Query Amazon WAF logs - Amazon Athena
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Query Amazon WAF logs

Amazon WAF is a web application firewall that lets you monitor and control the HTTP and HTTPS requests that your protected web applications receive from clients. You define how to handle the web requests by configuring rules inside an Amazon WAF web access control list (ACL). You then protect a web application by associating a web ACL to it. Examples of web application resources that you can protect with Amazon WAF include Amazon CloudFront distributions, Amazon API Gateway REST APIs, and Application Load Balancers. For more information about Amazon WAF, see Amazon WAF in the Amazon WAF developer guide.

Amazon WAF logs include information about the traffic that is analyzed by your web ACL, such as the time that Amazon WAF received the request from your Amazon resource, detailed information about the request, and the action for the rule that each request matched.

You can configure an Amazon WAF web ACL to publish logs to one of several destinations, where you can query and view them. For more information about configuring web ACL logging and the contents of the Amazon WAF logs, see Logging Amazon WAF web ACL traffic in the Amazon WAF developer guide.

For information on how to use Athena to analyze Amazon WAF logs for insights into threat detection and potential security attacks, see the Amazon Networking & Content Delivery Blog post How to use Amazon Athena queries to analyze Amazon WAF logs and provide the visibility needed for threat detection.

For an example of how to aggregate Amazon WAF logs into a central data lake repository and query them with Athena, see the Amazon Big Data Blog post Analyzing Amazon WAF logs with OpenSearch Service, Amazon Athena, and Amazon QuickSight.

This topic provides two example CREATE TABLE statements: one that uses partitioning and one that does not.

Note

The CREATE TABLE statements in this topic can be used for both v1 and v2 Amazon WAF logs. In v1, the webaclid field contains an ID. In v2, the webaclid field contains a full ARN. The CREATE TABLE statements here treat this content agnostically by using the string data type.