Metadata-Version: 2.1
Name: accompanist
Version: 1.1.4
Summary: Analysis AWS WAF logs and generate a report
Author: itsuki
License: MIT
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: click
Requires-Dist: boto3
Requires-Dist: datetime
Requires-Dist: pandas
Requires-Dist: matplotlib
Requires-Dist: PdfPages


# Introduction

## What is Accomapnist?
Accompanist is an AWS WAF log analysis tool.  
It enables you to analyze AWS WAF logs and automatically generate comprehensive analysis reports in just three simple steps. If you're using AWS WAF and CloudWatch Logs, this tool can be helpful for instant log analysis and help you understand the trends of blocked or counted accesses.

- Features & Report Items
    - Histgram of requests
        - Total number
        - Number by each provider
    - Top 5 for the following categories:
        - Rule group
        - URI Paths
        - IP addressws
        - Country codes
    - Hit count on specific paths
    - Comment
        - An optional field where you can write additional notes

## Prerequisite

- Target WAF
    - AWS WAFv2
        - Logging: CloudWatch Logs
        - Action: BLOCK or COUNT
    - Third Party WAF (using WebACL)
        - Logging: CloudWatch Logs
        - Action: BLOCK or COUNT

- Requirement of Client Environment
    - IAM Role/User: including permissions to execute as follows
        - (1) `start_query` of Logs Insights
        - (2) `get_query_result` of Logs Insights
        - The example policy is noted the last

# Get Started

## Install

```bash
$ pip install accompanist
```

## Usage

1. First, configure the settings using the following command; this will generate a `config.json` file. 

```bash
$ accompanist init
```

- You must set the log group name using this command, or you can choose to edit the `config.json` file directly.

2. Second, retrieve the query results with the following commnad. 

- For example, to retrieve the `BLOCK` log for the past three days

```bash
$ accompanist listen -a BLOCK -d 3
```

3. Finally, generate a report in PDF format.

```bash
$ accompanist play
```

## Uninstall

```bash
$ pip uninstall accompanist
```
# Subcommnads

## init

### Usage:

```bash
accompanist init  # interactive inputting process
```

### Feature:

- Configure CWL log group setting.

### Options:

```bash
  -l, --log-group TEXT  Set a CloudWatch Logs Log group name.  [required]
  -p, --path TEXT       Set a URI path for counts that is blocked/counted.[required]
  -c, --comment TEXT    Set a comment for report.  [required]
  -h, --help            Show this message and exit.
```
## listen

### Usage:
```
accompanist listen [OPTIONS]
```
### Feature:

- Get a WAF log file in CSV format.

### Options:

```
  -a, --action [BLOCK|COUNT]  Chose an action type of AWS WAF. The default is
                              "BLOCK".  [required]
  -d, --days INTEGER          Set a number of the past days until today for
                              analysis target period.
  -s, --start_time INTEGER    Set a UNIX time of the oldest time for analysis
                              target period (instead of "--days").
  -e, --end_time INTEGER      Set a UNIX time of the latest time for analysis
                              target period (instead of "--days").
  -r, --raw-log               Output raw log file and the excerpted log file
                              for debugging.
  -h, --help                  Show this message and exit.
```

## play

### Usage:
```
accompanist play [OPTIONS]
```

### Feature:

- Analysis WAF logs and generate a report.

### Options:
```
  -c, --colorful                  Set a random color of report theme (instead
                                  of color).
  -d, --color TEXT                Customize a color of report theme with color
                                  code,  (e.g.) #cccccc.
  -m, --mask-ip                   Mask IP addresses on pie chart.
  -u, --utc-offset INTEGER        Set a number of UTC offest. The defaut
                                  offset is UTC+9 (Asia/Tokyo).
  -y, --y-limit [50|100|500|1000]
                                  Adjust a Y-axis max limitation for
                                  histograms due to many requests.
  -h, --help                      Show this message and exit.
```

# Appendix

## IAM Policy

Here is a sample of IAM policy with minimum permissions.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:StartQuery",
            "Resource": [
                "arn:aws:logs:<region>:<aws-acount>:log-group:<log-group-name>:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "logs:GetQueryResults",
            "Resource": "*"
        }
    ]
}
```

Note: The `<region>`, `<aws-acount>` and `<log-group-name>` in this sample policy should be replaced.

## License

### The MIT License

Copyright 2023 Itsuki Yutaka

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

