

Sample CloudWatch Logs Insights queries for AWS WAF logs

Posted at 2023-10-12

A collection of sample queries for searching AWS WAF logs with CloudWatch Logs Insights.

Logs blocked by a specific rule

```
fields @timestamp, @message
| filter action = "BLOCK"
| filter terminatingRuleId = "AWSManagedRulesSQLiRuleSet"
| sort @timestamp desc
| limit 20
```
Show the reason for the block as well

```
# terminatingRuleId is the rule (or rule group reference) in the web ACL that blocked the request;
# ruleGroupList.0.terminatingRule.ruleId is the individual rule inside that rule group that matched
fields @timestamp, @message, terminatingRuleId, ruleGroupList.0.terminatingRule.ruleId
| filter action = "BLOCK"
| filter terminatingRuleId != "OwnRulesIpLimit"
| sort @timestamp desc
| limit 20
```
Number of blocked requests per URI and rule

```
# filter before stats: after stats only the aggregated fields exist, so
# "filter action" and "sort @timestamp" would not work on the grouped rows
filter action = "BLOCK"
| stats count(*) as blocked by httpRequest.uri, terminatingRuleId, terminatingRuleType
| sort blocked desc
| limit 20
```
Allowed requests

```
fields @timestamp, @message
| filter action = "ALLOW"
| filter httpRequest.country = "JP"
| filter httpRequest.clientIp = "152.165.126.58"
| sort @timestamp desc
| limit 20
```
Search logs by client IP and similar fields

```
# httpRequest.headers is an array; index 0 is positional, so this only matches
# the Host header when Host happens to be the first header in the request
fields @timestamp, @message
| filter httpRequest.country = "JP"
| filter httpRequest.clientIp = "1xx.1xx.1xx.xx"
| filter httpRequest.headers.0.value = "www.hogehoge.com"
| sort @timestamp desc
| limit 20
```
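The queries above all operate on the same WAF log record structure (`action`, `terminatingRuleId`, `terminatingRuleType`, `ruleGroupList[].terminatingRule.ruleId`, `httpRequest.clientIp`/`country`/`uri`/`headers[]`). The following is an added example, not part of the original article, that reproduces what the "per URI" stats query and the IP/header filters compute, in Python over constructed sample records that use the real WAF log field names with made-up values. It also shows one difference from the `headers.0.value` filter: the helper looks the `Host` header up by name rather than by position, since WAF does not guarantee header order. The function names are this example's own.

```python
import json
from collections import Counter

# Constructed sample records in the JSON shape AWS WAF writes to CloudWatch Logs
# (field names are the real WAF log fields; every value here is made up).
SAMPLE_WAF_LOG_LINES = [
    json.dumps({"timestamp": 1697068800000, "action": "BLOCK",
        "terminatingRuleId": "AWSManagedRulesSQLiRuleSet", "terminatingRuleType": "MANAGED_RULE_GROUP",
        "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet",
            "terminatingRule": {"ruleId": "SQLi_QUERYARGUMENTS", "action": "BLOCK"}}],
        "httpRequest": {"clientIp": "203.0.113.10", "country": "JP", "uri": "/login",
            "headers": [{"name": "User-Agent", "value": "curl/8.0"},
                        {"name": "Host", "value": "www.example.com"}]}}),
    json.dumps({"timestamp": 1697068801000, "action": "BLOCK",
        "terminatingRuleId": "OwnRulesIpLimit", "terminatingRuleType": "RATE_BASED",
        "ruleGroupList": [],
        "httpRequest": {"clientIp": "198.51.100.7", "country": "US", "uri": "/login",
            "headers": [{"name": "Host", "value": "www.example.com"}]}}),
    json.dumps({"timestamp": 1697068802000, "action": "ALLOW",
        "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
        "ruleGroupList": [],
        "httpRequest": {"clientIp": "203.0.113.10", "country": "JP", "uri": "/",
            "headers": [{"name": "Host", "value": "www.example.com"}]}}),
    json.dumps({"timestamp": 1697068803000, "action": "BLOCK",
        "terminatingRuleId": "AWSManagedRulesSQLiRuleSet", "terminatingRuleType": "MANAGED_RULE_GROUP",
        "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet",
            "terminatingRule": {"ruleId": "SQLi_BODY", "action": "BLOCK"}}],
        "httpRequest": {"clientIp": "203.0.113.10", "country": "JP", "uri": "/login",
            "headers": [{"name": "Host", "value": "www.example.com"}]}}),
]


def parse_waf_logs(lines):
    """Parse one JSON record per line; skip lines that are not JSON objects."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records


def header_value(record, name):
    """Look a request header up by name (case-insensitive) instead of by index:
    'httpRequest.headers.0.value' only matches Host when Host is the first header."""
    for h in record.get("httpRequest", {}).get("headers", []):
        if h.get("name", "").lower() == name.lower():
            return h.get("value")
    return None


def block_reason(record):
    """The two extra fields of the 'show the reason' query:
    (terminatingRuleId, ruleGroupList.0.terminatingRule.ruleId), None if no rule group."""
    groups = record.get("ruleGroupList") or []
    rule_in_group = (groups[0].get("terminatingRule") or {}).get("ruleId") if groups else None
    return record.get("terminatingRuleId"), rule_in_group


def blocked_by_uri_and_rule(records):
    """The 'blocked requests per URI' aggregation: filter on action first,
    then count by (uri, terminatingRuleId, terminatingRuleType)."""
    counts = Counter()
    for rec in records:
        if rec.get("action") != "BLOCK":
            continue
        req = rec.get("httpRequest", {})
        counts[(req.get("uri"), rec.get("terminatingRuleId"), rec.get("terminatingRuleType"))] += 1
    return counts


def find_requests(records, action=None, country=None, client_ip=None, host=None):
    """The 'allowed requests' / 'search by client IP' filters; every argument is optional."""
    out = []
    for rec in records:
        req = rec.get("httpRequest", {})
        if action and rec.get("action") != action:
            continue
        if country and req.get("country") != country:
            continue
        if client_ip and req.get("clientIp") != client_ip:
            continue
        if host and header_value(rec, "Host") != host:
            continue
        out.append(rec)
    return out


if __name__ == "__main__":
    recs = parse_waf_logs(SAMPLE_WAF_LOG_LINES)
    for key, n in blocked_by_uri_and_rule(recs).most_common():
        print(n, key)
    for rec in find_requests(recs, action="BLOCK", country="JP"):
        print(rec["httpRequest"]["clientIp"], block_reason(rec))
```

Running it on exported WAF log lines (one JSON object per line, as delivered to CloudWatch Logs) gives the same grouping as the stats query, which is a convenient way to sanity-check a query before relying on it in a dashboard or alert.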
