Log all AWS WAF Matched Rules to S3 and/or Loggly using Serverless
Switch branches/tags
Nothing to show
Clone or download
Failed to load latest commit information.
.gitignore Initial commit Jan 5, 2018
LICENSE Create LICENSE Jan 5, 2018
README.md Initial commit Jan 5, 2018
env.yml.example Initial commit Jan 5, 2018
handler.js Initial commit Jan 5, 2018
hits.js Initial commit Jan 5, 2018
loggly.js Initial commit Jan 5, 2018
package.json Initial commit Jan 5, 2018
s3.js Initial commit Jan 5, 2018
serverless.yml Increase to max perf. and timeout Feb 16, 2018


AWS WAF Logger

The AWS WAF is an amazing feature however actually getting meaningful logs out of it can be a pain. Since putting it in-place we have been wanting to analyse the traffic patterns and which rules are getting hit. However, at this time AWS does not provide such a log stream.

To remedy this we have created this small scheduled Lambda which queries the AWS SDK GetSampledRequests action to fetch any matches and store them in S3 and/or Loggly. This allows us to look at current and historical data about the WAF's actions.


You must first specify your desired configuration within env.yml, using env.yml.example as a template. This service uses Serverless to manage provisioning the Lambda, so with this present on your machine you can simply execute:

$ serverless deploy -v

Depending on if you have configured to output the logs to S3 and/or Loggly you will now begin to see any resulting output based on your check frequency.

Note: GetSampledRequests only returns a 'sample' (max 500) among the first 5,000 request that your resource receives during the specified time range. As such the check frequency may need to be adjusted according to your throughput.