## The log group name must start with aws-waf-logs-, otherwise WAF will not recognize it; set the retention period to the number of days you want
Query list
1. Top 10 requesting IPs
fields @timestamp, httpRequest.clientIp, httpRequest.uri, ruleGroupList.ruleId as ruleId, action
| stats count(*) as requestCount by httpRequest.clientIp
| sort requestCount desc
| limit 10
2. Top 10 hosts
fields @timestamp, httpRequest.headers.0.value
| stats count() as requestCount by httpRequest.headers.0.value
| sort requestCount desc
| limit 10
3. block IP and URI
fields @timestamp, httpRequest.uri, action, httpRequest.clientIp
| filter action = 'BLOCK'
| stats count(*) as requestCount by httpRequest.clientIp, httpRequest.uri, action
| sort requestCount desc
| limit 20
4. Block Count
fields @timestamp, action, httpRequest.clientIp, httpRequest.country, httpRequest.uri, terminatingRuleId
| sort @timestamp desc
| filter action="BLOCK" or action="COUNT"
| limit 100
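The four queries above run inside CloudWatch Logs Insights; the following added example (not from the original post) reproduces the same aggregations in Python over exported WAF log records, which is handy for offline review or for checking what a query is really counting. The sample records, hostnames, IPs and rule IDs are constructed; note that it looks up the Host header by name, because `httpRequest.headers.0.value` in query 2 only means "Host" when Host happens to be the first header in the record.

```python
import json
from collections import Counter

def _rec(ts, action, ip, country, uri, host, rule, host_first=True):
    """Build one constructed WAF log record in the shape the queries above read."""
    headers = [{"name": "Host", "value": host}, {"name": "User-Agent", "value": "curl/8.0"}]
    if not host_first:  # Host is not guaranteed to be headers[0] in real logs
        headers.reverse()
    return {"timestamp": ts, "action": action, "terminatingRuleId": rule,
            "httpRequest": {"clientIp": ip, "country": country, "uri": uri, "headers": headers}}

# Constructed sample log (JSON Lines, as exported from CloudWatch Logs); not real traffic.
SAMPLE_LOGS = "\n".join(json.dumps(r) for r in [
    _rec(1700000001000, "BLOCK", "203.0.113.10", "US", "/login", "shop.example.com", "BlockBadIps", host_first=False),
    _rec(1700000002000, "ALLOW", "198.51.100.7", "KR", "/", "shop.example.com", "Default_Action"),
    _rec(1700000003000, "BLOCK", "203.0.113.10", "US", "/login", "shop.example.com", "BlockBadIps"),
    _rec(1700000004000, "COUNT", "198.51.100.7", "KR", "/api/items", "api.example.com", "CommonRuleSet"),
    _rec(1700000005000, "BLOCK", "203.0.113.10", "US", "/admin", "shop.example.com", "BlockBadIps"),
])

def parse_waf_logs(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def header_value(record, name):
    """Find a header by name (case-insensitive). The `httpRequest.headers.0.value`
    query above counts whatever header happens to be first, not necessarily Host."""
    for h in record["httpRequest"].get("headers", []):
        if h.get("name", "").lower() == name.lower():
            return h.get("value")
    return None

def top_client_ips(records, limit=10):  # query 1
    return Counter(r["httpRequest"]["clientIp"] for r in records).most_common(limit)

def top_hosts(records, limit=10):  # query 2, keyed on the Host header by name
    return Counter(header_value(r, "Host") or "<no host>" for r in records).most_common(limit)

def blocked_ip_uri(records, limit=20):  # query 3
    pairs = ((r["httpRequest"]["clientIp"], r["httpRequest"]["uri"]) for r in records if r["action"] == "BLOCK")
    return Counter(pairs).most_common(limit)

def block_count_events(records, limit=100):  # query 4, newest first
    rows = sorted((r for r in records if r["action"] in ("BLOCK", "COUNT")), key=lambda r: r["timestamp"], reverse=True)
    return [(r["timestamp"], r["action"], r["httpRequest"]["clientIp"], r["httpRequest"]["country"],
             r["httpRequest"]["uri"], r["terminatingRuleId"]) for r in rows[:limit]]

if __name__ == "__main__":
    recs = parse_waf_logs(SAMPLE_LOGS)
    print(top_client_ips(recs), blocked_ip_uri(recs), sep="\n")
```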
Analyzing AWS WAF logs using Amazon CloudWatch Logs Insights and Contributor Insights