Overview
AWS WAF is a web application firewall that helps protect your web applications from common web exploits.
Enable this integration to see your WAF metrics in Datadog.
Setup
Installation
If you haven’t already, set up the Amazon Web Services integration first.
Metric collection
In the AWS integration page, ensure that WAF or WAFV2 is enabled under the Metric Collection tab, depending on which endpoint you are using.
Install the Datadog - AWS WAF integration.
Log collection
Enable Web Application Firewall audit logs to get detailed information about your web ACL analyzed traffic:
WAF
- Create an
Amazon Data Firehose with a name starting with aws-waf-logs-. - In the
Amazon Data Firehose destination, pick Amazon S3 and make sure you add waf as prefix. - Select the desired web ACL and configure it to send logs to the newly created Firehose (detailed steps).
WAFV2
- Create an
S3 bucket with a name starting with aws-waf-logs-. - Configure the logging destination for the Amazon S3 bucket (detailed steps).
The WAF/WAFV2 logs are collected and sent to the specified S3 bucket.
Send logs to Datadog
- If you haven’t already, set up the Datadog Forwarder Lambda function.
- After the Lambda function is installed, manually add a trigger on the S3 bucket that contains your WAF logs in the AWS console. In your Lambda, click on S3 in the trigger list.
- To configure your trigger, choose the S3 bucket that contains your WAF logs and change the event type to
Object Created (All). - Click Add.
Notes:
- The Datadog Lambda forwarder automatically transforms arrays of nested object in WAF logs into a
key:value format for ease of use. - If you see an error message that “Configurations on the same bucket cannot share a common event type”, make sure the bucket does not have another event notification linked to another lambda forwarder. Your S3 bucket cannot have multiple instances of
All object create events.
Data collected
Metrics
aws.waf.allowed_requests
(count) | The number of allowed web requests.
Shown as request |
aws.waf.blocked_requests
(count) | The number of blocked web requests.
Shown as request |
aws.waf.counted_requests
(count) | The number of counted web requests.
Shown as request |
aws.waf.passed_requests
(gauge) | The number of passed web requests.
Shown as request |
aws.wafv2.allowed_requests
(count) | The number of allowed web requests.
Shown as request |
aws.wafv2.blocked_requests
(count) | The number of blocked web requests.
Shown as request |
aws.wafv2.counted_requests
(count) | The number of counted web requests.
Shown as request |
aws.wafv2.passed_requests
(count) | The number of passed web requests.
Shown as request |
waf.allowed_requests
(count) | The number of allowed web requests.
Shown as request |
waf.blocked_requests
(count) | The number of blocked web requests.
Shown as request |
waf.counted_requests
(count) | The number of counted web requests.
Shown as request |
waf.passed_requests
(count) | The number of passed web requests.
Shown as request |
Note: Both aws.waf.* and waf.* metrics are reported due to the historic format of the CloudWatch metric APIs for WAF.
Each of the metrics retrieved from AWS is assigned the same tags that appear in the AWS console, including but not limited to host name, security-groups, and more.
Events
The AWS WAF integration does not include any events.
Service Checks
The AWS WAF integration does not include any service checks.
Troubleshooting
Need help? Contact Datadog support.
