Collect Edgio WAF logs
This guide explains how to ingest Edgio Web Application Firewall (WAF) logs to Google Security Operations using Google Cloud Storage. Edgio's Real-Time Log Delivery (RTLD) service can automatically deliver compressed WAF log data directly to a Cloud Storage bucket, which Google SecOps can then ingest for analysis and monitoring.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance.
- Privileged access to Google Cloud Platform.
- Privileged access to Edgio Console.
- An active Edgio property with WAF enabled.
Configure a Google Cloud Storage bucket
- Sign in to the Google Cloud console.
- Go to Cloud Storage > Buckets.
- Click Create.
- Provide the following configuration details:
- Name: Enter a unique bucket name (for example,
edgio-waf-logs
). - Location type: Select Region or Multi-region based on your requirements.
- Location: Select the location closest to your Edgio deployment.
- Storage class: Select Standard.
- Access control: Select Uniform.
- Encryption: Select Google-owned and Google-managed encryption key.
- Name: Enter a unique bucket name (for example,
- Click Create.
Configure bucket permissions for Edgio
- In the Google Cloud console, go to your newly created bucket.
- Click Permissions.
- Click Grant Access.
- In the New principals field, add:
real-time-log-delivery@durable-firefly-334516.iam.gserviceaccount.com
- In the Select a role list, select Storage Object Creator.
- Click Save.
Configure Edgio Real-Time Log Delivery
- Sign in to the Edgio Console.
- Select your private space or organization.
- Select the required property.
- From the left pane, select the required environment.
- From the left pane, click Realtime Log Delivery.
- Click + New Log Delivery Profile.
- Select WAF as the log type.
- Provide the following configuration details:
- Name: Enter a descriptive name (for example,
Google SecOps WAF Logs
). - Destination: Select Google Cloud Storage.
- Bucket: Enter your GCS bucket name (for example,
edgio-waf-logs
). - Prefix: Optional. Enter a prefix for log organization (for example,
waf/
). - Log Format: Select JSON (default).
- Downsample the Logs: Leave unchecked for full log delivery.
- Name: Enter a descriptive name (for example,
- In the Fields section, ensure all required fields are selected. Key fields include:
- account_number
- action_type
- client_city
- client_country_code
- client_ip
- client_tls_ja3_md5
- host
- referer
- rule_message
- rule_tags
- server_port
- sub_events
- sub_events_count
- timestamp
- URL
- user_agent
- uuid
- waf_instance_name
- waf_profile_name
- waf_profile_type
- Click Save.
Configure a feed in Google SecOps to ingest Edgio WAF logs
- Go to SIEM Settings > Feeds.
- Click Add new.
- In the Feed name field, enter a name for the feed (for example,
Edgio WAF Logs
). - Select Google Cloud Storage V2 as the Source type.
- Select Edgio WAF as the Log type.
- Click Get Service Account.
- Copy the service account email displayed.
- Click Next.
- Specify values for the following input parameters:
- Storage Bucket URI: Enter your Cloud Storage bucket URI (format:
gs://edgio-waf-logs/waf/
). - Source deletion options: Select deletion option according to your preference.
- Maximum File Age: Include files modified in the last number of days. Default is 180 days.
- Asset namespace: The asset namespace.
- Ingestion labels: The label to be applied to the events from this feed.
- Storage Bucket URI: Enter your Cloud Storage bucket URI (format:
- Click Next.
- Review your new feed configuration in the Finalize screen, and then click Submit.
Grant permissions to the Google SecOps service account
- Return to the Google Cloud console.
- Go to your Cloud Storage bucket.
- Click Permissions.
- Click Grant Access.
- In the New principals field, paste the service account email you copied from Google SecOps.
- In the Select a role list, select Storage Object Viewer.
- If you selected delete options in the feed configuration, also grant Storage Object Admin.
- Click Save.
Need more help? Get answers from Community members and Google SecOps professionals.