Skip to main content

AWS Web Application Firewall (WAF) logs

The AWS Web Application Firewall (WAF) Matano managed log source lets you ingest your AWS WAF protected traffic logs directly into Matano.

WAF traffic logs provide detailed information about traffic that is analyzed by your web access control lists (ACLs). The AWS WAF managed log source supports AWS WAF but not AWS WAF Classic.


Use the managed log source by specifying the managed.type property in your log_source as AWS_WAF.

name: "aws_waf"

type: "AWS_WAF"


The AWS WAF managed log source supports a single table containing WAF traffic logs.



AWS WAF logging must be enabled on your Web ACL and configured to deliver to the desired S3 Bucket ARN. For more on configuring a Web ACL to deliver traffic logs, see the relevant AWS documentation:

You can provide the S3 bucket you are using for delivery to Matano by using the ingest.s3_source configuration in your log_source.yml (Bring your own bucket).


AWS WAF log data is normalized to ECS fields. Custom fields are normalized into the aws.waf field. You can view the complete mapping to see the full schema.