Collect AWS WAF logs
====================

Last updated (UTC): 2025-09-04.

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

This document explains how to collect AWS Web Application Firewall (WAF) logs by setting up a Google Security Operations feed. The parser transforms raw JSON-formatted logs into a structured format conforming to the Google SecOps UDM. It extracts fields such as IP addresses, URLs, user agents, and security rule details, and maps them to the corresponding UDM fields for consistent representation and analysis.

Before you begin
----------------

Ensure you have the following prerequisites:

- Google SecOps instance
- Privileged access to AWS

Configure Amazon S3 bucket
--------------------------

1. Create an **Amazon S3 bucket** by following this user guide: [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html)
2. Save the bucket **Name** and **Region** for later use.
3. Create a user by following this user guide: [Creating an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console).
4. Select the created **User**.
5. Select the **Security credentials** tab.
6. Click **Create Access Key** in the **Access Keys** section.
7. Select **Third-party service** as the **Use case**.
8. Click **Next**.
9. Optional: add a description tag.
10. Click **Create access key**.
11. Click **Download CSV file** to save the **Access Key** and **Secret Access Key** for later use.
12. Click **Done**.
13. Select the **Permissions** tab.
14. Click **Add permissions** in the **Permissions policies** section.
15. Select **Add permissions**.
16. Select **Attach policies directly**.
17. Search for and select the **AmazonS3FullAccess** policy.
18. Click **Next**.
19. Click **Add permissions**.

Create a WAF web ACL (Access Control List)
------------------------------------------

If you haven't set up AWS WAF yet, you'll need to create a WAF web ACL (Access Control List). For existing setups, you can skip to the next procedure.

1. In the AWS Console, search for and select **AWS WAF & Shield**.
2. Click **Create web ACL**.
3. Provide the following settings:
   - **Name**: Give the ACL a name (for example, `my-waf-web-acl`).
   - **Region**: Choose the region where you want to apply the WAF.
   - **CloudWatch Metrics**: Enable metric collection to track the activity and rules triggered.
4. Once created, select the **web ACL** for which you want to enable logging.

How to configure AWS WAF Logging
--------------------------------

1. In the **AWS WAF Console**, go to the **Logging** tab of your web ACL.
2. Click **Enable Logging**.
3. Select **Amazon S3** as the destination for your logs.
4. Choose the **S3 bucket** created earlier to store the logs.
5. Optional: configure a log prefix for organizing the logs (for example, `waf-logs/`).
6. Click **Save**.

Verify Permissions for the S3 Bucket
------------------------------------

Ensure that the S3 bucket has the proper permissions for AWS WAF to write logs.

1. Go to the **S3 Console**.
2. Select the bucket where the logs will be stored.
3. In the **Permissions** tab, add the following Bucket Policy to allow AWS WAF to write logs:

       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Effect": "Allow",
             "Principal": {
               "Service": "wafv2.amazonaws.com"
             },
             "Action": "s3:PutObject",
             "Resource": "arn:aws:s3:::your-log-bucket-name/*"
           }
         ]
       }

   | **Note:** Replace `your-log-bucket-name` with the actual name of your S3 bucket.

4. Click **Save**.

Set up feeds
------------

There are two different entry points to set up feeds in the Google SecOps platform:

- **SIEM Settings > Feeds > Add New**
- **Content Hub > Content Packs > Get Started**

How to set up the AWS WAF feed
------------------------------

1. Click the **Amazon Cloud Platform** pack.
2. Locate the **AWS WAF** log type.
3. Specify the values in the following fields.

   - **Source Type**: Amazon SQS V2
   - **Queue Name**: The SQS queue name to read from
   - **S3 URI**: The bucket URI.
     - `s3://your-log-bucket-name/`
     - Replace `your-log-bucket-name` with the actual name of your S3 bucket.
   - **Source deletion options**: Select the deletion option according to your ingestion preferences.

     | **Note:** If you select the `Delete transferred files` or `Delete transferred files and empty directories` option, make sure that you granted appropriate permissions to the service account.
   - **Maximum File Age**: Include files modified in the last number of days. Default is 180 days.
   - **SQS Queue Access Key ID**: An account access key that is a 20-character alphanumeric string.
   - **SQS Queue Secret Access Key**: An account access key that is a 40-character alphanumeric string.

   **Advanced options**
   - **Feed Name**: A prepopulated value that identifies the feed.
   - **Asset Namespace**: Namespace associated with the feed.
   - **Ingestion Labels**: Labels applied to all events from this feed.
4. Click **Create feed**.

| **Note:** The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.

For more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).

UDM Mapping Table
-----------------
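To make the field extraction described in the introduction concrete, here is an added illustration (not the Google SecOps parser itself, and not part of the original page) that maps one AWS WAF JSON log record to the UDM fields named above: client IP, URL, user agent, HTTP method, and the terminating rule and action. The sample record is constructed, and the exact UDM field names chosen here are an assumption, since the page's mapping table was not reproduced.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the AWS WAF logging format (not a real capture).
SAMPLE_WAF_LOG = json.dumps({
    "timestamp": 1725408000000,
    "formatVersion": 1,
    "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/my-waf-web-acl/EXAMPLE-ID",
    "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
    "terminatingRuleType": "MANAGED_RULE_GROUP",
    "action": "BLOCK",
    "httpRequest": {
        "clientIp": "198.51.100.23",
        "country": "US",
        "headers": [
            {"name": "Host", "value": "www.example.com"},
            {"name": "User-Agent", "value": "Mozilla/5.0 (constructed sample)"},
        ],
        "uri": "/login",
        "args": "user=admin",
        "httpMethod": "POST",
    },
})

# WAF actions with a direct UDM SecurityResult.Action equivalent; anything else
# (for example COUNT) is left as UNKNOWN_ACTION rather than guessed.
ACTION_MAP = {"ALLOW": "ALLOW", "BLOCK": "BLOCK"}

def _header(headers, name):
    """Case-insensitive header lookup; WAF logs may lower-case header names."""
    for h in headers or []:
        if h.get("name", "").lower() == name.lower():
            return h.get("value")
    return None

def waf_to_udm(raw):
    """Map one AWS WAF JSON log line to a UDM-style nested dict (assumed field names)."""
    rec = json.loads(raw)
    req = rec.get("httpRequest", {})
    # WAF timestamps are milliseconds since the epoch; UDM wants RFC 3339 UTC.
    ts = datetime.fromtimestamp(rec["timestamp"] / 1000, tz=timezone.utc)
    url = (_header(req.get("headers"), "Host") or "") + req.get("uri", "")
    if req.get("args"):
        url += "?" + req["args"]
    return {
        "metadata": {"event_type": "NETWORK_HTTP",
                     "event_timestamp": ts.isoformat().replace("+00:00", "Z")},
        "principal": {"ip": req.get("clientIp"),
                      "location": {"country_or_region": req.get("country")}},
        "target": {"url": url, "resource": {"name": rec.get("webaclId")}},
        "network": {"http": {"method": req.get("httpMethod"),
                             "user_agent": _header(req.get("headers"), "User-Agent")}},
        "security_result": {"action": ACTION_MAP.get(rec.get("action"), "UNKNOWN_ACTION"),
                            "rule_name": rec.get("terminatingRuleId"),
                            "rule_type": rec.get("terminatingRuleType")},
    }
```

Records missing `httpRequest` or headers still map without raising, which matters because the Maximum File Age setting above can pull in older log files whose format version differs.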