Firewall Log Contents

AWS Network Firewall Logs Overview

Log Components and Fields

1. firewall_name

   • The name of the firewall associated with the log entry.

2. availability_zone

   • The Availability Zone where the firewall endpoint generated the log entry.

3. event_timestamp

   • The time the log was created in epoch seconds (UTC).

4. event

   • Contains detailed information about the event, including:

     • Human-readable timestamp

     • Event type (e.g., alert, netflow, tls)

     • Network packet details

     • Information on stateful rules (if applicable)

---

Types of Events in Network Firewall Logs

1. Alert and Flow Events (Suricata EVE Format)

• Produced by Suricata, the open-source threat detection engine.

• Alert Logs: Use the EVE output type alert to log detected security events.

• Flow Logs: Use the EVE output type netflow to log uni-directional network flows (each flow entry logs traffic in a single direction).

Custom Field:

• If TLS inspection is enabled, the logs include the field: "tls_inspected": true If TLS inspection is not configured, this field is omitted.

---

2. TLS Events (Dedicated TLS Engine)

• Generated by a separate stateful TLS inspection engine.

• Use the EVE output type tls for SSL/TLS events.

TLS Inspection Configuration:

• These logs only appear if the firewall is configured for TLS inspection. For details, refer to TLS Inspection Configurations.

Custom Fields in TLS Logs:

1. "tls_error":

   • Reports TLS-related issues, such as Server Name Indication (SNI) mismatches.

   • Example Errors:

     • Client Hello SNI is NULL or mismatches the server certificate subject name.

2. "revocation_check":

   • Reports failed certificate revocation checks for outbound traffic.

   • Includes:

     • Revocation status

     • Action taken (e.g., DROP)

     • SNI for the revoked certificate

---

Example Log Entries

1. Example Alert Log Entry (Suricata EVE Format)

{
    "firewall_name": "test-firewall",
    "availability_zone": "us-east-1b",
    "event_timestamp": "1602627001",
    "event": {
        "timestamp": "2020-10-13T22:10:01.006481+0000",
        "flow_id": 1582438383425873,
        "event_type": "alert",
        "src_ip": "203.0.113.4",
        "src_port": 55555,
        "dest_ip": "192.0.2.16",
        "dest_port": 111,
        "proto": "TCP",
        "alert": {
            "action": "allowed",
            "signature_id": 5,
            "rev": 0,
            "signature": "test_tcp",
            "category": "",
            "severity": 1
        }
    }
}

Explanation:

• This log shows an alert event triggered by Suricata.

• Source IP: 203.0.113.4 attempted a TCP connection to 192.0.2.16 on port 111.

• The alert action was "allowed", with a severity level of 1.

---

2. Example TLS Log Entry (Certificate Revocation Check Failure)

{
    "firewall_name": "egress-fw",
    "availability_zone": "us-east-1d",
    "event_timestamp": 1708361189,
    "event": {
        "src_ip": "10.0.2.53",
        "src_port": "55930",
        "revocation_check": {
            "leaf_cert_fpr": "1234567890EXAMPLE0987654321",
            "status": "REVOKED",
            "action": "DROP"
        },
        "dest_ip": "54.92.160.72",
        "dest_port": "443",
        "timestamp": "2024-02-19T16:46:29.441824Z",
        "sni": "revoked-rsa-dv.ssl.com"
    }
}

Explanation:

• Source IP: 10.0.2.53 tried to connect to destination IP 54.92.160.72 over port 443 (HTTPS).

• The certificate revocation check failed with the status "REVOKED", and the connection was dropped.

• The log includes the SNI value: revoked-rsa-dv.ssl.com.