Web ACL logging configuration - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Web ACL logging configuration

You can enable and disable logging for a web ACL at any time.


You are charged for logging in addition to the charges for using Amazon WAF. For information, see Pricing for logging web ACL traffic information.

If you can't find a log record in your logs

On rare occasions, it's possible for Amazon WAF log delivery to fall below 100%, with logs delivered on a best effort basis. The Amazon WAF architecture prioritizes the security of your applications over all other considerations. In some situations, such as when logging flows experience traffic throttling, this can result in records being dropped. This shouldn't affect more than a few records. If you notice a number of missing log entries, contact the Amazon Web Services Support Center.

In the logging configuration for your web ACL, you can customize what Amazon WAF sends to the logs.

  • Field redaction – You can redact the following fields from the log records for the rules that use the corresponding match settings: URI path, Query string, Single header, and HTTP method. Redacted fields appear as REDACTED in the logs. For example, if you redact the Query string field, in the logs, it will be listed as REDACTED for all rules that use the Query string match component setting. Redaction applies only to the request component that you specify for matching in the rule, so the redaction of the Single header component doesn't apply to rules that match on Headers. For a list of the log fields, see Log fields.


    This setting has no impact on request sampling. With request sampling, the only way to exclude fields is by disabling sampling for the web ACL.

  • Log filtering – You can add filtering to specify which web requests are kept in the logs and which are dropped. You filter on the settings that Amazon WAF applies during the web request evaluation. You can filter on the following settings:

    • Fully qualified label – Fully qualified labels have a prefix, optional namespaces, and label name. The prefix identifies the rule group or web ACL context of the rule that added the label. For information about labels, see Amazon WAF labels on web requests.

    • Rule action – You can filter on any normal rule action setting and also on the legacy EXCLUDED_AS_COUNT override option for rule group rules. For information about rule action settings, see Rule action. For information about current and legacy rule action overrides for rule group rules, see Action override options for rule groups.

      • The normal rule action filters apply to actions that are configured in rules and also to actions that are configured using the current option for overriding a rule group rule action.

      • The EXCLUDED_AS_COUNT log filter overlaps with the Count action log filter. EXCLUDED_AS_COUNT filters both the current and legacy options for overriding a rule group rule action to Count.

Enabling logging for a web ACL

To enable logging for a web ACL, you must have already configured a logging destination. For information about your destination choices and the requirements for each, see Amazon WAF logging destinations.

To enable logging for a web ACL
  1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at https://console.amazonaws.cn/wafv2/.

  2. In the navigation pane, choose Web ACLs.

  3. Choose the name of the web ACL that you want to enable logging for. The console takes you to the web ACL's description, where you can edit it.

  4. On the Logging tab, choose Enable logging.

  5. Choose the logging destination type, and then choose the logging destination that you configured. You must choose a logging destination whose name begins with aws-waf-logs-.

  6. (Optional) If you don't want some fields included in the logs, redact them. Choose the field to redact, and then choose Add. Repeat as necessary to redact additional fields.


    This setting has no impact on request sampling. With request sampling, the only way to exclude fields is by disabling sampling for the web ACL.

  7. (Optional) If you don't want to send all requests to the logs, add your filtering criteria and behavior. Under Filter logs, for each filter that you want to apply, choose Add filter, then choose your filtering criteria and specify whether you want to keep or drop requests that match the criteria. When you finish adding filters, if needed, modify the Default logging behavior.

  8. Choose Enable logging.


    When you successfully enable logging, Amazon WAF will create a service-linked role with the necessary permissions to write logs to the logging destination. For more information, see Using service-linked roles for Amazon WAF.