describe_logging_configuration

NetworkFirewall.Client.describe_logging_configuration(**kwargs)

Returns the logging configuration for the specified firewall.

See also: AWS API Documentation

Request Syntax

response = client.describe_logging_configuration(
    FirewallArn='string',
    FirewallName='string'
)

Parameters:
  • FirewallArn (string) –

    The Amazon Resource Name (ARN) of the firewall.

    You must specify the ARN or the name, and you can specify both.

  • FirewallName (string) –

    The descriptive name of the firewall. You can’t change the name of a firewall after you create it.

    You must specify the ARN or the name, and you can specify both.

Return type:

dict

Returns:

Response Syntax

{
    'FirewallArn': 'string',
    'LoggingConfiguration': {
        'LogDestinationConfigs': [
            {
                'LogType': 'ALERT'|'FLOW'|'TLS',
                'LogDestinationType': 'S3'|'CloudWatchLogs'|'KinesisDataFirehose',
                'LogDestination': {
                    'string': 'string'
                }
            },
        ]
    }
}

Response Structure

  • (dict) –

    • FirewallArn (string) –

      The Amazon Resource Name (ARN) of the firewall.

    • LoggingConfiguration (dict) –

      Defines how Network Firewall performs logging for a Firewall.

      • LogDestinationConfigs (list) –

        Defines the logging destinations for the logs for a firewall. Network Firewall generates logs for stateful rule groups.

        • (dict) –

          Defines where Network Firewall sends logs for the firewall for one log type. This is used in LoggingConfiguration. You can send each type of log to an Amazon S3 bucket, a CloudWatch log group, or a Firehose delivery stream.

          Network Firewall generates logs for stateful rule groups. You can save alert, flow, and TLS log types.

          • LogType (string) –

            The type of log to record. You can record the following types of logs from your Network Firewall stateful engine.

            • ALERT - Logs for traffic that matches your stateful rules when the matching rule has an action that sends an alert. A stateful rule sends alerts for the rule actions DROP, ALERT, and REJECT. For more information, see StatefulRule.

            • FLOW - Standard network traffic flow logs. The stateful rules engine records flow logs for all network traffic that it receives. Each flow log record captures the network flow for a specific standard stateless rule group.

            • TLS - Logs for events that are related to TLS inspection. For more information, see Inspecting SSL/TLS traffic with TLS inspection configurations in the Network Firewall Developer Guide.

          • LogDestinationType (string) –

            The type of storage destination to send these logs to. You can send logs to an Amazon S3 bucket, a CloudWatch log group, or a Firehose delivery stream.

          • LogDestination (dict) –

            The named location for the logs, provided in a key:value mapping that is specific to the chosen destination type.

            • For an Amazon S3 bucket, provide the name of the bucket, with key bucketName, and optionally provide a prefix, with key prefix. The following example specifies an Amazon S3 bucket named DOC-EXAMPLE-BUCKET and the prefix alerts: "LogDestination": { "bucketName": "DOC-EXAMPLE-BUCKET", "prefix": "alerts" }

            • For a CloudWatch log group, provide the name of the CloudWatch log group, with key logGroup. The following example specifies a log group named alert-log-group: "LogDestination": { "logGroup": "alert-log-group" }

            • For a Firehose delivery stream, provide the name of the delivery stream, with key deliveryStream. The following example specifies a delivery stream named alert-delivery-stream: "LogDestination": { "deliveryStream": "alert-delivery-stream" }

            • (string) –

              • (string) –
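
An added example (not part of the boto3 documentation) of auditing this response from a defender's side: it flags expected log types that have no destination, and destinations that lack the key this page lists for their destination type. The function names, the default `expected_types` policy and the sample response are assumptions constructed for illustration.

```python
# Added example: audit a describe_logging_configuration response for logging gaps.
# Destination type -> key that LogDestination must carry, as listed on this page.
REQUIRED_KEY = {
    "S3": "bucketName",
    "CloudWatchLogs": "logGroup",
    "KinesisDataFirehose": "deliveryStream",
}


def audit_logging(response, expected_types=("ALERT", "FLOW")):
    """Return sorted findings; expected_types is an assumed local policy."""
    findings = []
    # Tolerate a response with no LoggingConfiguration or an empty destination list.
    logging_cfg = response.get("LoggingConfiguration") or {}
    configs = logging_cfg.get("LogDestinationConfigs") or []
    seen = set()
    for cfg in configs:
        log_type = cfg.get("LogType")
        dest_type = cfg.get("LogDestinationType")
        dest = cfg.get("LogDestination") or {}
        seen.add(log_type)
        key = REQUIRED_KEY.get(dest_type)
        if key is None:
            findings.append(f"{log_type}: unknown destination type {dest_type!r}")
        elif not dest.get(key):
            findings.append(f"{log_type}: {dest_type} destination missing '{key}'")
    for log_type in expected_types:
        if log_type not in seen:
            findings.append(f"{log_type}: no destination configured")
    return sorted(findings)


def audit_firewall(firewall_name):
    """Fetch the live configuration with boto3 and audit it (needs AWS credentials)."""
    import boto3  # imported lazily so the offline sample below runs without it
    client = boto3.client("network-firewall")
    return audit_logging(client.describe_logging_configuration(FirewallName=firewall_name))


# Constructed sample response, shaped like the Response Syntax on this page.
SAMPLE = {
    "FirewallArn": "arn:aws:network-firewall:us-east-1:111122223333:firewall/example",
    "LoggingConfiguration": {"LogDestinationConfigs": [
        {"LogType": "ALERT", "LogDestinationType": "S3",
         "LogDestination": {"bucketName": "DOC-EXAMPLE-BUCKET", "prefix": "alerts"}},
        {"LogType": "TLS", "LogDestinationType": "CloudWatchLogs",
         "LogDestination": {"deliveryStream": "alert-delivery-stream"}},
    ]},
}

if __name__ == "__main__":
    print("\n".join(audit_logging(SAMPLE)))
```

On the constructed sample this reports that FLOW has no destination and that the TLS entry names a CloudWatchLogs destination without a `logGroup` key.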

Exceptions