cscli parsers install openappsec/openappsec-logs
A CrowdSec parser for open-appsec WAF logs. It keeps only security events of critical or high severity raised by the web application / web API practices, and records the security action (e.g. prevention) in the event metadata rather than filtering on it.
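# CrowdSec parser for open-appsec WAF security events.
# An earlier stage is expected to have set evt.Parsed.program and left the raw
# open-appsec JSON document in evt.Parsed.message; every field below is read
# from that document with JsonExtract.
name: openappsec/openappsec-logs
description: "Parse openappsec logs"
# Keep only events tagged as security events (eventAudience == Security) with
# critical/high severity from the "web application" / "web api" practices.
# Severity and practice subtype are lower-cased before comparison, so those two
# checks are case-insensitive; eventAudience is compared as-is.
# The filter does not look at eventData.securityAction, so events are kept
# whether open-appsec prevented or only detected; the action is exposed below
# as meta.security_action for scenarios to decide on.
filter: "evt.Parsed.program == 'openappsec' && JsonExtract(evt.Parsed.message, 'eventAudience') == 'Security' && Lower(JsonExtract(evt.Parsed.message, 'eventSeverity')) in ['critical', 'high'] && Lower(JsonExtract(evt.Parsed.message, 'eventData.practiceSubType')) in ['web application','web api']"
debug: false
onsuccess: next_stage
statics:
  - meta: service
    value: openappsec
  - meta: log_type
    value: openappsec_security_log
  # Event timestamp, parsed from the eventTime field with a Go time layout.
  # NOTE(review): the layout carries no timezone and no fractional seconds —
  # confirm it matches the eventTime strings open-appsec actually emits, and
  # which timezone they are in, or events will be timestamped wrongly.
  - target: evt.StrTimeFormat
    value: "2006-01-02T15:04:05"
  - target: evt.StrTime
    expression: JsonExtract(evt.Parsed.message, "eventTime")
  - meta: event_name
    expression: JsonExtract(evt.Parsed.message, "eventName")
  - meta: event_severity
    expression: JsonExtract(evt.Parsed.message, "eventSeverity")
  - meta: event_priority
    expression: JsonExtract(evt.Parsed.message, "eventPriority")
  - meta: event_audience
    expression: JsonExtract(evt.Parsed.message, "eventAudience")
  # source_ip is the conventional key CrowdSec scenarios and decisions use for
  # the remediation target. It is taken from eventData.httpSourceId, the same
  # field that feeds meta.source_identifier below.
  # NOTE(review): if httpSourceId is not guaranteed to be the client IP (e.g.
  # open-appsec identifying sources by a header or cookie value), a decision on
  # this value would not target an IP — confirm against the deployment's
  # source-identifier configuration.
  - meta: source_ip
    expression: JsonExtract(evt.Parsed.message, "eventData.httpSourceId")
  - meta: event_confidence
    expression: JsonExtract(evt.Parsed.message, "eventData.eventConfidence")
  # Action open-appsec took (e.g. prevent vs detect); not filtered on here.
  - meta: security_action
    expression: JsonExtract(evt.Parsed.message, "eventData.securityAction")
  # Same field as source_ip; kept as a separate key so scenarios can refer to
  # the raw identifier independently of the remediation target.
  - meta: source_identifier
    expression: JsonExtract(evt.Parsed.message, "eventData.httpSourceId")
  # matchedSample presumably carries the request fragment that triggered the
  # rule, i.e. attacker-controlled content — treat as untrusted when it is
  # rendered in alerts or notifications (TODO confirm field semantics).
  - meta: matched_sample
    expression: JsonExtract(evt.Parsed.message, "eventData.matchedSample")
  - meta: matched_parameter
    expression: JsonExtract(evt.Parsed.message, "eventData.matchedParameter")
  - meta: matched_location
    expression: JsonExtract(evt.Parsed.message, "eventData.matchedLocation")
  - meta: incident_type
    expression: JsonExtract(evt.Parsed.message, "eventData.waapIncidentType")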