-
Notifications
You must be signed in to change notification settings - Fork 166
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'main' into cloudwatch-firehose
- Loading branch information
Showing
458 changed files
with
22,462 additions
and
49 deletions.
There are no files selected for viewing
Validating CODEOWNERS rules …
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
name: Elastic docs | ||
|
||
on: | ||
pull_request_target: | ||
# The paths property can be omitted entirely if the repo is mainly used for docs. Leaving it in can result in builds that | ||
# have branch protection checks in place lose the ability to merge because the workflow is not starting. If this property | ||
# is included, please ensure that branch protection checks are disabled for the repo. | ||
paths: | ||
# Preface with your docs dir if you need further specificity (optional) | ||
- 'docs/en/serverless/**.mdx' | ||
- 'docs/en/serverless/**.docnav.json' | ||
- 'docs/en/serverless/**.docapi.json' | ||
- 'docs/en/serverless/**.devdocs.json' | ||
- 'docs/en/serverless/**.jpg' | ||
- 'docs/en/serverless/**.jpeg' | ||
- 'docs/en/serverless/**.svg' | ||
- 'docs/en/serverless/**.png' | ||
- 'docs/en/serverless/**.gif' | ||
types: [closed, opened, synchronize, labeled] | ||
|
||
jobs: | ||
publish: | ||
if: contains(github.event.pull_request.labels.*.name, 'ci:doc-build') | ||
uses: elastic/workflows/.github/workflows/docs-elastic-co-publish.yml@main | ||
with: | ||
subdirectory: 'docs/en/serverless/' | ||
secrets: | ||
VERCEL_GITHUB_TOKEN: ${{ secrets.VERCEL_GITHUB_TOKEN_PUBLIC }} | ||
VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN_PUBLIC }} | ||
VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID_PUBLIC }} | ||
VERCEL_PROJECT_ID_DOCS_CO: ${{ secrets.VERCEL_PROJECT_ID_DOCS_CO_PUBLIC }} |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary file added
BIN
+473 KB
docs/en/observability/cloud-monitoring/aws/images/firehose-waf-logs.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
128 changes: 128 additions & 0 deletions
128
docs/en/observability/cloud-monitoring/aws/monitor-aws-waf-firehose.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,128 @@ | ||
[[monitor-aws-waf-firehose]] | ||
= Monitor Web Application Firewall (WAF) logs | ||
|
||
++++ | ||
<titleabbrev>Monitor WAF logs</titleabbrev> | ||
++++ | ||
|
||
In this section, you'll learn how to send AWS WAF events from AWS to your {stack} using Amazon Data Firehose. | ||
|
||
You will go through the following steps: | ||
|
||
- Select a WAF-compatible resource (for example, a CloudFront distribution) | ||
- Create a delivery stream in Amazon Data Firehose | ||
- Create a web Access Control List (ACL) to generate WAF logs | ||
- Set up logging to forward the logs to the {stack} using a Firehose stream | ||
- Visualize your WAF logs in {kib} | ||
|
||
[discrete] | ||
[[firehose-waf-prerequisites]] | ||
== Before you begin | ||
|
||
We assume that you already have: | ||
|
||
- An AWS account with permissions to pull the necessary data from AWS. | ||
- A deployment using our hosted {ess} on {ess-trial}[{ecloud}]. The deployment includes an {es} cluster for storing and searching your data, and {kib} for visualizing and managing your data. AWS Data Firehose works with Elastic Stack version 7.17 or greater, running on Elastic Cloud only. | ||
|
||
IMPORTANT: Make sure the deployment is on AWS, because the Amazon Data Firehose delivery stream connects specifically to an endpoint that needs to be on AWS. | ||
|
||
[discrete] | ||
[[firehose-waf-step-one]] | ||
== Step 1: Install the AWS integration in {kib} | ||
|
||
. In {kib}, navigate to *Management* > *Integrations* and browse the catalog to find the AWS integration. | ||
|
||
. Navigate to the *Settings* tab and click *Install AWS assets*. | ||
|
||
[discrete] | ||
[[firehose-waf-step-two]] | ||
== Step 2: Create a delivery stream in Amazon Data Firehose | ||
|
||
. Go to the https://console.aws.amazon.com/[AWS console] and navigate to Amazon Data Firehose. | ||
|
||
. Click *Create Firehose stream* and choose the source and destination of your Firehose stream. Unless you are streaming data from Kinesis Data Streams, set source to `Direct PUT` and destination to `Elastic`. | ||
|
||
