Tail a Customer Firewall to Check for Dropped Traffic
Steps
1. Locate the Customer Account
   - Access the customer's account.
2. Navigate to CloudWatch
   - In AWS, search for "CloudWatch".
3. Access Log Groups
   - In the left pane, expand "Logs" and click on "Log Groups".
4. Find the Customer Log Group
   - In the Log Groups window, locate and click on the log group titled: Combine_[CUSTOMER]_Log_Group_Firewall
5. Search Log Streams
   - On the next page, ensure the "Log Streams" tab is open at the bottom.
   - Find the "Search all log streams" button on the right and click it.
6. Enable Real-Time View
   - For real-time logs, click "Start Tailing".
7. Highlight Specific Terms
   - Use the "Highlight Term" field to highlight specific strings of interest.
   - Example: To highlight the IP address 1.2.3.4, type 1.2.3.4 into the "Highlight Term" field.
8. Identify Dropped Traffic
   - Look for entries containing the terms:
     - "reject"
     - "block"
Filtering firewall entries for blocked traffic:
The following filter pattern finds alert events whose destination IP is one of a given set of addresses and whose action is "blocked" (each IP of interest gets its own $.event.dest_ip term inside the parentheses):
{ ($.event.dest_ip = "1.2.3.4" || $.event.dest_ip = "1.2.3.4" || $.event.dest_ip = "1.2.3.4") && $.event.alert.action = "blocked" }
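As an added example (not part of this runbook), the Python below builds that filter pattern from a set of destination IPs and applies the same selection locally to constructed sample lines in the shape of AWS Network Firewall alert-log JSON records; the firewall name, addresses and signature names are made up.

```python
import json
from typing import Iterable

# Constructed sample records shaped like AWS Network Firewall alert-log events
# (one JSON object per CloudWatch log event). Not real customer data.
SAMPLE_LOG_EVENTS = [
    '{"firewall_name":"example-fw","event":{"event_type":"alert","src_ip":"10.0.1.20",'
    '"dest_ip":"1.2.3.4","dest_port":443,"proto":"TCP",'
    '"alert":{"action":"blocked","signature_id":5,"signature":"deny-external"}}}',
    '{"firewall_name":"example-fw","event":{"event_type":"alert","src_ip":"10.0.1.21",'
    '"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","signature_id":6,"signature":"permit-web"}}}',
    '{"firewall_name":"example-fw","event":{"event_type":"alert","src_ip":"10.0.2.5",'
    '"dest_ip":"198.51.100.7","dest_port":22,"proto":"TCP",'
    '"alert":{"action":"blocked","signature_id":7,"signature":"deny-ssh"}}}',
    '{"firewall_name":"example-fw","event":{"event_type":"alert","src_ip":"10.0.2.9",'
    '"dest_ip":"192.0.2.10","dest_port":53,"proto":"UDP",'
    '"alert":{"action":"blocked","signature_id":8,"signature":"deny-dns"}}}',
    'not a json record',  # a malformed line, to show it is skipped rather than crashing
]


def build_filter_pattern(dest_ips: Iterable[str]) -> str:
    """Build the CloudWatch Logs JSON filter pattern for 'blocked' alerts to any of
    dest_ips, one $.event.dest_ip term per distinct address (sorted, deduplicated)."""
    ips = sorted(set(dest_ips))
    if not ips:
        raise ValueError("at least one destination IP is required")
    ip_clause = " || ".join(f'$.event.dest_ip = "{ip}"' for ip in ips)
    return f'{{ ({ip_clause}) && $.event.alert.action = "blocked" }}'


def blocked_to(dest_ips: Iterable[str], log_events: Iterable[str]) -> list:
    """Apply the same selection locally: keep records whose event.dest_ip is in
    dest_ips and whose event.alert.action is 'blocked'. Returns
    (src_ip, dest_ip, dest_port, signature) tuples; unparseable lines are skipped."""
    wanted = set(dest_ips)
    hits = []
    for line in log_events:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        event = rec.get("event", {})
        alert = event.get("alert", {})
        if event.get("dest_ip") in wanted and alert.get("action") == "blocked":
            hits.append((event.get("src_ip"), event["dest_ip"],
                         event.get("dest_port"), alert.get("signature")))
    return hits
```

Running the local filter against the sample lines is a quick way to sanity-check that the pattern you paste into CloudWatch selects what you expect before tailing a live log group.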