`cscli parsers install openappsec/openappsec-logs` — A parser for open-appsec WAF logs. It supports logs from the prevention action.
# CrowdSec parser for open-appsec WAF events.
#
# Accepts only JSON events tagged program=openappsec whose audience is
# "Security", whose severity is critical or high, and whose practice subtype
# is a web application / web API practice. Selected fields are then copied
# into evt.Meta for downstream scenarios.
name: openappsec/openappsec-logs
description: 'Parse openappsec logs'
# Conjuncts are evaluated left to right: UnmarshalJSON must succeed (it returns
# '' or nil) before any evt.Unmarshaled.openappsec.* lookup is attempted.
filter: >-
  evt.Parsed.program == 'openappsec'
  && UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, 'openappsec') in ['', nil]
  && evt.Unmarshaled.openappsec.eventAudience == 'Security'
  && Lower(evt.Unmarshaled.openappsec.eventSeverity) in ['critical', 'high']
  && Lower(evt.Unmarshaled.openappsec.eventData.practiceSubType) in ['web application','web api']
debug: false
onsuccess: next_stage
statics:
  # Fixed tags that let scenarios select events produced by this parser.
  - meta: service
    value: 'openappsec'
  - meta: log_type
    value: 'openappsec_security_log'
  # Event timestamp (Go layout string + raw value); presumably consumed by a
  # later date-parsing stage that is not part of this file.
  - target: evt.StrTimeFormat
    value: '2006-01-02T15:04:05'
  - target: evt.StrTime
    expression: evt.Unmarshaled.openappsec.eventTime
  # Top-level event descriptors.
  - meta: event_name
    expression: evt.Unmarshaled.openappsec.eventName
  - meta: event_severity
    expression: evt.Unmarshaled.openappsec.eventSeverity
  - meta: event_priority
    expression: evt.Unmarshaled.openappsec.eventPriority
  - meta: event_audience
    expression: evt.Unmarshaled.openappsec.eventAudience
  # NOTE(review): httpSourceId feeds both source_ip and source_identifier.
  # Confirm that in your deployment it holds the client IP and not a value
  # derived from an attacker-settable forwarded header before building
  # ban decisions on source_ip.
  - meta: source_ip
    expression: evt.Unmarshaled.openappsec.eventData.httpSourceId
  - meta: event_confidence
    expression: evt.Unmarshaled.openappsec.eventData.eventConfidence
  - meta: security_action
    expression: evt.Unmarshaled.openappsec.eventData.securityAction
  - meta: source_identifier
    expression: evt.Unmarshaled.openappsec.eventData.httpSourceId
  - meta: target_fqdn
    expression: evt.Unmarshaled.openappsec.eventData.httpHostName
  # Details of the matched rule. matched_sample presumably carries a fragment
  # of the offending request, i.e. attacker-controlled content: treat it as
  # untrusted wherever it is displayed or logged downstream.
  - meta: matched_sample
    expression: evt.Unmarshaled.openappsec.eventData.matchedSample
  - meta: matched_parameter
    expression: evt.Unmarshaled.openappsec.eventData.matchedParameter
  - meta: matched_location
    expression: evt.Unmarshaled.openappsec.eventData.matchedLocation
  - meta: incident_type
    expression: evt.Unmarshaled.openappsec.eventData.waapIncidentType