Amazon Web Application Firewall

Crawler

Overview

AWS WAF is a web application firewall that helps protect your web applications from common web exploits.

Enable this integration to see your WAF metrics in Datadog.

Setup

Installation

If you haven’t already, set up the Amazon Web Services integration first.

Metric collection

In the AWS integration tile, ensure that WAF is checked under metric collection.
Install the Datadog - AWS WAF integration.
AWS WAF metrics requires the selection of Collect custom metrics on the AWS integration tile. Click the Update Configuration button after this step:

Log Collection

Enable Web Application Firewall audit logs

Enable logging to get detailed information about your web ACL analyzed traffic:

Create a Amazon Kinesis Data Firehose with a name starting with aws-waf-logs-.
In the Amazon Kinesis Data Firehose destination, pick Amazon S3 and make sure you add waf as prefix.
Select the wanted web ACL and send its logs to the newly created Firehose (detailled steps).

The WAF logs are now collected and send to a S3 bucket.

Send logs to Datadog

If you haven’t already, set up the Datadog log collection AWS Lambda function.
Once the lambda function is installed, manually add a trigger on the S3 bucket that contains your WAF logs in the AWS console, in your Lambda, click on S3 in the trigger list:

Configure your trigger by choosing the S3 bucket that contains your WAF logs and change the event type to Object Created (All) then click on the add button.

Data Collected

Metrics

waf.allowed_requests (gauge)	The number of allowed web requests. Shown as request
waf.allowed_requests.maximum (gauge)	The maximum number of allowed web requests. Shown as request
waf.allowed_requests.minimum (gauge)	The minimum number of allowed web requests. Shown as request
waf.allowed_requests.samplecount (gauge)	The sampled number of allowed web requests. Shown as request
waf.allowed_requests.sum (gauge)	The sum of allowed web requests. Shown as request
waf.blocked_requests (gauge)	The number of blocked web requests. Shown as request
waf.blocked_requests.maximum (gauge)	The maximum number of blocked web requests. Shown as request
waf.blocked_requests.minimum (gauge)	The minimum number of blocked web requests. Shown as request
waf.blocked_requests.samplecount (gauge)	The sampled number of blocked web requests. Shown as request
waf.blocked_requests.sum (gauge)	The sum of blocked web requests. Shown as request
waf.counted_requests (gauge)	The number of counted web requests. Shown as request
waf.counted_requests.maximum (gauge)	The maximum number of counted web requests. Shown as request
waf.counted_requests.minimum (gauge)	The minimum number of counted web requests. Shown as request
waf.counted_requests.samplecount (gauge)	The sampled number of counted web requests. Shown as request
waf.counted_requests.sum (gauge)	The sum of counted web requests. Shown as request

Each of the metrics retrieved from AWS is assigned the same tags that appear in the AWS console, including but not limited to host name, security-groups, and more.

Events

The AWS WAF integration does not include any events.

Service Checks

The AWS WAF integration does not include any service checks.

Troubleshooting

Need help? Contact Datadog support.