Logging Amazon WAF web ACL traffic
This section explains logging and other data collection options that you can use with Amazon WAF.
You can enable logging to get detailed information about traffic that is analyzed by your web ACL. Logged information includes the time that Amazon WAF received a web request from your Amazon resource, detailed information about the request, and details about the rules that the request matched. You can send web ACL logs to an Amazon CloudWatch Logs log group, an Amazon Simple Storage Service (Amazon S3) bucket, or an Amazon Data Firehose delivery stream.
Other data collection and analysis options
In addition to logging, you can enable the following options for data collection and analysis:
Amazon Security Lake – You can configure Security Lake to collect web ACL data. Security Lake collects log and event data from various sources for normalization, analysis, and management. For information about this option, see What is Amazon Security Lake? and Collecting data from Amazon services in the Amazon Security Lake user guide.
Amazon WAF doesn't charge you for using this option. For pricing information, see Security Lake Pricing
and How Security Lake pricing is determined in the Amazon Security Lake user guide. Request sampling – You can configure your web ACL to sample the web requests that it evaluates, to get an idea of the type of traffic that your application is receiving. For information about this option, see Viewing a sample of web requests.
Note
Web ACL logging configuration only affects the Amazon WAF logs. In particular, the redacted fields configuration for logging has no impact on request sampling or Security Lake data collection. Security Lake data collection is configured entirely through the Security Lake service. The only way to exclude fields from sampled requests is by disabling sampling for the web ACL.