AWS WAF Log Enablement And Extraction Guide

Enable Logging

1. In AWS WAF, open the target web ACL and configure a logging destination.
2. Choose one logging destination per web ACL: Amazon CloudWatch Logs, Amazon S3, or Amazon Data Firehose.
3. Make sure the destination name follows AWS WAF requirements. AWS documents that destination names must start with `aws-waf-logs-`.
4. If needed, apply data protection or redaction settings before enabling logging so the exported logs match your data-handling policy.

Extract or Export the Logs

5. If you log to S3, download the resulting objects into the aiFObserve workspace.
6. If you log to CloudWatch Logs, export the log stream to files or forward it to S3/Firehose before conversion.
7. If you log to Firehose, collect the delivered JSON objects from the configured destination bucket or downstream system.

Important Fields to Preserve

• web ACL action
• client IP
• URI
• headers/user agent
• rule group or terminating rule
• timestamp
• request body size or byte-related fields where present