
Logging for an Amazon WAF policy

You can enable centralized logging for your Amazon WAF policies to get detailed information about traffic that's analyzed by your web ACL within your organization. Amazon Firewall Manager supports this option for Amazon WAFV2, not for Amazon WAF Classic.

The information in the logs includes the time that Amazon WAF received the request from your protected Amazon resource, detailed information about the request, and the action for the rule that each request matched from all in-scope accounts. For information about Amazon WAF logging, see Logging Amazon WAF web ACL traffic in the Amazon WAF Developer Guide.

You can send your logs to an Amazon Data Firehose data stream or Amazon Simple Storage Service (S3) bucket. Each destination type requires some additional configuration in order for Firewall Manager to be able to manage the Amazon WAF logging across your in-scope resources and accounts. The sections that follow provide details.

If the policy has web ACL retrofitting enabled, Firewall Manager doesn't override any logging configuration that's in place in existing web ACLs. For information about retrofitting, see the web ACL source configuration information at Web ACL management for Amazon WAF policies.

Note

Only modify or disable logging for Firewall Manager policies through the Firewall Manager interface. If you use Amazon WAF to update or delete the logging configuration of a web ACL that's managed by Firewall Manager, Firewall Manager won't detect the change automatically. If you have made such a change with Amazon WAF, you can manually prompt an update to the Firewall Manager Amazon WAF policy by re-evaluating the policy's rule in Amazon Config. To do this, in the Amazon Config console, locate the Amazon Config rule for the Firewall Manager policy and select the re-evaluate action.
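Because Firewall Manager does not notice logging changes made directly in Amazon WAF, a defender can compare each in-scope web ACL's reported logging configuration against the policy's intended destinations and flag the ACLs that need a Config re-evaluation. The script below is an added example, not code from the Firewall Manager documentation; the JSON shapes are assumptions modeled on the Firewall Manager WAFV2 ManagedServiceData and the WAFV2 GetLoggingConfiguration response, and all account IDs, ARNs and destination names are constructed placeholders.

```python
import json

# Constructed sample: the WAFV2 policy's ManagedServiceData JSON (shape is an
# assumption modeled on the Firewall Manager policy format; IDs are placeholders).
POLICY_MANAGED_SERVICE_DATA = json.dumps({
    "type": "WAFV2", "defaultAction": {"type": "ALLOW"},
    "preProcessRuleGroups": [], "postProcessRuleGroups": [],
    "loggingConfiguration": {"redactedFields": [], "logDestinationConfigs": [
        "arn:aws-cn:firehose:cn-north-1:111122223333:deliverystream/aws-waf-logs-fms-central"]},
})

# Constructed sample: logging configuration read back from each in-scope web ACL
# (shape modeled on the WAFV2 GetLoggingConfiguration response). ACL "a" still matches
# the policy, "b" was repointed directly in WAF, "c" had its logging deleted (None).
OBSERVED_WEB_ACL_LOGGING = {
    "arn:aws-cn:wafv2:cn-north-1:111122223333:regional/webacl/FMManagedWebACLV2-a/1":
        {"LogDestinationConfigs": [
            "arn:aws-cn:firehose:cn-north-1:111122223333:deliverystream/aws-waf-logs-fms-central"]},
    "arn:aws-cn:wafv2:cn-north-1:444455556666:regional/webacl/FMManagedWebACLV2-b/2":
        {"LogDestinationConfigs": [
            "arn:aws-cn:firehose:cn-north-1:444455556666:deliverystream/aws-waf-logs-local"]},
    "arn:aws-cn:wafv2:cn-north-1:777788889999:regional/webacl/FMManagedWebACLV2-c/3": None,
}

def destination_is_valid(arn: str) -> bool:
    """WAF accepts only Firehose streams and S3 buckets whose name starts with aws-waf-logs-."""
    if ":firehose:" in arn:
        name = arn.rsplit("deliverystream/", 1)[-1]
    elif ":s3:::" in arn:
        name = arn.split(":s3:::", 1)[1].split("/", 1)[0]
    else:
        return False
    return name.startswith("aws-waf-logs-")

def find_logging_drift(managed_service_data: str, observed: dict) -> dict:
    """Return {web_acl_arn: finding} for ACLs whose logging no longer matches the policy."""
    intended = set(json.loads(managed_service_data)
                   .get("loggingConfiguration", {}).get("logDestinationConfigs", []))
    if not all(destination_is_valid(d) for d in intended):
        raise ValueError("policy log destination must be named aws-waf-logs-*")
    findings = {}
    for acl_arn, cfg in observed.items():
        if cfg is None:  # logging configuration deleted outside Firewall Manager
            findings[acl_arn] = "logging disabled"
        elif set(cfg.get("LogDestinationConfigs", [])) != intended:
            findings[acl_arn] = "destination differs from policy"
    return findings

for acl, finding in find_logging_drift(POLICY_MANAGED_SERVICE_DATA, OBSERVED_WEB_ACL_LOGGING).items():
    print(f"{acl}: {finding}; re-evaluate the policy's Config rule")
```

In a real deployment the observed dictionary would be filled from each account's WAFV2 GetLoggingConfiguration results, and any finding is the cue to re-evaluate the policy's Config rule as described in the note above.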