cscli parsers install crowdsecurity/aws-cloudfront
A parser for AWS CloudFront access logs.
CloudFront delivers its logs to S3, so you can use the crowdsec S3 datasource to read them.
An example of the acquisition configuration is:
source: s3
polling_method: sqs
sqs_name: my-queue
sqs_format: s3notification
aws_region: eu-west-1
use_time_machine: true
labels:
  type: aws-cloudfront
Because CloudFront will not deliver the logs in real time, you must set the use_time_machine option to force crowdsec to use the timestamp in the log itself, or you are very likely to run into false positives.
onsuccess: next_stage
filter: "evt.Line.Labels.type == 'aws-cloudfront'"
name: crowdsecurity/aws-cloudfront
description: "Parse AWS CloudFront access logs"
grok:
  pattern: '%{YEAR:year}-%{MONTHNUM2:month}-%{MONTHDAY:day}\s+%{TIME:time}\s+%{DATA:x_edge_location}\s+%{NUMBER:sc_bytes}\s+%{IP:c_ip}\s+%{WORD:cs_method}\s+%{HOSTNAME:cs_host}\s+%{DATA:cs_uri_stem}\s+%{NUMBER:sc_status}\s+%{DATA:cs_referer}\s+%{DATA:cs_user_agent}\s+%{DATA:cs_uri_query}\s+%{DATA:cs_cookie}\s+%{WORD:x_edge_result_type}\s+%{DATA:x_edge_request_id}\s+%{HOSTNAME:x_host_header}\s+%{WORD:cs_protocol}\s+%{NUMBER:cs_bytes}\s+%{NUMBER:time_taken}\s+%{DATA:x_forwarded_for}\s+%{DATA:ssl_protocol}\s+%{DATA:ssl_cipher}\s+%{WORD:x_edge_response_result_type}\s+%{DATA:cs_protocol_version}\s+%{DATA:fle_status}\s+%{DATA:fle_encrypted_fields}\s+%{NUMBER:c_port}\s+%{NUMBER:time_to_first_byte}\s+%{WORD:x_edge_detailed_result_type}\s+%{DATA:sc_content_type}\s+%{DATA:sc_content_len}\s+%{DATA:sc_range_start}\s+%{DATA:sc_range_end}'
  apply_on: message
statics:
  - meta: service
    value: http
  - meta: log_type
    value: http_access-log
  - target: evt.StrTime
    expression: "evt.Parsed.year + '-' + evt.Parsed.month + '-' + evt.Parsed.day + 'T' + evt.Parsed.time + 'Z'"
  - meta: source_ip
    expression: "evt.Parsed.c_ip"
  - meta: http_status
    expression: "evt.Parsed.sc_status"
  - meta: http_path
    expression: |
      evt.Parsed.cs_uri_query == "-" ? evt.Parsed.cs_uri_stem : evt.Parsed.cs_uri_stem + '?' + evt.Parsed.cs_uri_query
  - meta: http_verb
    expression: "evt.Parsed.cs_method"
  - meta: http_user_agent
    expression: "evt.Parsed.cs_user_agent"
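As an added illustration (not part of the hub page or of the parser itself), the following Python reproduces what the grok pattern and the statics above do to one log line: the same 35 field names, the '-' handling for cs_uri_query, and the log-derived evt.StrTime that use_time_machine makes crowdsec evaluate the event at. The sample line is constructed, not real traffic.

```python
from datetime import datetime, timezone
# Capture names in the order the parser's grok pattern assigns them. CloudFront
# writes 33 tab-separated fields; the grok splits `date` into year/month/day.
FIELDS = [
    "year", "month", "day", "time", "x_edge_location", "sc_bytes", "c_ip", "cs_method",
    "cs_host", "cs_uri_stem", "sc_status", "cs_referer", "cs_user_agent", "cs_uri_query",
    "cs_cookie", "x_edge_result_type", "x_edge_request_id", "x_host_header", "cs_protocol",
    "cs_bytes", "time_taken", "x_forwarded_for", "ssl_protocol", "ssl_cipher",
    "x_edge_response_result_type", "cs_protocol_version", "fle_status", "fle_encrypted_fields",
    "c_port", "time_to_first_byte", "x_edge_detailed_result_type", "sc_content_type",
    "sc_content_len", "sc_range_start", "sc_range_end",
]

def parse_cloudfront_line(line: str) -> dict:
    """Split a line into the grok's field names; CloudFront URL-encodes values, so whitespace is safe."""
    tokens = line.split()  # same split the grok's \s+ separators perform
    if len(tokens) != 33:
        raise ValueError(f"expected 33 fields, got {len(tokens)}")
    year, month, day = tokens[0].split("-")
    return dict(zip(FIELDS, [year, month, day, *tokens[1:]]))

def enrich(parsed: dict) -> dict:
    """Apply the parser's `statics` block: the meta fields and evt.StrTime."""
    stem, query = parsed["cs_uri_stem"], parsed["cs_uri_query"]
    meta = {
        "service": "http",
        "log_type": "http_access-log",
        "source_ip": parsed["c_ip"],
        "http_status": parsed["sc_status"],
        "http_verb": parsed["cs_method"],
        "http_user_agent": parsed["cs_user_agent"],
        # '-' means "no query string"; the parser then keeps the bare path.
        "http_path": stem if query == "-" else f"{stem}?{query}",
    }
    str_time = f"{parsed['year']}-{parsed['month']}-{parsed['day']}T{parsed['time']}Z"
    return {"meta": meta, "str_time": str_time}

def event_time(str_time: str) -> datetime:
    """UTC time use_time_machine makes crowdsec use, rather than the time the S3 object was read."""
    return datetime.strptime(str_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed sample line (not real traffic), tab-separated as CloudFront writes it.
SAMPLE = "\t".join([
    "2024-05-01", "12:34:56", "FRA56-C1", "1024", "203.0.113.7", "GET",
    "d111111abcdef8.cloudfront.net", "/search", "200", "-",
    "Mozilla/5.0%20(X11;%20Linux%20x86_64)", "q=crowdsec", "-", "Miss",
    "EXAMPLEREQUESTID==", "www.example.com", "https", "512", "0.002", "-", "TLSv1.3",
    "TLS_AES_128_GCM_SHA256", "Miss", "HTTP/2.0", "-", "-", "44321", "0.002", "Miss",
    "text/html", "-", "-", "-",
])
```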