
November 9, 2020

How to send OCI WAF Logs to OCI Logging Analytics and get Security Insights

Nazih Bachir DJOUMI, and Scott Elvington

1. Introduction

In a previous blog, we introduced how to get OCI WAF Security Insights through the Oracle Management Cloud Log Analytics Service using Event Services, a Serverless Function and IDCS.

In this blog, we are going to get OCI WAF Security Insights much more easily and quickly using the new OCI native service, Logging Analytics. By native we mean it is built from the ground up as integrated functionality within Oracle Cloud.

Below is one example dashboard, WAF Activity Overview, that can be imported to quickly see a wide variety of useful insights from your WAF logs.

At the end of this blog, you can see additional WAF Dashboards that drill further into details. All of these sample dashboards are included in the resources associated with this article.

At a high level, we are going to see how to forward WAF Logs to an OCI Object Storage bucket, how to ingest those logs from the bucket to the Logging Analytics service, and finally, how to import the dashboard into your Logging Analytics service.

As a prerequisite, you should be familiar with OCI and REST APIs. We assume you already have an Oracle Cloud account provisioned and the OCI Logging Analytics service activated and ready to use, with all prerequisite tasks completed.
We assume that a WAF policy has been configured in a target compartment, Mycompartment, and that an OCI Object Storage bucket has been created in the same compartment. We also assume you have admin access within the account.

For security purposes, we will use a dedicated user, let's call it api.waf.log.user, for this integration.

Before starting, let’s prepare all the needed details from OCI, WAF policy and OCI Object Storage.

You may find it useful to put the collected details along with their step number into a text editor for easy reference in later steps.

2. COLLECT INFORMATION

2.1 From OCI

2.1.1. Go to Administration > Tenancy Details and copy the tenancy OCID.

2.1.2. In Administration > Tenancy Details, note the Region Name. Then go to Administration > Region Management and save the corresponding Region Identifier.

2.1.3. In Administration > Identity > Users, create a new user api.waf.log.user for the integration between the WAF Log and the OCI Bucket. Add the API Public Key and copy the Fingerprint. 
2.1.4. Copy the OCID
2.1.5. Click on Customer Secret Keys, and generate a new secret key. Save the secret key in a safe place
2.1.6. Copy the Access Key
2.1.7. In Administration > Identity > Groups, create a new group apigroup and add the user previously created on this group. Copy the group OCID
2.1.8. Copy the group name.

2.2 From WAF

2.2.1. Go to Security > WAF Policies then click on the policy already created. Copy the policy OCID. 
2.2.2. Copy the CNAME Target
2.2.3. Copy the domain name of the target application

2.3. From Object Storage

2.3.1. Go to Object Storage and click on the Bucket you already created. Copy the OCID
2.3.2. Copy the Bucket name
2.3.3. Copy the namespace
2.3.4. Click on the compartment and copy the compartment OCID
2.3.5. Copy the compartment name


3. FORWARD WAF LOG TO OCI BUCKET

In order to forward WAF Logs to the OCI Bucket you created previously, you need to open an SR (Service Request) with Oracle Support.

3.1. Set IAM Policy

The user created in step 2.1.3 must have write permission on the bucket. To do so, we grant privileges to the group that contains this user.
3.1.1. Go to Administration > Identity > Policies and create the following policy statement:

allow group <group_name_step_2.1.8> to manage object-family in compartment <compartment_name_step_2.3.5>

3.1.2. Copy the policy OCID

3.2. Enable WAF log streaming (Requires an SR)

Once the policy is set, raise an SR on your Oracle WAF support portal and provide the following information:
•    Domain name of the application (step 2.2.3), and additional domain names if applicable.
•    Access Key (step 2.1.6)
•    Secret Key (step 2.1.5)
•    WAF Policy OCID (step 2.2.1)
•    Bucket Name (step 2.3.2)
•    Bucket OCID (step 2.3.1)
•    Namespace (step 2.3.3)
•    Tenancy OCID (step 2.1.1)
•    Compartment OCID (step 2.3.4)
•    Policy OCID (step 3.1.2)
•    Region identifier (step 2.1.2)
•    Bucket Region
•    Upload Prefix: "%{+YYYY}/%{+MM}/%{+dd}/%{[log_type]}"

The implementation may take a few days before logs start appearing in your OCI Bucket.

Once completed, you should see logs arriving from WAF in your OCI Bucket:
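As an added example (not part of the original post), the following Python script checks that WAF logs are actually arriving under the Upload Prefix requested in the SR. It parses object names of the form YYYY/MM/dd/<log_type>/<file> from a bucket listing, counts objects per log type and flags any log type that has gone quiet. The object names below are constructed sample data, and the log_type values "access" and "waf" are assumptions, not names taken from the WAF service; feed it the output of your own object listing to check a real bucket.

```python
import re
import sys
from collections import defaultdict
from datetime import date, datetime

# Objects written by WAF follow the upload prefix requested in the SR:
#   "%{+YYYY}/%{+MM}/%{+dd}/%{[log_type]}"  ->  2020/11/09/<log_type>/<file>
WAF_OBJECT_RE = re.compile(r"^(\d{4})/(\d{2})/(\d{2})/([A-Za-z_]+)/[^/]+$")

# Constructed sample listing (not real bucket contents); one name per line is
# what you would get from your own object listing of the WAF bucket.
SAMPLE_OBJECTS = [
    "2020/11/07/access/waf-access-0001.log.gz",
    "2020/11/08/access/waf-access-0002.log.gz",
    "2020/11/09/access/waf-access-0003.log.gz",
    "2020/11/07/waf/waf-events-0001.log.gz",   # "waf" log_type is an assumption
    "README.txt",                               # unrelated object, ignored
    "2020/11/09/access/",                       # prefix marker, no file, ignored
]


def parse_object_name(name):
    """Return (date, log_type) for an object under the WAF upload prefix, else None."""
    m = WAF_OBJECT_RE.match(name)
    if not m:
        return None
    year, month, day, log_type = m.groups()
    try:
        return date(int(year), int(month), int(day)), log_type
    except ValueError:  # e.g. "2020/13/01/..." from a malformed name
        return None


def summarize_arrivals(object_names, today, max_lag_days=1):
    """Count objects per log_type and list log types with nothing newer than max_lag_days."""
    counts = defaultdict(int)
    latest = {}
    for name in object_names:
        parsed = parse_object_name(name)
        if parsed is None:
            continue
        day, log_type = parsed
        counts[log_type] += 1
        if log_type not in latest or day > latest[log_type]:
            latest[log_type] = day
    stale = sorted(t for t, d in latest.items() if (today - d).days > max_lag_days)
    return {"counts": dict(counts), "latest": latest, "stale": stale}


if __name__ == "__main__":
    # Usage: python waf_arrivals.py [listing.txt]; without a file the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            names = [line.strip() for line in fh if line.strip()]
    else:
        names = SAMPLE_OBJECTS
    summary = summarize_arrivals(names, datetime.utcnow().date())
    for log_type, n in sorted(summary["counts"].items()):
        print(f"{log_type}: {n} objects, latest {summary['latest'][log_type]}")
    if summary["stale"]:
        print("no recent objects for:", ", ".join(summary["stale"]))
```

The date in the object path is the day the log was written, so a log type whose latest day is more than a day behind is the first thing to raise with Support once the SR is completed.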


4. CREATE OCI POLICIES

Here, we are going to create all the policies required for managing the Logging Analytics Service and Dashboards.
To keep it simple, we will grant the policies to the user api.waf.log.user, a member of the group apigroup created previously.
In Identity > Policies, create a new policy with the following statements, which are needed for managing the Logging Analytics Service:


allow service loganalytics to READ loganalytics-features-family in tenancy
Allow group apigroup to manage all-resources IN TENANCY where any {request.permission='LOG_ANALYTICS_OBJECT_COLLECTION_RULE_CREATE',request.permission='LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS',request.permission='LOG_ANALYTICS_ENTITY_UPLOAD_LOGS',request.permission='LOG_ANALYTICS_SOURCE_READ',request.permission='BUCKET_UPDATE',request.permission='LOG_ANALYTICS_OBJECT_COLLECTION_RULE_DELETE'}
allow service loganalytics to read buckets in tenancy
allow service loganalytics to read objects in tenancy
allow service loganalytics to manage cloudevents-rules in tenancy
allow service loganalytics to inspect compartments in tenancy
allow service loganalytics to use tag-namespaces in tenancy where all {target.tag-namespace.name = /oracle-tags/}

Add also the following statement needed for managing Dashboards:

Allow group apigroup to manage management-dashboard-family in tenancy

5. PREPARE OCI LOGGING ANALYTICS SERVICE

Here, we are going to perform two steps: import the Log Source and Parser from the associated blog resources, then create an OCI Logging Analytics Log Group.
To import Sources and Parsers into your OCI Logging Analytics service, navigate to the service, click Administration, then click Import Configuration Content in the Actions panel.

Drag and drop the Log Source ZIP file downloaded from the blog resources and click Import.


Once the Log Source and Parsers are imported, let's create a Log Group.

To do so, click Log Groups and select the compartment in which you want to create the group. To keep things together, you can use the same compartment in which the WAF policy and the OCI Bucket were created. Then click Create Log Group. Give it a name and a description and click Create. Copy the OCID; you will need it in the next step.

6. COLLECT LOGS FROM OCI OBJECT STORAGE

Here, we are going to collect logs continuously from the Object Storage bucket containing the WAF Logs.

To enable log collection, an ObjectCollectionRule resource needs to be created. The IAM policies created in step 4 are required to create the ObjectCollectionRule resource.

You can use the CLI, oci-curl or your favorite REST API tool to perform this.

In this example, we will use the CLI.

Set up your oci-cli environment, then launch the following command, setting a name for the rule and updating the values of compartmentId, osNamespace, osBucketName, logGroupId and namespace-name:

oci log-analytics object-collection-rule create --name rule_idcs --compartment-id XXX --os-namespace XXX --os-bucket-name XXX --log-group-id XXX --log-source-name IDCS --namespace-name XXX --collection-type HISTORIC_LIVE --poll-since BEGINNING

The logSourceName value is the name of the Log Source imported in step 5; keep it as it is.

The collectionType and pollSince values are set to collect all historical data first and then continuously collect all newly arriving logs.

For more options, see the CLI reference for this command.

By now, if you navigate to your OCI Logging Analytics service, you can see the WAF Logs:



7. IMPORT DASHBOARDS

Here, we are going to import the dashboards into your OCI Logging Analytics Service.

Download the Dashboard JSON file from the blog resources.

Edit the file and replace every occurrence of EDITCOMPARTMENT with the OCID of the target compartment into which you would like to import the dashboards.

Note that the target compartment should be Mycompartment or a parent compartment of Mycompartment.

You are now ready to import the dashboard.

Launch the following oci-cli command:

oci management-dashboard dashboard import --dashboards /path/to/dashboard.json
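As an added example (not the post's own script), here is a Python helper that performs the EDITCOMPARTMENT replacement before the import command above. It parses the downloaded file as JSON rather than doing a raw text substitution, so a malformed download is caught early, it checks that the value you supply looks like a compartment OCID (or a tenancy OCID, since the root compartment is a valid parent of Mycompartment), and it refuses to write an output file that still contains the placeholder. The dashboard JSON embedded below is a constructed minimal sample, not the real export format from the blog resources, and the OCID used in the usage is a placeholder.

```python
import json
import re
import sys

PLACEHOLDER = "EDITCOMPARTMENT"
# A compartment OCID (or the tenancy OCID for the root compartment); the region
# segment is empty for these, hence the two consecutive dots.
TARGET_OCID_RE = re.compile(r"^ocid1\.(compartment|tenancy)\.oc1\.[a-z0-9-]*\.[a-z0-9]+$")

# Constructed sample (not the real dashboard export); placeholders appear at
# two nesting levels, as they would in a file with several nested resources.
SAMPLE_DASHBOARD_JSON = json.dumps({
    "dashboards": [{
        "displayName": "WAF Activity Overview (sample)",
        "compartmentId": PLACEHOLDER,
        "savedSearches": [{
            "displayName": "Requests by action (sample)",
            "compartmentId": PLACEHOLDER,
        }],
    }],
})


def walk_strings(obj):
    """Yield every string value anywhere in a parsed JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from walk_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from walk_strings(v)


def replace_strings(obj, old, new):
    """Return a copy of the document with `old` replaced by `new` in every string value."""
    if isinstance(obj, str):
        return obj.replace(old, new)
    if isinstance(obj, dict):
        return {k: replace_strings(v, old, new) for k, v in obj.items()}
    if isinstance(obj, list):
        return [replace_strings(v, old, new) for v in obj]
    return obj


def fill_dashboard_json(text, target_ocid):
    """Replace EDITCOMPARTMENT with target_ocid; return the new text plus a small report."""
    if not TARGET_OCID_RE.match(target_ocid):
        raise ValueError(f"{target_ocid!r} does not look like a compartment or tenancy OCID")
    data = json.loads(text)  # raises if the downloaded file is not valid JSON
    before = sum(s.count(PLACEHOLDER) for s in walk_strings(data))
    if before == 0:
        raise ValueError("no EDITCOMPARTMENT placeholder found; file may already be edited")
    filled = replace_strings(data, PLACEHOLDER, target_ocid)
    remaining = sum(s.count(PLACEHOLDER) for s in walk_strings(filled))
    return {
        "text": json.dumps(filled, indent=2),
        "replaced": before,
        "remaining": remaining,
        "compartment_ids": sorted({s for s in walk_strings(filled) if s.startswith("ocid1.")}),
    }


if __name__ == "__main__":
    # Usage: python fill_dashboard.py dashboard.json dashboard.filled.json <target_ocid>
    # Without arguments the constructed sample is processed with a placeholder OCID.
    if len(sys.argv) == 4:
        src, dst, ocid = sys.argv[1:]
        with open(src) as fh:
            text = fh.read()
    else:
        src, dst, ocid = "<sample>", "dashboard.filled.json", "ocid1.compartment.oc1..aaaaaaaaexample"
        text = SAMPLE_DASHBOARD_JSON
    result = fill_dashboard_json(text, ocid)
    if result["remaining"]:
        sys.exit("placeholder still present after replacement; not writing output")
    with open(dst, "w") as fh:
        fh.write(result["text"])
    print(f"{src}: replaced {result['replaced']} placeholder(s); wrote {dst}")
```

Pass the written file to `oci management-dashboard dashboard import --dashboards` exactly as in the command above; the report of how many placeholders were replaced is a quick way to confirm nothing in the downloaded file was missed.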

Now, you should be able to see 5 new dashboards in your Logging Analytics Service that you can start to use.

In addition to the Overview dashboard, below are more specific dashboards leveraging other security insights.

I hope you found this blog helpful. Here are a couple of next steps to help you get started: 

  • If you don't have an Oracle Cloud Infrastructure account, try our Free Tier.


8. RESOURCES
