Configure Imperva Collection

Collecting Imperva WAF logs enables Alert Logic to ingest and parse data from your Imperva devices. Alert Logic analytics use this data to identify suspicious communication with internet hosts that Alert Logic considers threat actors. Significant security findings from your Imperva devices result in the creation of incidents that you can manage in the Alert Logic console.

You must complete the following to send data from your Imperva WAF logs to Alert Logic:

  1. Configure Imperva device
  2. Configure S3 bucket ingestion with Alert Logic
  3. Verify log collection

Configure Imperva device

  1. In AWS, select an existing S3 bucket or create a new one.
  2. To configure the Imperva device to send logs, do the following:
    1. Sign in to the Imperva console.
    2. Select Logs > Log Setup.
    3. Select Amazon S3 and then enter the following:
      Note: You will need an AWS IAM user with the 'AmazonS3FullAccess' policy.
      1. Access key: <from IAM user>
      2. Secret key: <from IAM user>
      3. Path: <your S3 bucket path> (for example, TestBucket/ImpervaLogs)
  3. Select the JSON format.
  4. Select the option to not compress files.
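
The JSON format and no-compression options selected above can be checked on an object that Imperva has written to the bucket path. The following is an added example, not Alert Logic or Imperva code: it takes the bytes of one downloaded object and reports whether they are uncompressed, valid JSON. The sample objects are constructed, and the layout (one JSON document per object, or one JSON object per line) is an assumption.

```python
import gzip
import json
import zlib
from typing import Optional

# Constructed sample objects (not real Imperva output).
SAMPLE_JSON = (b'{"event": "constructed-sample-1", "action": "blocked"}\n'
               b'{"event": "constructed-sample-2", "action": "allowed"}\n')
SAMPLE_GZIP = gzip.compress(SAMPLE_JSON)
SAMPLE_ZLIB = zlib.compress(SAMPLE_JSON)
SAMPLE_TEXT = b"CEF:0|constructed|sample|1.0|1|not json|5|\n"


def looks_compressed(data: bytes) -> Optional[str]:
    """Return 'gzip' or 'zlib' if the leading bytes match that header."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    # zlib header: method 8 (deflate) and a 16-bit value divisible by 31.
    if len(data) >= 2 and (data[0] & 0x0F) == 8 and ((data[0] << 8) | data[1]) % 31 == 0:
        return "zlib"
    return None


def check_log_object(data: bytes) -> dict:
    """Check one downloaded object: uncompressed, UTF-8, valid JSON."""
    result = {"compressed": looks_compressed(data), "events": 0, "error": None}
    if result["compressed"]:
        result["error"] = "object is %s-compressed" % result["compressed"]
        return result
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        result["error"] = "not UTF-8 text"
        return result
    # Assumption: one JSON document per object, or one JSON object per line.
    try:
        doc = json.loads(text)
        result["events"] = len(doc) if isinstance(doc, list) else 1
    except json.JSONDecodeError:
        lines = [ln for ln in text.splitlines() if ln.strip()]
        try:
            for ln in lines:
                json.loads(ln)
        except json.JSONDecodeError as exc:
            result["error"] = "invalid JSON: %s" % exc.msg
            return result
        result["events"] = len(lines)
    if result["events"] == 0:
        result["error"] = "empty object"
    return result
```

An object that returns a non-empty "error" points back to the format or compression option in the Imperva log setup.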

Configure S3 bucket ingestion with Alert Logic

The Imperva collector uses an IAM role and an SNS topic to grant Alert Logic access to pull from your S3 bucket. To configure this access, see Configure collection in the Alert Logic console.

Verify log collection

After you have configured an S3 bucket and your Imperva device, it is recommended that you verify that log collection is successful. It may take up to 15 minutes for Alert Logic to begin receiving logs.

  1. Navigate to Configure > Application Registry > Configured Applications and click the collector you created.
  2. After expanding the window, click View Logs.
  3. On the Search page, click Search.
  4. Verify that logs display for the new collector.