. Provide a meaningful *Firehose stream name* that will allow you to identify this delivery stream later. Your Firehose name must start with the prefix `aws-waf-logs-` or it will not show up later. | ||
|
||
NOTE: For advanced use cases, source records can be transformed by invoking a custom Lambda function. When using Elastic integrations, this should not be required. | ||
|
||
[discrete] | ||
[[firehose-waf-step-three]] | ||
== Step 3: Specify the destination settings for your Firehose stream | ||
|
||
. From the *Destination settings* panel, specify the following settings: | ||
+ | ||
* *Elastic endpoint URL*: Enter the Elastic endpoint URL of your Elasticsearch cluster. To find the Elasticsearch endpoint, go to the Elastic Cloud console, navigate to the Integrations page, and select *Connection details*. Here is an example of how it looks like: `https://my-deployment.es.us-east-1.aws.elastic-cloud.com`. | ||
+ | ||
* *API key*: Enter the encoded Elastic API key. To create an API key, go to the Elastic Cloud console, navigate to the Integrations page, select *Connection details* and click *Create and manage API keys*. If you are using an API key with *Restrict privileges*, make sure to review the Indices privileges to provide at least "auto_configure" & "write" permissions for the indices you will be using with this delivery stream. | ||
+ | ||
* *Content encoding*: For a better network efficiency, leave content encoding set to GZIP. | ||
+ | ||
* *Retry duration*: Determines how long Firehose continues retrying the request in the event of an error. A duration of 60-300s should be suitable for most use cases. | ||
+ | ||
* *es_datastream_name*: `logs-aws.waf-default` | ||
|
||
[discrete] | ||
[[firehose-waf-step-four]] | ||
== Step 4: Create a web access control list | ||
|
||
To create a new web access control list (ACL), follow these steps: | ||
|
||
. Go to the https://console.aws.amazon.com/[AWS console] and navigate to the *WAF & Shield* page. | ||
|
||
. Describe web ACL by entering the resource type, region, and name. | ||
|
||
. Associate it to an AWS resource. If you don't have an existing resource, you can create and attach a web ACL to several AWS resources: | ||
+ | ||
- CloudFront distribution | ||
- Application Load Balancers | ||
- Amazon API Gateway REST APIs | ||
- Amazon App Runner services | ||
- AWS AppSync GraphQL APIs | ||
- Amazon Cognito user pools | ||
- AWS Verified Access Instances | ||
|
||
. Add a 1 or 2 rules to the *Free rule groups* list from the AWS managed rule groups. Keep all other settings to their default values. | ||
|
||
. Set the rule priority by keeping default values. | ||
|
||
. Configure metrics by keeping default values. | ||
|
||
. Review and create the web ACL. | ||
|
||
[discrete] | ||
[[firehose-waf-step-five]] | ||
== Step 5: Set up logging | ||
|
||
. Go to the web ACL you created in the previous step. | ||
|
||
. Open the *Logging and metrics* section and edit the following settings: | ||
+ | ||
- *Logging destination*: select "Amazon Data Firehose stream" | ||
- *Amazon Data Firehose stream*: select the Firehose stream you created in step 2. | ||
|
||
WAF creates the required Identity and Access Management (IAM) role. | ||
If your Firehose stream name doesn't appear in the list, make sure the name you chose for the stream starts with `aws-waf-logs-`, as prescribed by AWS naming conventions. | ||
|
||
[discrete] | ||
[[firehose-waf-step-six]] | ||
== Step 6: Visualize your WAF logs in {kib} | ||
|
||
You can now log into your {stack} to check if the WAF logs are flowing. To generate logs, you can use cURL to send HTTP requests to your testing CloudFront distribution. | ||
|
||
[source,console] | ||
---- | ||
curl -i https://<your cloudfront distribution>.cloudfront.net | ||
---- | ||
|
||
To maintain a steady flow of logs, you can use `watch -n 5` to repeat the command every 5 seconds. | ||
|
||
[source,console] | ||
---- | ||
watch -n 5 curl -i https://<your cloudfront distribution>.cloudfront.net | ||
---- | ||
|
||
Navigate to Kibana and visualize the first WAF logs in your {stack}. | ||
|
||
[role="screenshot"] | ||
image::firehose-waf-logs.png[Firehose WAF logs in Kibana] |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.