LoginSignup

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

This article is a Private article. Only a writer and users who know the URL can access it.
Please change open range to public in publish setting if you want to share this article with other users.

More than 1 year has passed since last update.

@k_hoso

AWS WAFのログ用、CloudWatch Log Insights のクエリサンプル

Last updated at Posted at 2023-10-12

WAFのログをCloudWatch Log Insightsで検索するためのクエリサンプル集

ルール指定でブロックされたログ
fields @timestamp, @message
| filter action = "BLOCK"
| filter terminatingRuleId = "AWSManagedRulesSQLiRuleSet"
| sort @timestamp desc
| limit 20
ブロックされた理由まで表示する
fields @timestamp, @message, terminatingRuleId, ruleGroupList.0.terminatingRule.ruleId
| filter action = "BLOCK"
| filter terminatingRuleId != "OwnRulesIpLimit"
| sort @timestamp desc
| limit 20
リクエスト毎のブロックされた件数
stats count(*) by httpRequest.uri, terminatingRuleId, terminatingRuleType
| filter action = "BLOCK"
| sort @timestamp desc
| limit 20
許可されたリクエスト
fields @timestamp, @message
| filter action = "ALLOW"
| filter httpRequest.country = "JP"
| filter httpRequest.clientIp = "152.165.126.58"
| sort @timestamp desc
| limit 20
クライアントIP等指定でログを検索
fields @timestamp, @message
| filter httpRequest.country = "JP"
| filter httpRequest.clientIp = "1xx.1xx.1xx.xx"
| filter httpRequest.headers.0.value = "www.hogehoge.com"
| sort @timestamp desc
| limit 20
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?