# AWS Web Application Firewall Add-on

Download the [AWS Web Application Firewall Add-on](https://splunkbase.splunk.com/app/4714/)

Install onto CM and SH

## Installing onto cluster master:

```
scp aws-web-application-firewall-add-on_101.tgz dev-moose-splunk-cm:
ssh dev-moose-splunk-cm
tar xvzf aws-web-application-firewall-add-on_101.tgz
sudo mv TA-aws_waf /opt/splunk/etc/master-apps/
sudo mkdir /opt/splunk/etc/master-apps/TA-aws_waf/local
sudo vim /opt/splunk/etc/master-apps/TA-aws_waf/local/inputs.conf
```

Generate a HEC token via `uuidgen` (or `uuidgen | tr '[:upper:]' '[:lower:]'` if you prefer lowercase)

```
[http://aws_waf_logs]
disabled = 0
index = test
indexes = test
sourcetype = aws:waf
useACK = 1
token = <TOKEN_HERE>
```

```
sudo chown -R splunk:splunk /opt/splunk/etc/master-apps/TA-aws_waf/
sudo -u splunk /opt/splunk/bin/splunk btool check
sudo -u splunk /opt/splunk/bin/splunk validate cluster-bundle
sudo -u splunk /opt/splunk/bin/splunk show cluster-bundle-status
sudo -u splunk /opt/splunk/bin/splunk 
```

## Installing onto SH

```
scp aws-web-application-firewall-add-on_101.tgz dev-moose-splunk-sh:
ssh dev-moose-splunk-sh
tar xvzf aws-web-application-firewall-add-on_101.tgz
sudo mv TA-aws_waf /opt/splunk/etc/apps/
sudo chown -R splunk:splunk /opt/splunk/etc/apps/TA-aws_waf
sudo -u splunk /opt/splunk/bin/splunk restart
```