Sending web ACL traffic logs to a Amazon CloudWatch Logs log group
This topic provides information for sending your web ACL traffic logs to a CloudWatch Logs log group.
Note
You are charged for logging in addition to the charges for using Amazon WAF. For information, see Pricing for logging web ACL traffic information.
To send logs to Amazon CloudWatch Logs, you create a CloudWatch Logs log group. When you enable logging in Amazon WAF, you provide the log group ARN. After you enable logging for your web ACL, Amazon WAF delivers logs to the CloudWatch Logs log group in log streams.
When you use CloudWatch Logs, you can explore the logs for your web ACL in the Amazon WAF console. In your web ACL page, select the tab Logging insights. This option is in addition to the logging insights that are provided for CloudWatch Logs through the CloudWatch console.
Configure the log group for Amazon WAF web ACL logs in the same Region as the web ACL and using the same account as you use to manage the web ACL. For information about configuring a CloudWatch Logs log group, see Working with Log Groups and Log Streams.
Quotas for CloudWatch Logs log groups
CloudWatch Logs has a default maximum quota for throughput, shared across all log groups within a region, which you can request to increase.
If your logging requirements are too high for the current throughput setting, you'll see throttling metrics for PutLogEvents
for your account. To view the limit in the Service Quotas console and request an increase, see the CloudWatch Logs PutLogEvents quota
Log group naming
Your log group names must start with aws-waf-logs-
and can end
with any suffix you like, for example,
aws-waf-logs-testLogGroup2
.
The resulting ARN format is as follows:
arn:aws:logs:
Region
:account-id
:log-group:aws-waf-logs-log-group-suffix
The log streams have the following naming format:
Region
_web-acl-name
_log-stream-number
The following shows an example log stream for web ACL TestWebACL
in
Region us-east-1
.
us-east-1_TestWebACL_0
Permissions required to publish logs to CloudWatch Logs
Configuring web ACL traffic logging for a CloudWatch Logs log group requires the
permissions settings described in this section. The permissions are set for you when you use
one of the Amazon WAF full access managed policies,
AWSWAFConsoleFullAccess
or AWSWAFFullAccess
. If
you want to manage finer-grained access to your logging and Amazon WAF resources, you
can set the permissions yourself. For information about managing permissions,
see Access
management for Amazon resources in the
IAM User Guide. For information about the Amazon WAF
managed policies, see Amazon managed policies for Amazon WAF.
These permissions allow you to change the web ACL logging configuration, to configure log delivery for CloudWatch Logs, and to retrieve information about your log group. These permissions must be attached to the user that you use to manage Amazon WAF.
{ "Version":"2012-10-17", "Statement":[ { "Action":[ "wafv2:PutLoggingConfiguration", "wafv2:DeleteLoggingConfiguration" ], "Resource":[ "*" ], "Effect":"Allow", "Sid":"LoggingConfigurationAPI" } { "Sid":"WebACLLoggingCWL", "Action":[ "logs:CreateLogDelivery", "logs:DeleteLogDelivery", "logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DescribeLogGroups" ], "Resource":[ "*" ], "Effect":"Allow" } ] }
When actions are permitted on all Amazon resources, it's indicated in the policy
with a "Resource"
setting of "*"
. This means that the
actions are permitted on all Amazon resources that each action
supports. For example, the action
wafv2:PutLoggingConfiguration
is supported only for wafv2
logging configuration resources.