Filebeat AWS Module - S3 input support for AWS WAF logs

[octavialarentisgsa]

Describe the enhancement:
An enhancement to current the Filebeat AWS module to allow parsing of AWS WAF logs directly to ECS format is requested.

Describe a specific use case for the enhancement or feature:
Currently the Filebeat AWS module allows certain AWS logs to be pulled directly from AWS S3 buckets (CloudTrail, CloudWatch, ELB, EC2 etc.). This module does not offer support for WAF logs, which requires custom log format parsing to migrate the raw log format into the ECS format.

[elasticmachine]

Pinging @elastic/integrations (Team:Integrations)

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[andrewkroh]

WAF logs have a JSON format. https://docs.aws.amazon.com/waf/latest/developerguide/logging.html

They can be written to S3 from Kinesis. https://aws.amazon.com/premiumsupport/knowledge-center/waf-configure-comprehensive-logging/

Note that according to #25296, the Content-Type on the file may not be application/json so to use the aws-s3 input you need to set content_type: application/json to get the data parsed as JSON.

[legoguy1000]

@octavialarentisgsa can you take a look at elastic/integrations#1886. Since you use the WAF logs, I'd like to get your input.

[kaykhan]

Its a little bit confusing from the current documentation how to actually integrate aws waf logs into elasticsearch.

I still don't see waf mentioned under the filebeat module https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-aws.html - so is it even possible? although it is mentioned in the elastic agents https://docs.elastic.co/en/integrations/aws/waf (we don't use elastic agents)

[legoguy1000]

Correct, there is no filebeat module for it. Only an agent integration.