Splunk App - The Imperva CWAF app provides an easy-to-use way to analyze the traffic that passes through Imperva's cloud WAF on its way to your web servers and applications, and presents the important information in dashboards.
- Activate logging and configure the log integration settings in the Imperva Cloud Security Console (Account > SIEM Logs > WAF Log Setup).
- Select 'Amazon S3' as the Connection type.
- Disable Encryption. (The app was tested with encryption disabled. With it off, Imperva writes the log files to the bucket in plaintext, so restrict access to the bucket and rely on the bucket's own server-side encryption.)
- Select 'CEF' as the format type.
- Disable Compression. (The app expects plain-text CEF files; compressed objects arrive in Splunk as garbled events.)
- Enter the Amazon S3 API details (Key and Secret) and the S3 Bucket Path (example: imperva-logs/waflogs). Use a dedicated IAM key that can only write to that bucket path.
- Ensure 'Website Log Levels' is set to 'All Logs' (Account > SIEM Logs > Website Log Levels).
- Install the 'Splunk Add-on for Amazon Web Services (AWS)'.
- Go to 'Splunk Add-on for Amazon Web Services (AWS)' > 'Configuration' tab > Add.
- Enter a Name, AWS Key ID, Secret Key and region category if appropriate, then Save. (example: Name=Imperva, AWS Key ID=1234567HGSD, Secret Key=12345LKJH, region=Global) This key only needs read access (list and get objects) to the bucket path; do not reuse the key Imperva writes with.
- Create an index in Splunk called 'imperva'.
- Create a data input in Splunk: go to 'Settings' > 'Data Inputs' > locate 'AWS S3' > '+ Add'.
- Fill in the details as in the example below (leave anything not listed at its default):
  Name=imperva, AWS Account=Imperva, Bucket Name=imperva-logs, Key prefix=waflogs/
  More Settings: Set sourcetype=Manual, Source type=imperva:cef, Index=imperva
- Finally, install the 'Imperva CWAF' app.
- Restart Splunk if needed.
- If logs are coming through with strange formatting, check that Compression is disabled in the Imperva WAF console (see the log setup steps above); compressed objects are the usual cause.
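Before pointing the AWS S3 input at the bucket, it is worth confirming that what Imperva actually wrote is what the imperva:cef sourcetype expects: plain-text CEF, one event per line, not a gzip object. The script below is an added example, not part of the Imperva CWAF app or of Imperva's own tooling. It parses CEF header and extension fields (honouring the CEF escapes \| and \=), flags an object whose gzip magic bytes show that Compression was left enabled, and tallies WAF actions. The sample log object, including its vendor/product strings and field names, is constructed for illustration and is not a real Imperva export.

```python
import gzip
import re
from collections import Counter

# Constructed sample of a log object as the procedure above expects it:
# uncompressed CEF, one event per line. The vendor/product names and the
# extension fields are illustrative assumptions, not a real Imperva export.
SAMPLE_OBJECT = (
    b"CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3|"
    b"src=203.0.113.7 requestMethod=GET request=example.com/search?q\\=1 "
    b"requestClientApplication=Mozilla/5.0 (X11; Linux x86_64) "
    b"act=REQ_CHALLENGE_CAPTCHA\n"
    b"CEF:0|Incapsula|SIEMintegration|1|2|Bad Bot|2|"
    b"src=198.51.100.23 requestMethod=POST request=example.com/login "
    b"act=REQ_BLOCKED\n"
)

# The same object as it would land in the bucket with Compression left on
# (simulated here with gzip; this is the case the last step above warns about).
SAMPLE_OBJECT_GZ = gzip.compress(SAMPLE_OBJECT)

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")

# Split the header on '|' that is not preceded by a backslash (CEF escapes '|' as '\|').
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")

# Extension: key=value pairs separated by spaces. Values may contain spaces,
# so a value ends where the next ' key=' starts. An escaped '\=' is part of
# the value, an unescaped '=' is not allowed inside one by the CEF spec.
_EXT_RE = re.compile(
    r"(?P<key>[A-Za-z0-9_.]+)=(?P<val>(?:\\.|[^\\=])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)"
)
GZIP_MAGIC = b"\x1f\x8b"


def _unescape(value: str) -> str:
    """Remove CEF backslash escapes (\\=, \\|, \\\\)."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_cef(line: str) -> dict:
    """Parse one CEF record into header fields plus an 'extension' dict."""
    line = line.rstrip("\r\n")
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF record: {line[:40]!r}")
    record = {name: _unescape(val) for name, val in zip(HEADER_FIELDS, parts[:7])}
    record["severity"] = int(record["severity"])  # CEF severity is 0-10
    record["extension"] = {
        m.group("key"): _unescape(m.group("val")) for m in _EXT_RE.finditer(parts[7])
    }
    return record


def inspect_object(data: bytes) -> dict:
    """Check a log object the way the Splunk input will see it.

    Returns whether it was gzip-compressed (meaning Compression is still on
    in the Imperva console), the parsed records, and a count per WAF action.
    Raises ValueError if any non-empty line is not CEF.
    """
    compressed = data[:2] == GZIP_MAGIC
    if compressed:
        data = gzip.decompress(data)
    text = data.decode("utf-8")
    records = [parse_cef(l) for l in text.splitlines() if l.strip()]
    actions = Counter(r["extension"].get("act", "unknown") for r in records)
    return {"compressed": compressed, "records": records, "actions": dict(actions)}


if __name__ == "__main__":
    for label, obj in (("plain", SAMPLE_OBJECT), ("gzip", SAMPLE_OBJECT_GZ)):
        result = inspect_object(obj)
        status = "COMPRESSED - disable Compression in the Imperva console" \
            if result["compressed"] else "ok (plain-text CEF)"
        print(f"{label}: {status}; {len(result['records'])} events; "
              f"actions={result['actions']}")
```

To run it against a real object, replace SAMPLE_OBJECT with the bytes of a file downloaded from the bucket path; a "COMPRESSED" result explains the "strange formatting" symptom, and a ValueError means the object is not the CEF format the sourcetype expects (for example, because a different format type was selected in the console).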
1.1.1
- Travis Anderson