Firewall Log Contents

AWS Network Firewall Logs Overview

Log Components and Fields

  1. firewall_name

    • The name of the firewall associated with the log entry.

  2. availability_zone

    • The Availability Zone where the firewall endpoint generated the log entry.

  3. event_timestamp

    • The time the log was created in epoch seconds (UTC).

  4. event

    • Contains detailed information about the event, including:

      • Human-readable timestamp

      • Event type (e.g., alert, netflow, tls)

      • Network packet details

      • Information on stateful rules (if applicable)


Types of Events in Network Firewall Logs

1. Alert and Flow Events (Suricata EVE Format)

  • Produced by Suricata, the open-source threat detection engine.

  • Alert Logs: Use the EVE output type alert to log detected security events.

  • Flow Logs: Use the EVE output type netflow to log uni-directional network flows (each flow entry logs traffic in a single direction).

Custom Field:

  • If TLS inspection is enabled, the logs include the field "tls_inspected": true. If TLS inspection is not configured, this field is omitted.


2. TLS Events (Dedicated TLS Engine)

  • Generated by a separate stateful TLS inspection engine.

  • Use the EVE output type tls for SSL/TLS events.

TLS Inspection Configuration:

Custom Fields in TLS Logs:

  1. "tls_error":

    • Reports TLS-related issues, such as Server Name Indication (SNI) mismatches.

    • Example Errors:

      • Client Hello SNI is NULL or mismatches the server certificate subject name.

  2. "revocation_check":

    • Reports failed certificate revocation checks for outbound traffic.

    • Includes:

      • Revocation status

      • Action taken (e.g., DROP)

      • SNI for the revoked certificate


Example Log Entries

1. Example Alert Log Entry (Suricata EVE Format)

{
    "firewall_name": "test-firewall",
    "availability_zone": "us-east-1b",
    "event_timestamp": "1602627001",
    "event": {
        "timestamp": "2020-10-13T22:10:01.006481+0000",
        "flow_id": 1582438383425873,
        "event_type": "alert",
        "src_ip": "203.0.113.4",
        "src_port": 55555,
        "dest_ip": "192.0.2.16",
        "dest_port": 111,
        "proto": "TCP",
        "alert": {
            "action": "allowed",
            "signature_id": 5,
            "rev": 0,
            "signature": "test_tcp",
            "category": "",
            "severity": 1
        }
    }
}

Explanation:

  • This log shows an alert event triggered by Suricata.

  • Source IP: 203.0.113.4 attempted a TCP connection to 192.0.2.16 on port 111.

  • The alert action was "allowed", with a severity level of 1.


2. Example TLS Log Entry (Certificate Revocation Check Failure)

{
    "firewall_name": "egress-fw",
    "availability_zone": "us-east-1d",
    "event_timestamp": 1708361189,
    "event": {
        "src_ip": "10.0.2.53",
        "src_port": "55930",
        "revocation_check": {
            "leaf_cert_fpr": "1234567890EXAMPLE0987654321",
            "status": "REVOKED",
            "action": "DROP"
        },
        "dest_ip": "54.92.160.72",
        "dest_port": "443",
        "timestamp": "2024-02-19T16:46:29.441824Z",
        "sni": "revoked-rsa-dv.ssl.com"
    }
}

Explanation:

  • Source IP: 10.0.2.53 tried to connect to destination IP 54.92.160.72 over port 443 (HTTPS).

  • The certificate revocation check failed with the status "REVOKED", and the connection was dropped.

  • The log includes the SNI value: revoked-rsa-dv.ssl.com.
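The two example entries above differ in more than event type: the alert entry carries ports as integers and event_timestamp as a string, while the TLS entry carries ports as strings and event_timestamp as an integer, and the TLS entry has no event_type key at all. The following is an added example, not code from AWS or from this page, of a small normalizer and triage pass that handles those differences and flags the two conditions a defender would want surfaced: a severity-1 Suricata alert whose action was "allowed" (the rule alerted but the traffic passed) and a revocation_check that ended in DROP. The sample log lines are constructed from the examples above (with a "tls_inspected": true field added to the alert to show the custom field), and classifying an entry without event_type as a TLS event by the presence of revocation_check or tls_error is an assumption made for this example.

```python
import json
from typing import Any, Dict, List

# Constructed sample lines mirroring the two example entries on this page.
# Test input for this example only, not captured production logs.
SAMPLE_LOG_LINES = [
    json.dumps({
        "firewall_name": "test-firewall",
        "availability_zone": "us-east-1b",
        "event_timestamp": "1602627001",          # string in the alert example
        "event": {
            "timestamp": "2020-10-13T22:10:01.006481+0000",
            "flow_id": 1582438383425873,
            "event_type": "alert",
            "src_ip": "203.0.113.4", "src_port": 55555,
            "dest_ip": "192.0.2.16", "dest_port": 111,
            "proto": "TCP",
            "tls_inspected": True,                # custom field, present only when TLS inspection is enabled
            "alert": {"action": "allowed", "signature_id": 5, "rev": 0,
                      "signature": "test_tcp", "category": "", "severity": 1},
        },
    }),
    json.dumps({
        "firewall_name": "egress-fw",
        "availability_zone": "us-east-1d",
        "event_timestamp": 1708361189,            # integer in the TLS example
        "event": {
            "src_ip": "10.0.2.53", "src_port": "55930",   # ports are strings here
            "revocation_check": {"leaf_cert_fpr": "1234567890EXAMPLE0987654321",
                                 "status": "REVOKED", "action": "DROP"},
            "dest_ip": "54.92.160.72", "dest_port": "443",
            "timestamp": "2024-02-19T16:46:29.441824Z",
            "sni": "revoked-rsa-dv.ssl.com",
        },
    }),
]


def normalize(line: str) -> Dict[str, Any]:
    """Flatten one log line into a record with consistent field types."""
    rec = json.loads(line)
    ev = rec["event"]
    etype = ev.get("event_type")
    # Assumption for this example: the TLS entry carries no event_type, so
    # classify it by the custom fields the TLS engine writes.
    if etype is None and ("revocation_check" in ev or "tls_error" in ev):
        etype = "tls"
    return {
        "firewall": rec["firewall_name"],
        "az": rec["availability_zone"],
        "epoch": int(rec["event_timestamp"]),       # accept string or int
        "event_type": etype or "unknown",
        "src_ip": ev.get("src_ip"),
        "src_port": int(ev["src_port"]) if "src_port" in ev else None,
        "dest_ip": ev.get("dest_ip"),
        "dest_port": int(ev["dest_port"]) if "dest_port" in ev else None,
        "tls_inspected": bool(ev.get("tls_inspected", False)),  # omitted => False
        "alert": ev.get("alert"),
        "revocation_check": ev.get("revocation_check"),
        "tls_error": ev.get("tls_error"),
        "sni": ev.get("sni"),
    }


def triage(lines: List[str]) -> List[Dict[str, Any]]:
    """Return one finding per entry that merits analyst attention."""
    findings: List[Dict[str, Any]] = []
    for line in lines:
        e = normalize(line)
        flow = {"src": f'{e["src_ip"]}:{e["src_port"]}',
                "dest": f'{e["dest_ip"]}:{e["dest_port"]}',
                "firewall": e["firewall"], "epoch": e["epoch"]}
        if e["event_type"] == "alert" and e["alert"]:
            a = e["alert"]
            # Suricata severity 1 is the highest priority; "allowed" means the
            # rule only alerted, so the traffic was not blocked.
            if a["severity"] == 1 and a["action"] == "allowed":
                findings.append({"kind": "high_severity_allowed", "sid": a["signature_id"],
                                 "signature": a["signature"],
                                 "tls_inspected": e["tls_inspected"], **flow})
        elif e["event_type"] == "tls":
            rc = e["revocation_check"]
            if rc and rc["action"] == "DROP":
                findings.append({"kind": "revoked_cert_dropped", "status": rc["status"],
                                 "leaf_cert_fpr": rc["leaf_cert_fpr"], "sni": e["sni"], **flow})
            if e["tls_error"]:
                findings.append({"kind": "tls_error", "detail": e["tls_error"],
                                 "sni": e["sni"], **flow})
    return findings


def count_by_type(lines: List[str]) -> Dict[str, int]:
    """Count entries per event type, useful as a sanity check on log delivery."""
    counts: Dict[str, int] = {}
    for line in lines:
        t = normalize(line)["event_type"]
        counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    print(count_by_type(SAMPLE_LOG_LINES))
    for f in triage(SAMPLE_LOG_LINES):
        print(json.dumps(f))
```

Reading the whole file of log lines into SAMPLE_LOG_LINES (or iterating a file object line by line) is the only change needed to run this over exported log data; the normalizer tolerates the type differences so that port and timestamp comparisons downstream do not silently fail on string-versus-integer mismatches.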
