Storing AWS WAF logs in S3 and querying them with Athena
Founder
2025-01-11 07:08:09

1. Create the WAF for the CDN (CloudFront) web ACL, configure its rules, and set the log destination to S3.

2. Use the Amazon Athena service (note: run Athena in the same region as the S3 log bucket).

https://docs.aws.amazon.com/zh_cn/athena/latest/ug/waf-logs.html
Follow the official documentation and create a table that uses partition projection.

The documentation's DDL cannot be used as-is, because the logs come from a CloudFront (CDN) resource, so the relevant fields (region and S3 path) have to be adjusted:

```sql
-- Replace the <...> placeholders with your own bucket, account id and web ACL name.
CREATE EXTERNAL TABLE `waf_logs`(
  `timestamp` bigint,
  `formatversion` int,
  `webaclid` string,
  `terminatingruleid` string,
  `terminatingruletype` string,
  `action` string,
  `terminatingrulematchdetails` array <
    struct <
      conditiontype: string,
      sensitivitylevel: string,
      location: string,
      matcheddata: array < string >
    >
  >,
  `httpsourcename` string,
  `httpsourceid` string,
  `rulegrouplist` array <
    struct <
      rulegroupid: string,
      terminatingrule: struct <
        ruleid: string,
        action: string,
        rulematchdetails: array <
          struct <
            conditiontype: string,
            sensitivitylevel: string,
            location: string,
            matcheddata: array < string >
          >
        >
      >,
      nonterminatingmatchingrules: array <
        struct <
          ruleid: string,
          action: string,
          overriddenaction: string,
          rulematchdetails: array <
            struct <
              conditiontype: string,
              sensitivitylevel: string,
              location: string,
              matcheddata: array < string >
            >
          >,
          challengeresponse: struct <
            responsecode: string,
            solvetimestamp: string
          >,
          captcharesponse: struct <
            responsecode: string,
            solvetimestamp: string
          >
        >
      >,
      excludedrules: string
    >
  >,
  `ratebasedrulelist` array <
    struct <
      ratebasedruleid: string,
      limitkey: string,
      maxrateallowed: int
    >
  >,
  `nonterminatingmatchingrules` array <
    struct <
      ruleid: string,
      action: string,
      rulematchdetails: array <
        struct <
          conditiontype: string,
          sensitivitylevel: string,
          location: string,
          matcheddata: array < string >
        >
      >,
      challengeresponse: struct <
        responsecode: string,
        solvetimestamp: string
      >,
      captcharesponse: struct <
        responsecode: string,
        solvetimestamp: string
      >
    >
  >,
  `requestheadersinserted` array <
    struct <
      name: string,
      value: string
    >
  >,
  `responsecodesent` string,
  `httprequest` struct <
    clientip: string,
    country: string,
    headers: array <
      struct <
        name: string,
        value: string
      >
    >,
    uri: string,
    args: string,
    httpversion: string,
    httpmethod: string,
    requestid: string
  >,
  `labels` array <
    struct <
      name: string
    >
  >,
  `captcharesponse` struct <
    responsecode: string,
    solvetimestamp: string,
    failureReason: string
  >,
  `challengeresponse` struct <
    responsecode: string,
    solvetimestamp: string,
    failureReason: string
  >,
  `ja3Fingerprint` string,
  `oversizefields` string,
  `requestbodysize` int,
  `requestbodysizeinspectedbywaf` int
)
PARTITIONED BY (
  `region` string,
  `date` string
)
ROW FORMAT SERDE
  'org.openx.data.jsonserde.JsonSerDe'
STORED AS INPUTFORMAT
  'org.apache.hadoop.mapred.TextInputFormat'
OUTPUTFORMAT
  'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION
  's3://<bucket-name>/AWSLogs/<account-id>/WAFLogs/cloudfront/'
TBLPROPERTIES(
  'projection.enabled' = 'true',
  'projection.region.type' = 'enum',
  'projection.region.values' = 'cloudfront',
  'projection.date.type' = 'date',
  'projection.date.range' = '2024/07/08,NOW',
  'projection.date.format' = 'yyyy/MM/dd',
  'projection.date.interval' = '1',
  'projection.date.interval.unit' = 'DAYS',
  'storage.location.template' = 's3://<bucket-name>/AWSLogs/<account-id>/WAFLogs/${region}/<web-acl-name>/${date}/'
)
```

Replace the text inside < > with your own resources (bucket name, account id, web ACL name).

Test queries:

```sql
-- Requests stopped by a rate-based rule, counted per country
SELECT
  COUNT(httpRequest.country) AS count,
  httpRequest.country
FROM waf_logs
WHERE terminatingruletype = 'RATE_BASED'
GROUP BY httpRequest.country
ORDER BY count
LIMIT 100;

-- Client IPs and URIs hitting one specific terminating rule (fill in the rule id)
SELECT
  COUNT(*) AS count,
  webaclid,
  action,
  httprequest.clientip,
  httprequest.uri
FROM waf_logs
WHERE terminatingruleid = '<terminating-rule-id>'
GROUP BY webaclid, action, httprequest.clientip, httprequest.uri
ORDER BY count DESC
LIMIT 100;
```

The field values in the SQL have to be changed to your own; it helps to first run a query over the whole table to see which fields and values are present before searching.
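As an added example (not part of the original post or the AWS documentation), the following Python script works through the same pipeline locally: it builds the S3 prefix that the table's `storage.location.template` resolves to for one day, parses constructed WAF log lines in the format WAF writes to S3, and runs the two test queries' aggregations over them. The bucket, account id, web ACL name and rule ids are assumed placeholders.

```python
import json
from collections import Counter
from datetime import date

def _rec(rule_id, rule_type, action, ip, country, uri):
    # Constructed record in the WAF log JSON format (camelCase keys as WAF writes them;
    # the OpenX JSON SerDe maps them to the lowercase DDL columns case-insensitively).
    return json.dumps({"timestamp": 1720425600000, "formatVersion": 1, "webaclId": "arn:example-acl",
                       "terminatingRuleId": rule_id, "terminatingRuleType": rule_type, "action": action,
                       "httpRequest": {"clientIp": ip, "country": country, "uri": uri, "httpMethod": "GET"}})

SAMPLE_LOG_LINES = [  # constructed sample: one JSON record per line, as in the S3 log objects
    _rec("rate-limit-login", "RATE_BASED", "BLOCK", "203.0.113.10", "US", "/login"),
    _rec("rate-limit-login", "RATE_BASED", "BLOCK", "203.0.113.10", "US", "/login"),
    _rec("rate-limit-login", "RATE_BASED", "BLOCK", "198.51.100.7", "DE", "/login"),
    _rec("Default_Action", "REGULAR", "ALLOW", "192.0.2.5", "US", "/"),
    "{not valid json",  # a truncated line, to show it is skipped rather than aborting the run
]

def partition_prefix(bucket, account_id, web_acl_name, day_iso):
    """S3 prefix the table's storage.location.template resolves to for one day (ISO date).
    The region partition is always 'cloudfront' for a CloudFront web ACL."""
    day = date.fromisoformat(day_iso)
    return f"s3://{bucket}/AWSLogs/{account_id}/WAFLogs/cloudfront/{web_acl_name}/{day:%Y/%m/%d}/"

def parse_waf_log(lines):
    """Parse newline-delimited WAF records; malformed lines are skipped."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def rate_based_by_country(records):
    """First test query: requests stopped by a RATE_BASED rule, per country, ascending count."""
    counts = Counter(r["httpRequest"]["country"] for r in records
                     if r.get("terminatingRuleType") == "RATE_BASED")
    return sorted(counts.items(), key=lambda kv: kv[1])

def top_requests_for_rule(records, rule_id):
    """Second test query: (webaclid, action, clientip, uri) for one rule, most frequent first."""
    counts = Counter((r["webaclId"], r["action"], r["httpRequest"]["clientIp"], r["httpRequest"]["uri"])
                     for r in records if r.get("terminatingRuleId") == rule_id)
    return counts.most_common()

if __name__ == "__main__":
    recs = parse_waf_log(SAMPLE_LOG_LINES)
    print(rate_based_by_country(recs), top_requests_for_rule(recs, "rate-limit-login"))
```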
