If you’re running applications behind an Application Load Balancer, Amazon CloudFront, API Gateway, or AWS AppSync, AWS WAF is your first line of defense against malicious web traffic. Graylog provides a purpose-built way to make those enforcement decisions immediately actionable. The AWS WAF Content Pack, available with an Illuminate license and Graylog Enterprise or Graylog Security, delivers ready-to-use parsing rules, streams, GIM categorization, and a dashboard so you can turn raw WAF JSON log messages into structured, searchable security intelligence.
What is AWS WAF?
AWS WAF is Amazon’s web application firewall. It inspects HTTP and HTTPS requests reaching Application Load Balancers, CloudFront distributions, API Gateway, and AppSync, evaluating each request against managed or custom rule sets and applying an allow / block, count, CAPTCHA, or challenge action.
Because AWS WAF sits directly in front of internet-facing applications, its logs capture exactly what attackers are probing for and exactly what your rule sets are catching or missing. Logging WAF enforcement events gives your security team visibility into both attack activity and the decisions made to stop it.
What This Pack Does
The AWS WAF Content Pack is purpose-built for AWS WAF v2 (current generation web ACLs) with logging enabled and delivery through Amazon Kinesis Data Firehose. Once installed, it automatically identifies AWS WAF event log messages, parses the WAF JSON payload, and normalizes HTTP request and enforcement fields. Graylog Pipeline rules map BLOCK, ALLOW, COUNT, CAPTCHA, and CHALLENGE actions to the Graylog Information Model (GIM), assign severity, and set alert fields so enforcement outcomes surface as network detections.
Included in the pack
- Stream: Illuminate: AWS WAF Messages — created automatically if it doesn’t exist, with routing preconfigured and no stream rules required.
- Index Set: AWS WAF Event Log Messages — pre-defined with a daily rotation and 90-day retention, adjustable after installation.
- Parsing Rules: Extracts structured HTTP request, source, and vendor fields from the AWS WAF JSON payload.
- GIM Categorization: BLOCK, CAPTCHA, and CHALLENGE actions mapped to detection events; ALLOW and COUNT actions mapped to network events.
- Dashboard: AWS WAF Spotlight overview dashboard summarizing block, allow, count, CAPTCHA, and challenge activity.
Requirements
- Graylog 7.1.0+ with a valid Enterprise or Security license and Illuminate installed
- AWS WAF v2 (current generation web ACLs) with logging enabled
- Log delivery configured through Amazon Kinesis Data Firehose
Getting Logs into Graylog
Step 1 — Enable AWS WAF Logging
On the target Web ACL, enable logging and select an Amazon Kinesis Data Firehose stream as the delivery destination.
Step 2 — Configure the Firehose Delivery Stream
Configure the Firehose stream to deliver records to Graylog using the AWS Kinesis/CloudWatch input. Identification is handled automatically through the aws_kinesis_stream and aws_kinesis_message_type fields set by the Graylog AWS Kinesis input, so no specific stream name is required.
Step 3 — Sample Log Format
AWS WAF delivers one JSON object per inspected request. A BLOCK decision from a managed rule group may look like this:
{
  "timestamp": 1778140491525,
  "formatVersion": 1,
  "webaclId": "arn:aws:wafv2:us-east-1:517803882956:regional/webacl/prod-waf/3b8a9ef3-9057-4538-acdd-bda6c27c2131",
  "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
  "terminatingRuleType": "MANAGED_RULE_GROUP",
  "action": "BLOCK",
  "httpSourceName": "ALB",
  "httpRequest": {
    "clientIp": "185.142.236.41",
    "country": "SC",
    "uri": "/.well-known/security.txt",
    "httpMethod": "GET",
    "scheme": "http",
    "host": "34.238.104.93"
  },
  "labels": [
    { "name": "awswaf:managed:aws:core-rule-set:NoUserAgent_Header" }
  ]
}
An ALLOW decision handled by the web ACL’s default action may look like this:
{
  "timestamp": 1778154180000,
  "formatVersion": 1,
  "webaclId": "arn:aws:wafv2:us-east-1:517803882956:regional/webacl/prod-waf/3b8a9ef3-9057-4538-acdd-bda6c27c2131",
  "terminatingRuleId": "Default_Action",
  "terminatingRuleType": "REGULAR",
  "action": "ALLOW",
  "httpSourceName": "ALB",
  "httpRequest": {
    "clientIp": "192.0.2.10",
    "country": "US",
    "uri": "/",
    "httpMethod": "GET",
    "scheme": "https",
    "host": "app.example.com"
  },
  "labels": []
}
Step 4 — Install and Activate the Content Pack
In Graylog, navigate to Enterprise → Illuminate, locate the AWS WAF Processing Pack and Spotlight, and activate them. The stream and index set are created automatically. No additional rules are needed. For more detail, check out the docs here.
Events Processed by This Pack
The content pack processes AWS WAF enforcement events across five outcome categories:
- Block events (terminating rule matched): requests stopped by managed rule groups, custom rule groups, or rate-based rules.
- CAPTCHA events: a CAPTCHA challenge served to verify a human client before the request proceeds.
- Challenge events: a silent JavaScript browser challenge served to distinguish bots from legitimate clients.
- Allow events: requests inspected and passed through to the origin, including matches against the web ACL’s default action.
- Count events: telemetry-only matches where the request was logged but not blocked.
GIM Categorization
All events are mapped to the Graylog Information Model, enabling consistent correlation with other data sources across your environment:
| Log Type | Vendor Event Description | GIM Category | GIM Subcategory | GIM Event Type Code |
|---|---|---|---|---|
| aws_waf | WAF BLOCK – terminating rule matched and request was blocked | detection | detection.network detection | 300001 |
| aws_waf | WAF CAPTCHA – CAPTCHA challenge served to verify a human client | detection | detection.network detection | 300001 |
| aws_waf | WAF CHALLENGE – silent JavaScript browser challenge served | detection | detection.network detection | 300001 |
| aws_waf | WAF ALLOW – request inspected and allowed through | network | network.default | 129999 |
| aws_waf | WAF COUNT – telemetry-only match, request not blocked | network | network.default | 129999 |
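To make the Step 3 log format and the GIM table above concrete, here is an added Python example (not the content pack's own pipeline rules) that applies the same action-to-GIM mapping to newline-delimited WAF v2 records. The output field names and the assumption that records arrive one JSON object per line are this example's own; the sample input is constructed from the two records shown in Step 3.

```python
import json
# Action -> (GIM category, GIM subcategory, GIM event type code), from the table above.
GIM_MAP = {
    "BLOCK":     ("detection", "detection.network detection", 300001),
    "CAPTCHA":   ("detection", "detection.network detection", 300001),
    "CHALLENGE": ("detection", "detection.network detection", 300001),
    "ALLOW":     ("network", "network.default", 129999),
    "COUNT":     ("network", "network.default", 129999),
}

def normalize(record: dict) -> dict:
    """Flatten one WAF v2 record into GIM-style fields (output field names are assumed)."""
    action = str(record.get("action", "")).upper()
    if action not in GIM_MAP:
        raise ValueError(f"unknown WAF action: {action!r}")
    category, subcategory, code = GIM_MAP[action]
    req = record.get("httpRequest", {})
    return {
        "vendor_event_action": action,
        "gim_event_category": category,
        "gim_event_subcategory": subcategory,
        "gim_event_type_code": code,
        "alert": category == "detection",  # BLOCK/CAPTCHA/CHALLENGE surface as detections
        "source_ip": req.get("clientIp"),
        "source_country": req.get("country"),
        "http_method": req.get("httpMethod"),
        "http_uri": req.get("uri"),
        "rule_id": record.get("terminatingRuleId"),
        "rule_type": record.get("terminatingRuleType"),
        # Labels name the specific managed rule that fired, e.g. ...:NoUserAgent_Header
        "rule_labels": [lbl["name"] for lbl in record.get("labels", []) if "name" in lbl],
        "event_time_ms": record.get("timestamp"),
    }

def normalize_ndjson(text: str) -> list:
    # One JSON object per line; blank lines are skipped.
    return [normalize(json.loads(line)) for line in text.splitlines() if line.strip()]
# Constructed sample: two trimmed records in the format shown in Step 3.
SAMPLE = (
    '{"timestamp":1778140491525,"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet",'
    '"terminatingRuleType":"MANAGED_RULE_GROUP","httpRequest":{"clientIp":"185.142.236.41","country":"SC",'
    '"uri":"/.well-known/security.txt","httpMethod":"GET","host":"34.238.104.93"},'
    '"labels":[{"name":"awswaf:managed:aws:core-rule-set:NoUserAgent_Header"}]}\n'
    '{"timestamp":1778154180000,"action":"ALLOW","terminatingRuleId":"Default_Action",'
    '"terminatingRuleType":"REGULAR","httpRequest":{"clientIp":"192.0.2.10","country":"US","uri":"/",'
    '"httpMethod":"GET","host":"app.example.com"},"labels":[]}\n'
)
if __name__ == "__main__":
    for ev in normalize_ndjson(SAMPLE):
        print(ev["gim_event_category"], ev["gim_event_type_code"], ev["source_ip"], ev["rule_labels"])
```

Records with an action outside the five documented outcomes are rejected rather than silently filed as network events, which keeps an unexpected value from hiding in the default category.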
Why Log AWS WAF Events?
Collecting AWS WAF enforcement logs gives you more than a record of blocked requests: it directly supports security detection, threat hunting, incident response, and compliance audit use cases.
Security Monitoring
- Detect malicious payloads stopped by managed rule groups, such as SQL injection or cross-site scripting attempts
- Identify sources triggering repeated BLOCK actions, indicating targeted scanning or brute-force probing
- Spot COUNT-only matches that may warrant promotion to a blocking rule
- Track CAPTCHA and CHALLENGE issuance to catch automated clients attempting to bypass them
Threat Hunting
- Search for a specific terminating rule ID tied to a known attack campaign or CVE
- Correlate client IP addresses across ALLOW and BLOCK events to trace attacker enumeration
- Identify unusual country codes generating high volumes of blocked traffic against a web ACL
Incident Response
- Reconstruct the timeline of requests against a Web ACL during an investigation
- Identify which rule group and terminating rule stopped, or missed, a given attack
- Review ALLOW events surrounding a BLOCK to determine what traffic reached the origin beforehand
Compliance & Audit
- Maintain an immutable record of enforcement decisions made by public-facing WAF policies
- Demonstrate application-layer access controls are working as required by PCI DSS, HIPAA, or SOC 2
- Track rule group and Web ACL configuration changes for change management audits
Graylog Enterprise and Security
With Graylog Enterprise and Security, your team gains structured visibility into one of the most exposed layers of your environment: the public-facing web applications sitting behind AWS WAF. The AWS WAF Content Pack turns raw enforcement JSON into searchable, correlated, GIM-tagged data that flows directly into your threat detection, alerting, and investigation workflows. For full details on the fields extracted by this pack, see the Illuminate documentation.