---
title: AWS WAF
description: |-
  AWS WAF is a web application firewall that helps protect your web applications
  from common web exploits.
---

# AWS WAF
Integration version 1.0.0
## Overview{% #overview %}

AWS WAF is a web application firewall that helps protect your web applications from common web exploits.

Enable this integration to see your WAF metrics in Datadog.

## Setup{% #setup %}

### Installation{% #installation %}

If you haven't already, set up the [Amazon Web Services integration](https://docs.datadoghq.com/integrations/amazon_web_services/) first.

### Metric collection{% #metric-collection %}

1. In the [AWS integration page](https://app.datadoghq.com/integrations/amazon-web-services), ensure that `WAF` or `WAFV2` is enabled under the `Metric Collection` tab, depending on which endpoint you are using.

1. Install the [Datadog - AWS WAF integration](https://app.datadoghq.com/integrations/amazon-waf).

### Log collection{% #log-collection %}

Enable Web Application Firewall audit logs to get detailed information about the traffic analyzed by your web ACL:

#### WAF{% #waf %}

1. Create an `Amazon Data Firehose` with a name starting with `aws-waf-logs-`.
1. In the `Amazon Data Firehose` destination, pick `Amazon S3` and make sure you add `waf` as the prefix.
1. Select the desired web ACL and configure it to send logs to the newly created Firehose ([detailed steps](https://docs.aws.amazon.com/waf/latest/developerguide/classic-logging.html)).

#### WAFV2{% #wafv2 %}

1. Create an `S3 bucket` with a name starting with `aws-waf-logs-`.
1. Configure the logging destination for the Amazon S3 bucket ([detailed steps](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html)).

The WAF/WAFV2 logs are collected and sent to the specified S3 bucket.

#### Send logs to Datadog{% #send-logs-to-datadog %}

1. If you haven't already, set up the [Datadog Forwarder Lambda function](https://docs.datadoghq.com/logs/guide/forwarder/).
1. After the Lambda function is installed, manually add a trigger on the S3 bucket that contains your WAF logs in the AWS console. In your Lambda, click on S3 in the trigger list.
1. To configure your trigger, choose the S3 bucket that contains your WAF logs and change the event type to `Object Created (All)`.
1. Click **Add**.

**Notes**:

- The Datadog Lambda forwarder automatically transforms arrays of nested objects in WAF logs into a `key:value` format for ease of use.
- If you see an error message that "Configurations on the same bucket cannot share a common event type", make sure the bucket does not have another event notification linked to another Lambda forwarder. Your S3 bucket cannot have multiple instances of `All object create events`.
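
The following pre-flight check is an added example, not part of the Datadog or AWS tooling. It takes the JSON returned by `aws s3api get-bucket-notification-configuration` and lists the existing notifications that would collide with a new `Object Created (All)` trigger, approximating the S3 rule that event types and key filters must not both overlap. The bucket name, ARNs, and notification IDs are constructed sample values.

```python
import json

# Constructed sample: notification configuration of a hypothetical bucket.
SAMPLE_CONFIG = json.loads("""
{"LambdaFunctionConfigurations": [
   {"Id": "old-forwarder",
    "LambdaFunctionArn": "arn:aws:lambda:us-east-1:111111111111:function:old-forwarder",
    "Events": ["s3:ObjectCreated:Put"],
    "Filter": {"Key": {"FilterRules": [{"Name": "Prefix", "Value": "AWSLogs/"}]}}}],
 "QueueConfigurations": [
   {"Id": "archive-queue",
    "QueueArn": "arn:aws:sqs:us-east-1:111111111111:archive",
    "Events": ["s3:ObjectRemoved:*"]}]}
""")

KINDS = ("LambdaFunctionConfigurations", "QueueConfigurations", "TopicConfigurations")

def _filters(cfg):
    """Return (prefix, suffix) of a notification; empty string means no filter."""
    rules = cfg.get("Filter", {}).get("Key", {}).get("FilterRules", [])
    found = {r["Name"].lower(): r["Value"] for r in rules}
    return found.get("prefix", ""), found.get("suffix", "")

def _events_overlap(a, b):
    # "s3:ObjectCreated:*" covers every "s3:ObjectCreated:<operation>" event.
    def covers(x, y):
        return x == y or (x.endswith(":*") and y.startswith(x[:-1]))
    return any(covers(x, y) or covers(y, x) for x in a for y in b)

def find_conflicts(config, events=("s3:ObjectCreated:*",), prefix="", suffix=""):
    """Ids of existing notifications that would clash with the new trigger."""
    clashes = []
    for kind in KINDS:
        for cfg in config.get(kind, []):
            p, s = _filters(cfg)
            keys_overlap = ((p.startswith(prefix) or prefix.startswith(p)) and
                            (s.endswith(suffix) or suffix.endswith(s)))
            if keys_overlap and _events_overlap(cfg.get("Events", []), events):
                clashes.append(cfg.get("Id", "<no id>"))
    return clashes

def preflight(bucket, config):
    """Problems to fix before adding the forwarder trigger (WAFV2 bucket naming)."""
    problems = []
    if not bucket.startswith("aws-waf-logs-"):
        problems.append("bucket name must start with aws-waf-logs-")
    problems += [f"notification '{i}' overlaps Object Created (All)"
                 for i in find_conflicts(config)]
    return problems
```

An unfiltered `Object Created (All)` trigger overlaps every existing object-creation notification on the bucket, which is why the check reports `old-forwarder` but not the `s3:ObjectRemoved:*` queue.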

## Data collected{% #data-collected %}

### Metrics{% #metrics %}

| Metric | Description |
| --- | --- |
| **aws.waf.allowed\_requests** (count) | The number of allowed web requests. *Shown as request* |
| **aws.waf.blocked\_requests** (count) | The number of blocked web requests. *Shown as request* |
| **aws.waf.counted\_requests** (count) | The number of counted web requests. *Shown as request* |
| **aws.waf.passed\_requests** (count) | The number of passed web requests. *Shown as request* |
| **aws.wafv2.allow\_rule\_match** (count) | The number of matched rules that terminated request evaluation with an Allow action. |
| **aws.wafv2.allowed\_requests** (count) | The number of allowed web requests. *Shown as request* |
| **aws.wafv2.block\_rule\_match** (count) | The number of matched rules that terminated request evaluation with a Block action. |
| **aws.wafv2.blocked\_requests** (count) | The number of blocked web requests. *Shown as request* |
| **aws.wafv2.captcha\_requests** (count) | The number of web requests that had CAPTCHA controls applied. *Shown as request* |
| **aws.wafv2.captcha\_rule\_match** (count) | The number of matched rules that terminated request evaluation with a CAPTCHA action. |
| **aws.wafv2.captcha\_rule\_match\_with\_valid\_token** (count) | The number of matched rules that applied a non-terminating CAPTCHA action. |
| **aws.wafv2.captchas\_attempted** (count) | The number of solutions that were submitted by an end user in response to a CAPTCHA puzzle challenge. |
| **aws.wafv2.captchas\_attempted\_sdk** (count) | The number of solutions that were submitted by an end user in response to a CAPTCHA puzzle challenge, for puzzles that were served via the CAPTCHA JavaScript API. |
| **aws.wafv2.captchas\_solved** (count) | The number of CAPTCHA puzzle solutions submitted that successfully solved the puzzle. |
| **aws.wafv2.captchas\_solved\_sdk** (count) | The number of CAPTCHA puzzle solutions submitted that successfully solved the puzzle, for puzzles that were served via the CAPTCHA JavaScript API. |
| **aws.wafv2.challenge\_requests** (count) | The number of web requests that had challenge controls applied. *Shown as request* |
| **aws.wafv2.challenge\_rule\_match** (count) | The number of matched rules that terminated request evaluation with a Challenge action. |
| **aws.wafv2.challenge\_rule\_match\_with\_valid\_token** (count) | The number of matched rules that applied a non-terminating Challenge action. |
| **aws.wafv2.challenges\_attempted** (count) | The number of attempts that were submitted by an end user in response to a silent challenge served by a Challenge rule. |
| **aws.wafv2.challenges\_attempted\_sdk** (count) | The number of attempts that were submitted by an end user in response to a silent challenge served by the Challenge JavaScript API. |
| **aws.wafv2.challenges\_solved** (count) | The number of silent challenge solutions submitted that successfully passed the silent challenge served by a Challenge rule. |
| **aws.wafv2.challenges\_solved\_sdk** (count) | The number of silent challenge solutions submitted that successfully passed the silent challenge served by the Challenge JavaScript API. |
| **aws.wafv2.count\_rule\_match** (count) | The number of matched rules that applied a non-terminating Count action. |
| **aws.wafv2.counted\_requests** (count) | The number of counted web requests. *Shown as request* |
| **aws.wafv2.days\_to\_expiry** (gauge) | The number of days until the expiration date for the associated managed rule group and version. *Shown as day* |
| **aws.wafv2.passed\_requests** (count) | The number of passed web requests. *Shown as request* |
| **aws.wafv2.requests\_with\_valid\_captcha\_token** (count) | The number of web requests that had CAPTCHA controls applied and that had a valid CAPTCHA token. *Shown as request* |
| **aws.wafv2.requests\_with\_valid\_challenge\_token** (count) | The number of web requests that had challenge controls applied and that had a valid challenge token. *Shown as request* |
| **aws.wafv2.sample\_allowed\_request** (count) | The number of sampled requests that the Bot Control managed rule group would allow. *Shown as request* |
| **aws.wafv2.sample\_blocked\_request** (count) | The number of sampled requests that the Bot Control managed rule group would block. *Shown as request* |
| **aws.wafv2.sample\_captcha\_request** (count) | The number of sampled requests that the Bot Control managed rule group would respond to with a CAPTCHA. *Shown as request* |
| **aws.wafv2.sample\_challenge\_request** (count) | The number of sampled requests that the Bot Control managed rule group would respond to with a challenge. *Shown as request* |
| **aws.wafv2.sample\_count\_request** (count) | The number of sampled requests for which the Bot Control managed rule group would apply a Count action. *Shown as request* |

**Note**: Both `aws.waf.*` and `waf.*` metrics are reported due to the historic format of the CloudWatch metric APIs for WAF.

Each of the metrics retrieved from AWS is assigned the same tags that appear in the AWS console, including, but not limited to, host name and security groups.

### Events{% #events %}

The AWS WAF integration does not include any events.

### Service Checks{% #service-checks %}

The AWS WAF integration does not include any service checks.

## Troubleshooting{% #troubleshooting %}

Need help? Contact [Datadog support](https://docs.datadoghq.com/help/).

## Further Reading{% #further-reading %}

- [Key metrics for monitoring AWS WAF](https://www.datadoghq.com/blog/aws-waf-metrics/)
- [Tools for collecting AWS WAF data](https://www.datadoghq.com/blog/aws-waf-monitoring-tools/)
- [Monitor AWS WAF activity with Datadog](https://www.datadoghq.com/blog/aws-waf-datadog/)
