fastly-logs Log Parser

« fastly-logs »
v0.6 by crowdsecurity
Log parser

fastly logs parser

Installation

cscli parsers install crowdsecurity/fastly-logs

Description

Parser for fastly logs with default format (see faslty documentation)

Mandatory You need to add those labels on the acquisition:

labels:
  type: syslog
  external_format: fastly

YAML Configuration

1filter: "evt.Line.Labels.external_format == 'fastly'"
2onsuccess: next_stage
3#debug: true
4name: crowdsecurity/fastly-logs
5description: fastly logs parser
6pattern_syntax:
7  DOUBLE_NUM: "[0-9]{2}"
8grok:
9  pattern: "%{GREEDYDATA:fastly_timestamp}\\+%{DOUBLE_NUM:tz_part1}%{DOUBLE_NUM:tz_part2}"
10  expression: JsonExtract(evt.Parsed.message, "timestamp")
11statics:
12  - meta: service
13    value: http
14  - meta: log_type
15    value: http_access-log
16  - target: evt.StrTime
17    expression: evt.Parsed.fastly_timestamp + ".00+" + evt.Parsed.tz_part1 + ":" + evt.Parsed.tz_part2
18  - meta: source_ip
19    expression: JsonExtract(evt.Parsed.message, "client_ip")
20  - target: evt.Parsed.request
21    expression: JsonExtract(evt.Parsed.message, "url")
22  - meta: http_path
23    expression: JsonExtract(evt.Parsed.message, "url")
24  - parsed: verb
25    expression: JsonExtract(evt.Parsed.message, "request_method")
26  - meta: verb
27    expression: JsonExtract(evt.Parsed.message, "request_method")
28  - parsed: http_referer
29    expression: JsonExtract(evt.Parsed.message, "request_referer")
30  - parsed: http_user_agent
31    expression: JsonExtract(evt.Parsed.message, "request_user_agent")
32  - meta: http_user_agent
33    expression: JsonExtract(evt.Parsed.message, "request_user_agent")
34  - meta: http_status
35    expression: JsonExtract(evt.Parsed.message, "response_status")
36  - parsed: body_bytes_sent
37    expression: JsonExtract(evt.Parsed.message, "response_body_size")

Hub configuration

« fastly-logs »v0.6 by crowdsecurityLog parser

« fastly-logs »
v0.6 by crowdsecurity
Log parser