Useful collection of scripts for working with AWS through the AWS CLI
If you prefer to easily get and query WAF logs, you can use jq
, instead of configuring Athena which is difficult, expensive and error-prone.
# Set all required variables in the shell, adjust accordingly.
accountId=123456789
albName=myAlb
filterDate=2024/09/13
wafRule=waf_rule_123
region=eu-north-1
# First download all WAF logs
aws s3 cp s3://${albName}/AWSLogs/${accountId}/WAFLogs/${region}/${waf_rule_123}/${filterDate} . --recursive
# Clean up from previous runs, if any
rm -rf ./**/*.log
# Uncompress the log files
gunzip ./**/*.gz
# Select all blocked requests
cat ./**/*.log | jq -c '. | select(."action" == "BLOCK")' | jq '.'
# You can tailor the above query further to narrow down or filter for logs using jq or other tools.
# E.g. showing the number of requests for a given URL path:
cat ./**/*.log | jq -c '. | select(."action" == "BLOCK")' | jq '.httpRequest.uri' | sort | uniq -c
# E.g. showing blocked requests from a particular country with a specific URL path:
cat ./*/.log | jq -c '. | select(."action" == "BLOCK")' | jq 'select(."httpRequest".country == "US")' | jq 'select(.httpRequest.uri == "/login/v-1")' | less