Building a Real-Time AWS WAF Log Analytics Dashboard with OpenSearch


This blog walks you through an end-to-end log analytics pipeline built from AWS WAF, Kinesis Data Firehose, S3, Logstash, and OpenSearch Dashboards. The goal is to analyze and visualize traffic patterns, in particular the unwanted requests that WAF blocks in front of an EC2-hosted NGINX server.
🧩 Architecture Overview
Here’s the flow of data across our components:
- NGINX application on an EC2 instance in a public subnet.
- An Application Load Balancer in front of the EC2 instance.
- AWS WAF rules on the load balancer block access from certain sources.
- WAF logs are sent to Amazon Kinesis Data Firehose.
- Firehose delivers the logs to an S3 bucket.
- Logstash reads from S3 and parses the logs.
- Logs are indexed into OpenSearch.
- Visualized through OpenSearch Dashboards.
🏗️ Step 1: Deploy NGINX on EC2
Spin up an EC2 instance in a public subnet and install NGINX:
sudo apt-get update -y
sudo apt-get install nginx -y
sudo systemctl enable nginx
sudo systemctl start nginx
sudo systemctl status nginx
Ensure the EC2 is behind an Application Load Balancer (ALB).
Step 2: Protect with AWS WAF
Attach AWS WAF to your ALB. Create custom rules to filter traffic (e.g., block based on IP, User-Agent, geo, etc.).
Enable logging in WAF and configure Kinesis Data Firehose as the log destination.
🧾 Step-by-Step Instructions
1. Create an AWS WAF Web ACL
- Go to the AWS WAF & Shield service in the AWS Console.
- Click “Create web ACL”.
- Provide a name and description (e.g., nginx-web-acl).
- Select the Region (e.g., us-east-1) and the Resource type “Regional resources”.
- Choose the associated AWS resource type: Application Load Balancer.
- Choose the ALB that routes traffic to your NGINX EC2 instance.
2. Add WAF Rules
You can use managed rules or define custom ones. Examples:
➤ Block Local IP Range (Simulate External Access Block)
To simulate blocking traffic from your own machine, add a custom rule that blocks a specific IP:
- Under “Add rules”, click Add my own rules and rule groups.
- Create a rule:
  - Rule name: BlockLocalIP
  - Type: IP set
  - Create a new IP set with your local public IP.
  - Set action to Block.
- Add the rule to the Web ACL.
3. Configure Logging to Kinesis Data Firehose
WAF logs can be sent to Amazon Kinesis Data Firehose, which forwards them to S3.
- In the left nav, go to Logging and metrics under WAF.
- Click “Enable logging”.
- Select your Web ACL.
- Choose the Kinesis Firehose delivery stream that you created earlier (e.g., waf-logs-stream). Note that AWS WAF only lists delivery streams whose names begin with aws-waf-logs- and that live in the same Region as the Web ACL, so create the stream accordingly.
- Optionally, add filters or redactions.
- Save changes.
4. Verify Logs Are Flowing
- Send traffic through your Load Balancer (via browser or curl).
- JSON log files arrive in the S3 bucket via Firehose.
- Each log event contains request metadata such as clientIp, action, ruleMatched, httpRequest, etc.
These logs will be picked up later by Logstash and placed in your pipeline.
🐳 Step 3: Deploy OpenSearch and Logstash with Docker
Create a Docker network:
docker network create opensearch-net
🔍 Run OpenSearch:
docker run -d --name opensearch-node1 \
--network opensearch-net \
-p 9200:9200 -p 9600:9600 \
-e "discovery.type=single-node" \
-e "OPENSEARCH_INITIAL_ADMIN_PASSWORD=Redhat@123" \
opensearchproject/opensearch:latest
📊 OpenSearch Dashboards:
docker run -d --name opensearch-dashboards \
--network opensearch-net \
-p 5601:5601 \
-e OPENSEARCH_HOSTS='["https://opensearch-node1:9200"]' \
-e OPENSEARCH_USERNAME='admin' \
-e OPENSEARCH_PASSWORD='Redhat@123' \
opensearchproject/opensearch-dashboards:latest
📥 Step 5: Logstash to Process WAF Logs
Use the official image with the OpenSearch plugin:
docker run -d --name logstash-01 \
--network opensearch-net \
-v /home/neetesh/cloudkeeper-workspace/waf-promethuses-02/logstash-pipeline:/usr/share/logstash/pipeline \
-v /tmp/logstash-s3:/tmp/logstash-s3 \
opensearchproject/logstash-oss-with-opensearch-output-plugin:latest
🔧 Logstash Pipeline Configuration
input {
  s3 {
    bucket              => "poc-s3-bucket-00000001"
    prefix              => ""             # Adjust if you want to limit the path
    region              => "us-east-1"    # Replace with your bucket's region
    codec               => "json"
    # This path lies outside the mounted /tmp/logstash-s3 directory, so the read
    # position is lost whenever the container is recreated and every object in the
    # bucket is ingested again (duplicate events). Place it under the mount to persist it.
    sincedb_path        => "/tmp/logstash-s3.sincedb"
    temporary_directory => "/tmp/logstash-s3"
    # Placeholders. Prefer an IAM role on the host, or Logstash's ${AWS_ACCESS_KEY_ID}
    # style environment substitution, over static keys inside the pipeline file.
    access_key_id       => "ACCESS_KEY_ID"
    secret_access_key   => "SECRET_ACCESS_KEY"
  }
}

filter {
  # Drop records the json codec could not parse.
  if "_jsonparsefailure" in [tags] {
    drop { }
  }

  # Copy nested WAF fields to the flat names the dashboard uses. `action` is
  # already a top-level field and is used as-is; adding it to itself with
  # mutate would turn it into a two-element array.
  if [terminatingRuleId] {
    mutate { add_field => { "terminating_rule" => "%{[terminatingRuleId]}" } }
  }
  if [httpRequest][clientIp] {
    mutate { add_field => { "client_ip" => "%{[httpRequest][clientIp]}" } }
  }
  if [httpRequest][country] {
    mutate { add_field => { "country" => "%{[httpRequest][country]}" } }
  }
  if [httpRequest][httpMethod] {
    mutate { add_field => { "http_method" => "%{[httpRequest][httpMethod]}" } }
  }
  if [httpRequest][uri] {
    mutate { add_field => { "uri" => "%{[httpRequest][uri]}" } }
  }
  if [httpRequest][httpVersion] {
    mutate { add_field => { "http_version" => "%{[httpRequest][httpVersion]}" } }
  }

  # Headers arrive as an array of {name, value} objects; pull out User-Agent and
  # Host with a case-insensitive name match.
  if [httpRequest][headers] {
    ruby {
      code => '
        begin
          headers = event.get("[httpRequest][headers]")
          if headers.is_a?(Array)
            headers.each do |h|
              name = h["name"].to_s.downcase
              if name == "user-agent"
                event.set("user_agent", h["value"])
              elsif name == "host"
                event.set("host_header", h["value"])
              end
            end
          end
        rescue => e
          event.tag("_header_parse_failure")
        end
      '
    }
  }
}

output {
  opensearch {
    hosts    => ["https://opensearch-node1:9200"]
    user     => "admin"
    password => "Redhat@123"
    ssl      => true
    # Demo only: the container ships a self-signed certificate. Outside a local
    # lab, verify against a trusted CA (cacert => "...") instead of disabling checks.
    ssl_certificate_verification => false
    index    => "aws-waf-logs-test-%{+YYYY.MM.dd}"
  }
  # Echo events to the container log while debugging; remove once the pipeline is stable.
  stdout { codec => rubydebug }
}
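To make the record shape from Step 4 and the flattening done by the Logstash filter concrete, here is an added example (not code from the original post) that performs the same transformation in Python: it splits a Firehose-delivered S3 object body into JSON records, derives the same flat fields the filter adds (terminating_rule, client_ip, country, http_method, uri, http_version, user_agent, host_header), and summarizes actions and blocked source IPs. The three records and all identifiers in them (IPs, ARN, host name) are constructed; the field names follow the AWS WAF log schema that the index pattern in this post exposes.

```python
import json
from collections import Counter

# Constructed sample records (not real traffic). Field names follow the AWS WAF
# log schema; webaclId is a placeholder ARN.
SAMPLE_RECORDS = [
    {"timestamp": 1747220000000, "formatVersion": 1,
     "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/nginx-web-acl/PLACEHOLDER",
     "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
     "action": "ALLOW", "httpSourceName": "ALB",
     "httpRequest": {"clientIp": "198.51.100.10", "country": "DE",
                     "headers": [{"name": "Host", "value": "nginx.example.test"},
                                 {"name": "User-Agent", "value": "curl/8.5.0"}],
                     "uri": "/", "args": "", "httpVersion": "HTTP/1.1", "httpMethod": "GET"}},
    {"timestamp": 1747220001000, "formatVersion": 1,
     "webaclId": "arn:aws:wafv2:PLACEHOLDER",
     "terminatingRuleId": "BlockLocalIP", "terminatingRuleType": "REGULAR",
     "action": "BLOCK", "httpSourceName": "ALB",
     "httpRequest": {"clientIp": "203.0.113.7", "country": "US",
                     # lower-case header names: the match must be case-insensitive
                     "headers": [{"name": "host", "value": "nginx.example.test"},
                                 {"name": "user-agent", "value": "Mozilla/5.0 (constructed)"}],
                     "uri": "/admin", "args": "", "httpVersion": "HTTP/2.0", "httpMethod": "POST"}},
    {"timestamp": 1747220002000, "formatVersion": 1,
     "webaclId": "arn:aws:wafv2:PLACEHOLDER",
     "terminatingRuleId": "BlockLocalIP", "terminatingRuleType": "REGULAR",
     "action": "BLOCK", "httpSourceName": "ALB",
     "httpRequest": {"clientIp": "203.0.113.7", "country": "US",
                     "headers": [],   # edge case: no headers at all
                     "uri": "/", "args": "", "httpVersion": "HTTP/1.1", "httpMethod": "GET"}},
]


def iter_records(blob: str):
    """Yield JSON objects from an S3 object body.

    Works whether the records are newline-delimited or simply concatenated,
    by repeatedly applying raw_decode to the remaining text.
    """
    decoder = json.JSONDecoder()
    pos, end = 0, len(blob)
    while pos < end:
        while pos < end and blob[pos].isspace():
            pos += 1
        if pos >= end:
            break
        obj, pos = decoder.raw_decode(blob, pos)
        yield obj


def flatten(record: dict) -> dict:
    """Produce the same derived fields the Logstash filter adds."""
    req = record.get("httpRequest") or {}
    out = {
        "action": record.get("action"),
        "terminating_rule": record.get("terminatingRuleId"),
        "client_ip": req.get("clientIp"),
        "country": req.get("country"),
        "http_method": req.get("httpMethod"),
        "uri": req.get("uri"),
        "http_version": req.get("httpVersion"),
        "user_agent": None,
        "host_header": None,
    }
    # Header names are matched case-insensitively, as in the ruby filter block.
    for h in req.get("headers") or []:
        name = str(h.get("name", "")).lower()
        if name == "user-agent":
            out["user_agent"] = h.get("value")
        elif name == "host":
            out["host_header"] = h.get("value")
    return out


def summarize(flat_records) -> dict:
    """Counts behind the dashboard's WAF Actions and Top IP Addresses panels."""
    by_action = Counter(r["action"] for r in flat_records)
    blocked_ips = Counter(r["client_ip"] for r in flat_records if r["action"] == "BLOCK")
    return {"by_action": dict(by_action), "top_blocked_ips": blocked_ips.most_common(3)}


def process_object(blob: str) -> dict:
    """End to end: S3 object body -> flattened records -> summary."""
    return summarize([flatten(r) for r in iter_records(blob)])


# The same records in two framings: newline-delimited and concatenated.
NDJSON_BLOB = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS) + "\n"
CONCAT_BLOB = "".join(json.dumps(r) for r in SAMPLE_RECORDS)

if __name__ == "__main__":
    print(json.dumps(process_object(NDJSON_BLOB), indent=2))
```

Running it prints one ALLOW and two BLOCK events with 203.0.113.7 as the only blocked source; the record without headers yields no user_agent or host_header rather than an error, which is the same failure mode the ruby filter's rescue clause guards against.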
📈 Step 6: Visualize Logs in OpenSearch Dashboards
Navigate to http://localhost:5601 and log in with:
- Username: admin
- Password: Redhat@123
Create an index pattern: aws-waf-logs-test-*
You can now create rich visualizations such as the ones listed below.
📦 Full OpenSearch Dashboard: JSON Import Snippets
You can now import a ready-made dashboard with rich visualizations into OpenSearch Dashboards from the saved-objects export (NDJSON) below, via Saved Objects → Import.
📁 Included Visualizations
Your exported dashboard includes:
| Title | Type | Description |
|---|---|---|
| WAF Actions | Pie Chart | Visual breakdown of ALLOW, BLOCK, CAPTCHA actions. |
| Total HTTP Requests | Metric | Count of total requests received. |
| Blocked HTTP Requests | Metric | Requests specifically marked as BLOCK. |
| HTTP Versions Breakdown | Pie Chart | Shows HTTP protocol versions like 1.1 vs 2.0. |
| HTTP Methods | Pie Chart | GET, POST, etc. |
| Top Hosts | Pie Chart | Popular host headers seen in WAF logs. |
| Top Countries | Pie Chart | Countries from which requests originated. |
| Top IP Addresses | Pie Chart | Most frequent source IPs. |
| Top User Agents | Pie Chart | Devices or clients initiating traffic. |
| Top Web ACLs | Table | Lists WAF Web ACLs that matched requests. |
| Unique IP Address Count | Metric | Unique source IPs seen. |
| Number of Requests per Country | Bar Chart | Comparative view of traffic volume per country. |
{"attributes":{"buildNum":8430,"defaultIndex":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d"},"id":"3.0.0","migrationVersion":{"config":"7.9.0"},"references":[],"type":"config","updated_at":"2025-05-14T11:19:38.632Z","version":"WzIsMV0="}
{"attributes":{"fields":"[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"action\"}}},{\"count\":0,\"name\":\"captchaResponse.failureReason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"captchaResponse.failureReason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"captchaResponse.failureReason\"}}},{\"count\":0,\"name\":\"captchaResponse.responseCode\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"client_ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client_ip\"}}},{\"count\":0,\"name\":\"country\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"country.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"country\"}}},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"event.original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.original\"}}},{\"count\":0,\"name\":\"formatVersion\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"host.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.name\"}}},{\"count\":0,\"name\":\"host_header\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"host_header.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host_header\"}}},{\"count\":0,\"name\":\"httpRequest.clientIp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"httpRequest.clientIp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"httpRequest.clientIp\"}}},{\"count\":0,\"name\":\"httpRequest.country\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"httpRequest.country.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"httpRequest.country\"}}},{\"count\":0,\"name\":\"httpRequest.headers.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"httpRequest.headers.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"httpRequest.headers.name\"}}},{\"count\":0,\"name\":\"httpRequest.headers.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"httpRequest.headers.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"httpRequest.headers.value\"}}},{\"count\":0,\"name\":\"httpRequest.httpMethod\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"httpRequest.httpMethod.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"httpRequest.httpMethod\"}}},{\"count\":0,\"name\":\"httpRequest.httpVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"httpRequest.httpVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"httpRequest.httpVersion\"}}},{\"count\":0,\"name\":\"httpRequest.uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"httpRequest.uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"httpRequest.uri\"}}},{\"count\":0,\"name\":\"http_method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"http_method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http_method\"}}},{\"count\":0,\"name\":\"http_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"http_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http_version\"}}},{\"count\":0,\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"count\":0,\"name\":\"nonTerminatingMatchingRules.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"nonTerminatingMatchingRules.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"nonTerminatingMatchingRules.action\"}}},{\"count\":0,\"name\":\"nonTerminatingMatchingRules.ruleId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"nonTerminatingMatchingRules.ruleId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"nonTerminatingMatchingRules.ruleId\"}}},{\"count\":0,\"name\":\"rateBasedRuleList.customValues.key\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rateBasedRuleList.customValues.key.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rateBasedRuleList.customValues.key\"}}},{\"count\":0,\"name\":\"rateBasedRuleList.customValues.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rateBasedRuleList.customValues.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rateBasedRuleList.customValues.name\"}}},{\"count\":0,\"name\":\"rateBasedRuleList.customValues.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rateBasedRuleList.customValues.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rateBasedRuleList.customValues.value\"}}},{\"count\":0,\"name\":\"rateBasedRuleList.evaluationWindowSec\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rateBasedRuleList.evaluationWindowSec.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rateBasedRuleList.evaluationWindowSec\"}}},{\"count\":0,\"name\":\"rateBasedRuleList.limitKey\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rateBasedRuleList.limitKey.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rateBasedRuleList.limitKey\"}}},{\"count\":0,\"name\":\"rateBasedRuleList.maxRateAllowed\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rateBasedRuleList.rateBasedRuleId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rateBasedRuleList.rateBasedRuleId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rateBasedRuleList.rateBasedRuleId\"}}},{\"count\":0,\"name\":\"rateBasedRuleList.rateBasedRuleName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rateBasedRuleList.rateBasedRuleName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rateBasedRuleList.rateBasedRuleName\"}}},{\"count\":0,\"name\":\"terminatingRuleId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"terminatingRuleId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"terminatingRuleId\"}}},{\"count\":0,\"name\":\"terminatingRuleType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"terminatingRuleType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"terminatingRuleType\"}}},{\"count\":0,\"name\":\"terminating_rule\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"terminating_rule.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"terminating_rule\"}}},{\"count\":0,\"name\":\"timestamp\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"uri\"}}},{\"count\":0,\"name\":\"user_agent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"user_agent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_agent\"}}},{\"count\":0,\"name\":\"webaclId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"webaclId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"webaclId\"}}}]","timeFieldName":"@timestamp","title":"aws-waf-logs-*"},"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2025-05-14T11:19:34.933Z","version":"WzEsMV0="}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"WAF Actions (ALLOW vs BLOCK vs CAPTCHA)","uiStateJSON":"{\"vis\":{\"colors\":{\"BLOCK\":\"#ef9988\"}}}","version":1,"visState":"{\"title\":\"WAF Actions (ALLOW vs BLOCK vs CAPTCHA)\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"action.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"row\":true,\"type\":\"pie\"}}"},"id":"99127f00-30b7-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T12:15:02.158Z","version":"WzEzLDFd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Total HTTP Requests","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Total HTTP Requests\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Total HTTP Requests\"},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"63e0d4c0-30b8-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T11:41:35.628Z","version":"WzYsMV0="}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"action.keyword\",\"negate\":false,\"params\":{\"query\":\"BLOCK\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"action.keyword\":\"BLOCK\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Blocked HTTP Requests","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Blocked HTTP Requests\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Blocked Requests\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"\",\"language\":\"kuery\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"7132d620-30bb-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T12:03:30.357Z","version":"WzgsMV0="}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"HTTP Versions Breakdown","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP Versions Breakdown\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"http_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"7119bbf0-30d3-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T14:55:14.223Z","version":"WzE4LDFd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"HTTP Methods","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP Methods\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"http_method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":true}}"},"id":"1f420b20-30d3-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T14:53:01.512Z","version":"WzE1LDFd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top Hosts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top Hosts\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"host_header.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"49df5b20-30d4-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T15:01:22.321Z","version":"WzI3LDFd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top Countries ","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top Countries \",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"country.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"0824e100-30d4-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T15:05:39.905Z","version":"WzMwLDFd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top IP Addresses","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top IP Addresses\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"client_ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"e4418fe0-30d3-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T15:05:50.998Z","version":"WzMxLDFd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top User Agents","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top User Agents\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"user_agent.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"26b45d80-30d4-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T15:00:35.246Z","version":"WzI1LDFd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top Web ACLs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top Web ACLs\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"webaclId.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"c6952af0-30d4-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T15:05:19.523Z","version":"WzI5LDFd"}
{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"674ecf5a-ed50-411f-8178-d0c28c2f0acd\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"674ecf5a-ed50-411f-8178-d0c28c2f0acd\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"9a2fb88c-a482-4adc-9ab9-1693caca9e07\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9a2fb88c-a482-4adc-9ab9-1693caca9e07\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"02404d24-4e9f-4120-bc80-5931a1e8fe7c\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"02404d24-4e9f-4120-bc80-5931a1e8fe7c\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"681f6ea4-757a-4fbd-b74d-20698edf01dd\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"681f6ea4-757a-4fbd-b74d-20698edf01dd\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"1c3d4763-f99f-4945-a32f-c6553518f059\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"1c3d4763-f99f-4945-a32f-c6553518f059\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"9ce23390-217d-4d1d-a9df-0d9a2d858966\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"9ce23390-217d-4d1d-a9df-0d9a2d858966\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"d9b7d60d-e78b-473c-9493-4ed9cdeb824f\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"d9b7d60d-e78b-473c-9493-4ed9cdeb824f\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"a7e493f6-23df-4c6d-b95a-d45fe9735d57\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"a7e493f6-23df-4c6d-b95a-d45fe9735d57\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"60758b57-6454-4bd0-a723-091816c4ed24\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"60758b57-6454-4bd0-a723-091816c4ed24\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"26cb5b48-4840-4a02-92f5-f783e6053c98\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"26cb5b48-4840-4a02-92f5-f783e6053c98\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"61169e8e-a911-47dd-8f4f-abab036fa0a7\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"61169e8e-a911-47dd-8f4f-abab036fa0a7\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"WAF-Monitorings","version":1},"id":"7d2643d0-30bc-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"99127f00-30b7-11f0-9eb5-8f6a0d106a1d","name":"panel_0","type":"visualization"},{"id":"63e0d4c0-30b8-11f0-9eb5-8f6a0d106a1d","name":"panel_1","type":"visualization"},{"id":"7132d620-30bb-11f0-9eb5-8f6a0d106a1d","name":"panel_2","type":"visualization"},{"id":"7119bbf0-30d3-11f0-9eb5-8f6a0d106a1d","name":"panel_3","type":"visualization"},{"id":"1f420b20-30d3-11f0-9eb5-8f6a0d106a1d","name":"panel_4","type":"visualization"},{"id":"49df5b20-30d4-11f0-9eb5-8f6a0d106a1d","name":"panel_5","type":"visualization"},{"id":"0824e100-30d4-11f0-9eb5-8f6a0d106a1d","name":"panel_6","type":"visualization"},{"id":"e4418fe0-30d3-11f0-9eb5-8f6a0d106a1d","name":"panel_7","type":"visualization"},{"id":"26b45d80-30d4-11f0-9eb5-8f6a0d106a1d","name":"panel_8","type":"visualization"},{"id":"c6952af0-30d4-11f0-9eb5-8f6a0d106a1d","name":"panel_9","type":"visualization"},{"id":"63e0d4c0-30b8-11f0-9eb5-8f6a0d106a1d","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2025-05-15T06:06:12.962Z","version":"WzM2LDFd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Unique IP Address Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Unique IP Address Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"client_ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"8e9c5c50-30d3-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T14:56:03.733Z","version":"WzE5LDFd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Number of Requests per Country","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Number of Requests per Country\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Total Requests\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"country.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Total Requests\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Total Requests\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"397b01f0-30d7-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T15:22:22.388Z","version":"WzM0LDFd"}
{"exportedCount":15,"missingRefCount":0,"missingReferences":[]}
🛠️ How to Import the Dashboard
Navigate to OpenSearch Dashboards → Dashboards Management → Saved Objects.
Click Import and upload your JSON file.
Confirm and overwrite if prompted.
Navigate to Dashboards → WAF-Monitorings.
This dashboard will instantly visualize live or historical WAF logs streamed from AWS into OpenSearch via your pipeline.
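Before importing, it is worth checking the export file itself: a JSON line split by copy-and-paste makes the import fail, and a dashboard panel whose referenced visualization was not exported comes up empty. The following Python check is an added example, not code from the original post; it parses the NDJSON export, resolves every reference (the same information the trailer's missingRefCount summarises) and confirms each panelRefName in panelsJSON is bound. The sample export is constructed.

```python
import json

# Constructed sample export: three saved objects plus the trailer line.
# The dashboard's panel_1 deliberately points at an id that is not in the file.
SAMPLE_EXPORT = "\n".join(json.dumps(o) for o in [
    {"id": "idx-1", "type": "index-pattern", "attributes": {"title": "waf-logs*"}, "references": []},
    {"id": "vis-1", "type": "visualization", "attributes": {"title": "Top IP Addresses"},
     "references": [{"id": "idx-1", "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
                     "type": "index-pattern"}]},
    {"id": "dash-1", "type": "dashboard",
     "attributes": {"title": "WAF-Monitorings", "panelsJSON": json.dumps([
         {"panelIndex": "a", "panelRefName": "panel_0"},
         {"panelIndex": "b", "panelRefName": "panel_1"}])},
     "references": [{"id": "vis-1", "name": "panel_0", "type": "visualization"},
                    {"id": "vis-missing", "name": "panel_1", "type": "visualization"}]},
    {"exportedCount": 3, "missingRefCount": 0, "missingReferences": []},
])


def parse_export(text):
    """Parse NDJSON into (objects, trailer). A line that does not parse is
    usually an export line broken in two, which the importer rejects."""
    objects, trailer = [], None
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {n}: not valid JSON ({exc.msg}); is the line split?") from None
        if "exportedCount" in obj:
            trailer = obj
        else:
            objects.append(obj)
    return objects, trailer


def find_missing_references(objects):
    """(source id, ref name, ref type, ref id) for every reference whose target is absent."""
    present = {(o["type"], o["id"]) for o in objects}
    return [(o["id"], r["name"], r["type"], r["id"])
            for o in objects for r in o.get("references", [])
            if (r["type"], r["id"]) not in present]


def find_unbound_panels(dashboard):
    """panelRefNames used in panelsJSON that have no entry in the references list."""
    names = {r["name"] for r in dashboard.get("references", [])}
    panels = json.loads(dashboard["attributes"]["panelsJSON"])
    return [p.get("panelRefName") for p in panels if p.get("panelRefName") not in names]


def check_export(text):
    objects, trailer = parse_export(text)
    unbound = [n for o in objects if o["type"] == "dashboard" for n in find_unbound_panels(o)]
    trailer_ok = trailer is not None and trailer.get("exportedCount") == len(objects)
    return {"objects": len(objects), "trailer_ok": trailer_ok,
            "missing": find_missing_references(objects), "unbound_panels": unbound}
```

Run check_export() over the real export before uploading it; a non-empty "missing" list means a visualization has to be exported alongside the dashboard.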
✅ Conclusion
This blog walked you through building a log analysis pipeline using AWS WAF, Firehose, S3, Logstash, and OpenSearch. With this setup, you gain full visibility into suspicious traffic, helping improve your application’s security posture in real time.