Metadata-Version: 2.1
Name: accompanist
Version: 1.1.2
Summary: Analysis AWS WAF logs and generate a report
Author: itsuki
License: MIT
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: click
Requires-Dist: boto3
Requires-Dist: datetime
Requires-Dist: pandas
Requires-Dist: matplotlib
Requires-Dist: PdfPages


# Introduction

## What is Accomapnist?
It's an accompanist on AWS WAF log analysis.
You can analysis AWS WAF log and generate analysis report automatically with only 3 steps.
When you use AWS WAF and CloudWatch Logs, this tool may be helpful for instant log analysis and understanding tendency of blocked or counted accesses.

- The feature & Report Item
    - Histgram of requests
    - Top 5 of below items
        - Blocked or counted rule group
        - URI path
        - IP address
        - Country code
    - The hit count on specific paths
    - Comment (An optionally writable area)

## Prerequisite

- Target WAF
    - AWS WAFv2
        - Logging: CloudWatch Logs
        - Action: BLOCK or COUNT
    - Third Party WAF (using WebACL)
        - Logging: CloudWatch Logs
        - Action: BLOCK or COUNT

- Requirement of Client Environment
    - IAM Role/User: including permissions to execute as follows
        - (1) `start_query` of Logs Insights
        - (2) `get_query_result` of Logs Insights
        - The example policy is noted the last

# Get Started

## Install

```bash
$ pip install accompanist
```

## Usage

1. Configure settings with a following command, then config.json file is generated.

```bash
$ accompanist init
```

- The log group name must be set with this command or you can edit the config.json directly.

2. Get query result

(e.g.) To get BLOCK log for 3 days

```bash
$ accompanist listen -a BLOCK -d 3
```

3. Generate report (PDF format)

```bash
$ accompanist play
```

## Uninstall

```bash
$ pip uninstall accompanist
```
# Subcommnads

## init

### Usage:

```bash
accompanist init  # interactive inputting process
```

### Feature:

- Configure CWL log group setting.

### Options:

```bash
  -l, --log-group TEXT  Set a CloudWatch Logs Log group name.  [required]
  -p, --path TEXT       Set a URI path for counts that is blocked/counted.[required]
  -c, --comment TEXT    Set a comment for report.  [required]
  -h, --help            Show this message and exit.
```
## listen

### Usage:
```
accompanist listen [OPTIONS]
```
### Feature:

- Get a WAF log file in CSV format.

### Options:

```
  -a, --action [BLOCK|COUNT]  Chose an action type of AWS WAF. The default is
                              "BLOCK".  [required]
  -d, --days INTEGER          Set a number of the past days until today for
                              analysis target period.
  -s, --start_time INTEGER    Set a UNIX time of the oldest time for analysis
                              target period (instead of "--days").
  -e, --end_time INTEGER      Set a UNIX time of the latest time for analysis
                              target period (instead of "--days").
  -r, --raw-log               Output raw log file and the excerpted log file
                              for debugging.
  -h, --help                  Show this message and exit.
```

## play

### Usage:
```
accompanist play [OPTIONS]
```

### Feature:

- Analysis WAF logs and generate a report.

### Options:
```
  -c, --colorful                  Set a random color of report theme (instead
                                  of color).
  -d, --color TEXT                Customize a color of report theme with color
                                  code,  (e.g.) #cccccc.
  -m, --mask-ip                   Mask IP addresses on pie chart.
  -u, --utc-offset INTEGER        Set a number of UTC offest. The defaut
                                  offset is UTC+9 (Asia/Tokyo).
  -y, --y-limit [50|100|500|1000]
                                  Adjust a Y-axis max limitation for
                                  histograms due to many requests.
  -h, --help                      Show this message and exit.
```

# Appendix

## IAM Policy

Here is a sample of IAM policy with minimum permissions.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:StartQuery",
            "Resource": [
                "arn:aws:logs:<region>:<aws-acount>:log-group:<log-group-name>:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "logs:GetQueryResults",
            "Resource": "*"
        }
    ]
}
```

Note: The `<region>`, `<aws-acount>` and `<log-group-name>` in this sample policy should be replaced.

## License

### The MIT License

Copyright 2023 Itsuki Yutaka

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


