Fastly WAF Security Logs
Fastly Web Application Firewall (WAF) logs capture security events and threat detection data from Fastly’s edge security services. These logs include information about HTTP requests, response states, client information, and geographic data that helps protect web applications from various cyber threats.
Ingest Methods
Setup the ingestion of this source using one of the following guides:
- AWS S3 Bucket
- AWS S3 Bucket with Custom SQS
- Azure Blob Storage
- Google Cloud Storage
- Cloudflare R2 Bucket
If using an AWS S3 bucket use the following SNS topic ARN to send your bucket notifications.
arn:aws:sns:<REGION>:253602268883:runreveal_fastlywafSetup
Setting up Fastly WAF logs requires the use of Fastly’s log streaming service to send logs to your object storage bucket. For a detailed guide on collecting logs from a storage bucket review the links under Ingest Methods above.
Fastly Log Streaming Configuration
Configure Fastly to stream WAF logs to your chosen storage bucket using Fastly’s real-time log streaming feature. This provides immediate delivery of security events for real-time monitoring and analysis.
Supported Storage Providers
| Provider | Description | Setup Guide |
|---|---|---|
| AWS S3 | Stream WAF logs directly to Amazon S3 for scalable storage and integration with AWS analytics services | Fastly S3 Logging Guide |
| Google Cloud Storage | Send WAF logs to Google Cloud Storage for integration with BigQuery and other GCP analytics tools | Fastly Google Cloud Storage Logging Guide |
| Azure Blob Storage | Configure Fastly to stream WAF logs to Azure Blob Storage for integration with Azure analytics services | Fastly Azure Blob Storage Logging Guide |
| Cloudflare R2 | Use Cloudflare R2’s S3-compatible API to receive Fastly WAF logs. Configure as an S3 endpoint with R2 credentials | Cloudflare R2 S3 API Documentation |
Source Configuration
When setting up your Fastly WAF source, provide:
- Source Name: A descriptive name for your Fastly WAF source
- Object Storage Configuration: Based on your chosen storage method
- Health Check Duration: Configure how often to check source health (default: 1 day)
- Notification Channels: Set up alerts for when the source stops receiving events
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: fastly_waf_logs (16 columns)
fastly_waf_logs (16 columns)| Column | Type |
|---|---|
timestamp | String |
client_ip | String |
geo_country | String |
geo_city | String |
host | String |
url | String |
request_method | String |
request_protocol | String |
request_referer | String |
request_user_agent | String |
response_state | String |
response_status | String |
response_reason | String |
response_body_size | String |
fastly_server | String |
fastly_is_edge | String |