Forward AWS WAF logs to Splunk
1) The app by Hurricane Labs installed in Splunk (https://splunkbase.splunk.com/app/4714/)
2) Permission to operate on the Amazon Kinesis console and the WAF console
Create an HTTP Event Collector (HEC) token. Create a new token with source type "aws:waf".
Settings » Data Inputs » HTTP Event Collector » New Token
Kinesis needs to reach the Splunk HEC server on your configured HEC port (the default, 8088, is used here).
Open the Amazon Kinesis console and create a delivery stream. As mentioned above, the user needs permission to create the delivery stream.
Choose the 3rd party service provider (Splunk) as the destination.
Fill in the details required in the destination section. For the Splunk cluster endpoint, use Splunk Enterprise with the HEC port (8088). The authentication token is the HEC token created earlier in Splunk Web.
Set up an S3 bucket. Creating your own bucket is recommended to prevent data loss and to keep a backup of events while they are delivered to Splunk.
Review all your settings and create the delivery stream. It is ready to operate once its status turns to "Active".
Navigate to the WAF console to enable logging. By default, logging is disabled.
Edit inputs.conf at $SPLUNK_HOME/etc/apps/splunk_httpinput/local/
Restart the Splunk service.
After all these settings are in place, the user can verify that the pipeline is working by sending demo data, which can be done from the Kinesis Firehose console. These are the steps that were followed when working with AWS WAF logs.
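Before pointing the delivery stream at Splunk, the HEC token and port can also be checked directly. The following is an added example, not part of the original write-up: it wraps a constructed WAF record in the HEC event envelope with source type "aws:waf" and posts it to the HEC event endpoint. The host name, token and sample record values are placeholders.

```python
import json
import urllib.error
import urllib.request
import uuid

# Constructed sample record: field names follow the AWS WAF log format, values are made up.
SAMPLE_WAF_RECORD = {
    "timestamp": 1700000000000,  # epoch milliseconds
    "formatVersion": 1,
    "webaclId": "PLACEHOLDER-WEBACL-ARN",
    "terminatingRuleId": "Default_Action",
    "terminatingRuleType": "REGULAR",
    "action": "ALLOW",
    "httpSourceName": "ALB",
    "httpRequest": {"clientIp": "192.0.2.10", "country": "US",
                    "uri": "/health", "httpMethod": "GET"},
}

def build_hec_event(record, sourcetype="aws:waf"):
    """Wrap one WAF record in the HEC JSON envelope; HEC expects epoch seconds."""
    return {"time": record["timestamp"] / 1000, "sourcetype": sourcetype, "event": record}

def build_hec_request(base_url, token, record, channel=None):
    """Build the POST for the HEC event endpoint without sending it."""
    headers = {
        "Authorization": "Splunk " + token,
        "Content-Type": "application/json",
        # Needed when indexer acknowledgement is enabled on the token.
        "X-Splunk-Request-Channel": channel or str(uuid.uuid4()),
    }
    body = json.dumps(build_hec_event(record)).encode("utf-8")
    url = base_url.rstrip("/") + "/services/collector/event"
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def send_test_event(base_url, token, record=SAMPLE_WAF_RECORD, timeout=10):
    """Send one event; return (ok, reply). TLS certificate verification stays on."""
    req = build_hec_request(base_url, token, record)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            reply = json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:  # e.g. HEC rejected the token
        reply = json.loads(err.read().decode("utf-8") or "{}")
    return reply.get("code") == 0, reply

if __name__ == "__main__":
    # Hypothetical endpoint and token; replace with your own values.
    ok, reply = send_test_event("https://splunk.example.com:8088",
                                "00000000-0000-0000-0000-000000000000")
    print("HEC accepted the event" if ok else "HEC rejected the event", reply)
```

A reply with code 0 means HEC accepted the event; searching for sourcetype "aws:waf" in Splunk should then return the test record.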