modify the column names and struct references according to your table definition and the fields you want in the query results.

SELECT
  event.src_ip AS event_src_ip,
  event.dest_ip AS event_dest_ip,
  event.proto AS event_proto,
  event.app_proto AS event_app_proto,
  event.netflow.pkts AS event_netflow_pkts,
  event.netflow.bytes AS event_netflow_bytes,
  event.netflow.tcp_flags.syn AS event_netflow_tcp_flags_syn,
  event.netflow.tls_inspected AS event_netflow_tls_inspected
FROM network_firewall_netflow_logs
WHERE event.netflow.tls_inspected = true;
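Netflow records are most useful once they are summarized per conversation rather than read one flow at a time. The following query is an added example, not from the Athena documentation; it runs against the network_firewall_netflow_logs table defined above, assumes event_timestamp is the epoch-seconds string that Network Firewall writes, and reports, for each source/destination/protocol triple over the last day, total bytes and packets, the number of flows, how many of those flows were TLS-inspected, and how many carried a SYN without an ACK (half-open connections, which is worth a look when one source shows many of them across many destinations).

```sql
-- Added example (not from the original page): per-conversation traffic summary
-- from the netflow table for the last 24 hours. tcp_flags is NULL for non-TCP
-- flows, so the CASE expression yields 0 for those rows.
-- Assumes event_timestamp is an epoch-seconds string, as in the DDL above.
SELECT
  event.src_ip                AS event_src_ip,
  event.dest_ip               AS event_dest_ip,
  event.proto                 AS event_proto,
  count(*)                    AS flow_count,
  sum(event.netflow.bytes)    AS total_bytes,
  sum(event.netflow.pkts)     AS total_pkts,
  max(event.netflow.age)      AS max_flow_age,        -- age as reported in the netflow record
  count_if(event.netflow.tls_inspected) AS tls_inspected_flows,
  sum(CASE
        WHEN event.netflow.tcp_flags.syn AND NOT event.netflow.tcp_flags.ack THEN 1
        ELSE 0
      END)                    AS syn_only_flows
FROM network_firewall_netflow_logs
WHERE event.event_type = 'netflow'
  AND from_unixtime(cast(event_timestamp AS bigint)) >= current_timestamp - interval '1' day
GROUP BY event.src_ip, event.dest_ip, event.proto
ORDER BY total_bytes DESC
LIMIT 25;
```

Swap ORDER BY total_bytes DESC for ORDER BY syn_only_flows DESC to surface sources that open many connections that never complete, and compare tls_inspected_flows with flow_count to confirm that the traffic you expect to be inspected actually is.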