Enabling logging for a web ACL - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced

Enabling logging for a web ACL

This section provides instructions for enabling logging for a web ACL.

Note

You are charged for logging in addition to the charges for using Amazon WAF. For information, see Pricing for logging web ACL traffic information.

To enable logging for a web ACL, you must have already configured a logging destination. For information about your destination choices and the requirements for each, see Amazon WAF logging destinations.

To enable logging for a web ACL
  1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at https://console.amazonaws.cn/wafv2/.

  2. In the navigation pane, choose Web ACLs.

  3. Choose the name of the web ACL that you want to enable logging for. The console takes you to the web ACL's description, where you can edit it.

  4. On the Logging tab, choose Enable logging.

  5. Choose the logging destination type, and then choose the logging destination that you configured. You must choose a logging destination whose name begins with aws-waf-logs-.

  6. (Optional) If you don't want some fields included in the logs, redact them. Choose the field to redact, and then choose Add. Repeat as necessary to redact additional fields.

    Note

    This setting has no impact on request sampling. With request sampling, the only way to exclude fields is by disabling sampling for the web ACL.

  7. (Optional) If you don't want to send all requests to the logs, add your filtering criteria and behavior. Under Filter logs, for each filter that you want to apply, choose Add filter, then choose your filtering criteria and specify whether you want to keep or drop requests that match the criteria. When you finish adding filters, if needed, modify the Default logging behavior.

  8. Choose Enable logging.

    Note

    When you successfully enable logging, Amazon WAF will create a service-linked role with the necessary permissions to write logs to the logging destination. For more information, see Using service-linked roles for Amazon WAF.
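The console procedure above corresponds to one `LoggingConfiguration` passed to the WAFV2 `PutLoggingConfiguration` API. The following Python sketch is an added example, not part of the original documentation: it checks the `aws-waf-logs-` naming rule from step 5 before building the configuration with redacted headers (step 6) and a keep/drop filter (step 7). The helper names, account ID, Region, and ARNs are constructed for illustration; `boto3` is only needed for the final call.

```python
PREFIX = "aws-waf-logs-"

def destination_name(arn):
    """Return the resource name from a Firehose, CloudWatch Logs, or S3 ARN."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    service, resource = parts[2], parts[5]
    if service == "firehose":            # deliverystream/<name>
        return resource.split("/", 1)[-1]
    if service == "logs":                # log-group:<name>
        return resource.split(":", 1)[-1]
    if service == "s3":                  # <bucket>[/prefix]
        return resource.split("/", 1)[0]
    raise ValueError(f"unsupported logging destination service: {service}")

def build_logging_config(web_acl_arn, destination_arn,
                         redact_headers=(), keep_actions=()):
    """Build the LoggingConfiguration; refuse a badly named destination."""
    name = destination_name(destination_arn)
    if not name.startswith(PREFIX):
        raise ValueError(f"destination {name!r} must begin with {PREFIX}")
    config = {
        "ResourceArn": web_acl_arn,
        "LogDestinationConfigs": [destination_arn],
        # Step 6: redact fields, here a list of header names.
        "RedactedFields": [{"SingleHeader": {"Name": h}} for h in redact_headers],
    }
    if keep_actions:
        # Step 7: keep requests with these rule actions, drop the rest.
        config["LoggingFilter"] = {
            "DefaultBehavior": "DROP",
            "Filters": [{
                "Behavior": "KEEP",
                "Requirement": "MEETS_ANY",
                "Conditions": [{"ActionCondition": {"Action": a}}
                               for a in keep_actions],
            }],
        }
    return config

def enable_logging(config, region):
    """Step 8: apply the configuration (requires boto3 and credentials)."""
    import boto3  # imported here so the builder can be checked offline
    client = boto3.client("wafv2", region_name=region)
    return client.put_logging_configuration(LoggingConfiguration=config)
```

Redaction configured this way applies to the logs only; as the note in step 6 says, it does not affect sampled requests.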