Forward AWS WAF log to Splunk

This section shows how to push AWS WAF logs to Splunk Enterprise.
The Splunk architecture used here is a single-instance deployment.

Requirements:

1) The Hurricane Labs app installed in Splunk (https://splunkbase.splunk.com/app/4714/)

2) Permission to operate the Amazon Kinesis console and the WAF console

Splunk Web 

Create an HTTP Event Collector (HEC) token. Create a new token with source type "aws:waf".

Setting » Data Inputs » HTTP Event Collector » New Token

Kinesis needs to reach the Splunk HEC server on your configured HEC port (the default, 8088, is used here).


AWS Console

Open the Amazon Kinesis console and create a delivery stream. As mentioned above, the user needs permission to create the delivery stream.

Choose a third-party service provider (Splunk) as the destination.

Fill in the required details in the destination section. For the Splunk cluster endpoint, use the Splunk Enterprise host with the HEC port (8088). The authentication token is the HEC token created earlier in Splunk Web.

Set up an S3 bucket. Creating your own bucket is recommended: it prevents data loss and keeps a backup of events while they are being delivered to Splunk.

Review all your settings and create the delivery stream. It is ready to operate once its status turns to "Active".


Navigate to the WAF console to enable logging. Logging is disabled by default.


Splunk Console

Edit inputs.conf at $SPLUNK_HOME/etc/apps/splunk_httpinput/local/ 
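As an added example (not from the original post), here is the shape of the stanzas you would expect to see, or merge, in that inputs.conf for the aws:waf token, rendered by a small shell function so the token value can be substituted. The stanza name aws_waf_firehose and the index name are assumptions of this example; the token value is the one created in Splunk Web. Two settings matter for this pipeline: Kinesis Firehose requires indexer acknowledgement on the HEC token it delivers to (useACK), and it only delivers to an HTTPS endpoint, so SSL stays enabled on the global http stanza.

```shell
#!/bin/sh
# Added example, not from the original post: the inputs.conf stanzas behind the
# aws:waf HEC token, in the form you would merge into
# $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf.
# Assumptions: the stanza name "aws_waf_firehose" and the index name are ours;
# the token value is the one you created in Splunk Web.
render_hec_input() {
  token_value="$1"          # HEC token from Splunk Web (placeholder in the usage below)
  index_name="${2:-main}"   # destination index; "main" is Splunk's default index
  cat <<EOF
# Global HEC settings: collector enabled, default port 8088, TLS on
# (Kinesis Firehose will not deliver to a plain-HTTP HEC endpoint)
[http]
disabled = 0
port = 8088
enableSSL = 1

# Per-token stanza: the token Kinesis Firehose presents in its Authorization header
[http://aws_waf_firehose]
disabled = 0
token = $token_value
sourcetype = aws:waf
index = $index_name
# Kinesis Firehose requires indexer acknowledgement on the HEC token it uses
useACK = 1
EOF
}

# Usage: review the output, merge it into the local inputs.conf, then restart Splunk.
render_hec_input "<HEC-TOKEN-FROM-SPLUNK-WEB>" aws_waf
```

If Splunk Web already wrote a stanza for the token, keep that stanza name and only add the settings that are missing; a second `[http]` stanza in the same file would be merged by Splunk, but a duplicated token stanza under a different name is easy to overlook later.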


Restart the Splunk service.
After these settings are in place, you can verify that the pipeline works by sending demo data from the Kinesis Firehose console. These are the steps that were followed when working with the AWS WAF log.
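Before pushing demo data from the Firehose console, it helps to confirm from a shell that the HEC endpoint Firehose points at is reachable and that the aws:waf token accepts an event; that separates a Splunk-side problem (port, TLS, token, acknowledgement) from a Firehose-side one. The script below is an added example, not part of the original post. HEC_URL and HEC_TOKEN are placeholders, the WAF record is constructed (field names follow the WAF log schema, values are made up), and the request-channel GUID is an arbitrary value of our own, required because the token has indexer acknowledgement enabled.

```shell
#!/bin/sh
# Added example, not from the original post: check that the HEC endpoint Firehose
# points at is reachable and that the aws:waf token accepts an event, before sending
# demo data from the Firehose console. HEC_URL and HEC_TOKEN are placeholders.
HEC_URL="${HEC_URL:-https://splunk.example.internal:8088}"   # assumed host and HEC port
HEC_TOKEN="${HEC_TOKEN:-<HEC-TOKEN-FROM-SPLUNK-WEB>}"        # token created in Splunk Web
# With useACK enabled on the token, HEC rejects requests that carry no channel GUID;
# any GUID works, this one is constructed for the example.
HEC_CHANNEL="0f1e2d3c-4b5a-4697-8877-665544332211"

# One constructed AWS WAF log record wrapped in an HEC event envelope with the
# aws:waf sourcetype, so it lands exactly where Firehose-delivered records will.
hec_waf_payload() {
  cat <<'EOF'
{"sourcetype": "aws:waf", "event": {"timestamp": 1700000000000, "formatVersion": 1, "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example-acl/00000000-0000-0000-0000-000000000000", "terminatingRuleId": "Default_Action", "action": "ALLOW", "httpSourceName": "ALB", "httpRequest": {"clientIp": "203.0.113.10", "country": "US", "uri": "/login", "httpMethod": "GET"}}}
EOF
}

# HEC health endpoint (no token needed); recent Splunk versions answer
# {"text":"HEC is healthy","code":17} when the collector is enabled on that port.
hec_health() {
  curl -sS "$HEC_URL/services/collector/health"
}

# Post the sample record; a working token answers {"text":"Success","code":0,...}
# (an ackId is included when acknowledgement is on). Any other reply, e.g. a wrong
# token, a missing channel header or a TLS failure, makes the function return 1.
hec_send_test_event() {
  resp=$(curl -sS -X POST "$HEC_URL/services/collector/event" \
    -H "Authorization: Splunk $HEC_TOKEN" \
    -H "X-Splunk-Request-Channel: $HEC_CHANNEL" \
    -d "$(hec_waf_payload)") || return 1
  printf '%s\n' "$resp"
  case "$resp" in *'"code":0'*) return 0 ;; *) return 1 ;; esac
}

# Usage: HEC_URL=https://your-splunk:8088 HEC_TOKEN=... sh hec_check.sh run
# then search  index=<your index> sourcetype=aws:waf  in Splunk for the test record.
if [ "${1:-}" = "run" ]; then
  hec_health
  hec_send_test_event
fi
```

Run it from a host that sits on the same network path Firehose will use, not from the Splunk server itself, so that a firewall rule blocking 8088 shows up here rather than as silently failing deliveries that only appear in the S3 backup bucket.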