Created
December 13, 2024 16:52
-
-
Save JamoCA/3dd64a83072a3b6a49c0bcfca81fc258 to your computer and use it in GitHub Desktop.
Fastly configuration to collect WAF request logs for Sumo Logic (2021-12-13)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "service_id":"%{req.service_id}V", | |
| "service_version":"%{fastly_info.version}V", | |
| "time_start":"%{begin:%Y-%m-%dT%H:%M:%S%Z}t", | |
| "time_end":"%{end:%Y-%m-%dT%H:%M:%S%Z}t", | |
| "time_elapsed":%{time.elapsed.usec}V, | |
| "client_ip":"%{req.http.Fastly-Client-IP}V", | |
| "request":"%{req.request}V", | |
| "protocol":"%{req.proto}V", | |
| "host":"%{req.http.Fastly-Orig-Host}V", | |
| "origin_host":"%{req.http.Host}V", | |
| "url":"%{cstr_escape(req.url)}V", | |
| "is_ipv6":%{if(req.is_ipv6,"true","false")}V, | |
| "is_tls":%{if(req.is_ssl,"true","false")}V, | |
| "tls_client_protocol":"%{cstr_escape(tls.client.protocol)}V", | |
| "tls_client_servername":"%{cstr_escape(tls.client.servername)}V", | |
| "tls_client_cipher":"%{cstr_escape(tls.client.cipher)}V", | |
| "tls_client_cipher_sha":"%{cstr_escape(tls.client.ciphers_sha)}V", | |
| "tls_client_tlsexts_sha":"%{cstr_escape(tls.client.tlsexts_sha)}V", | |
| "is_h2":%{if(fastly_info.is_h2,"true","false")}V, | |
| "is_h2_push":%{if(fastly_info.h2.is_push,"true","false")}V, | |
| "h2_stream_id":"%{fastly_info.h2.stream_id}V", | |
| "request_referer":"%{cstr_escape(req.http.Referer)}V", | |
| "request_user_agent":"%{cstr_escape(req.http.User-Agent)}V", | |
| "request_accept_content":"%{cstr_escape(req.http.Accept)}V", | |
| "request_accept_language":"%{cstr_escape(req.http.Accept-Language)}V", | |
| "request_accept_encoding":"%{cstr_escape(req.http.Accept-Encoding)}V", | |
| "request_accept_charset":"%{cstr_escape(req.http.Accept-Charset)}V", | |
| "request_connection":"%{cstr_escape(req.http.Connection)}V", | |
| "request_dnt":"%{cstr_escape(req.http.DNT)}V", | |
| "request_forwarded":"%{cstr_escape(req.http.Forwarded)}V", | |
| "request_via":"%{cstr_escape(req.http.Via)}V", | |
| "request_cache_control":"%{cstr_escape(req.http.Cache-Control)}V", | |
| "request_x_requested_with":"%{cstr_escape(req.http.X-Requested-With)}V", | |
| "request_x_forwarded_for":"%{cstr_escape(req.http.X-Forwarded-For)}V", | |
| "status":"%{resp.status}V", | |
| "content_type":"%{cstr_escape(resp.http.Content-Type)}V", | |
| "cache_status":"%{regsub(fastly_info.state,"^(HIT-(SYNTH)|(HITPASS|HIT|MISS|PASS|ERROR|PIPE)).*","\\2\\3")}V", | |
| "is_cacheable":%{if(fastly_info.state~"^(HIT|MISS)$","true","false")}V, | |
| "response_age":"%{cstr_escape(resp.http.Age)}V", | |
| "response_cache_control":"%{cstr_escape(resp.http.Cache-Control)}V", | |
| "response_expires":"%{cstr_escape(resp.http.Expires)}V", | |
| "response_last_modified":"%{cstr_escape(resp.http.Last-Modified)}V", | |
| "response_tsv":"%{cstr_escape(resp.http.TSV)}V", | |
| "geo_datacenter":"%{server.datacenter}V", | |
| "geo_city":"%{client.geo.city}V", | |
| "geo_country_code":"%{client.geo.country_code}V", | |
| "geo_continent_code":"%{client.geo.continent_code}V", | |
| "geo_region":"%{client.geo.region}V", | |
| "req_header_size":%{req.header_bytes_read}V, | |
| "req_body_size":%{req.body_bytes_read}V, | |
| "resp_header_size":%{resp.header_bytes_written}V, | |
| "resp_body_size":%{resp.body_bytes_written}V, | |
| "socket_cwnd":"%{client.socket.cwnd}V", | |
| "socket_nexthop":"%{client.socket.nexthop}V", | |
| "socket_tcpi_rcv_mss":"%{client.socket.tcpi_rcv_mss}V", | |
| "socket_tcpi_snd_mss":"%{client.socket.tcpi_snd_mss}V", | |
| "socket_tcpi_rtt":"%{client.socket.tcpi_rtt}V", | |
| "socket_tcpi_rttvar":"%{client.socket.tcpi_rttvar}V", | |
| "socket_tcpi_rcv_rtt":"%{client.socket.tcpi_rcv_rtt}V", | |
| "socket_tcpi_rcv_space":"%{client.socket.tcpi_rcv_space}V", | |
| "socket_tcpi_last_data_sent":"%{client.socket.tcpi_last_data_sent}V", | |
| "socket_tcpi_total_retrans":"%{client.socket.tcpi_total_retrans}V", | |
| "socket_tcpi_delta_retrans":"%{client.socket.tcpi_delta_retrans}V", | |
| "socket_ploss":"%{client.socket.ploss}V", | |
| "type":"request_logs", | |
| "request_id":"%{req.http.x-request-id}V", | |
| "waf_logged":"%{waf.logged}V", | |
| "waf_block":"%{waf.blocked}V", | |
| "waf_failures":"%{waf.failures}V", | |
| "waf_rule_id":"%{waf.rule_id}V", | |
| "waf_severity":"%{waf.severity}V", | |
| "waf_passed":"%{waf.passed}V", | |
| "waf_logdata":"%{cstr_escape(waf.logdata)}V", | |
| "waf_executed":"%{waf.executed}V", | |
| "waf_anomaly_score":"%{waf.anomaly_score}V", | |
| "waf_sql_score":"%{waf.sql_injection_score}V", | |
| "waf_rfi_score":"%{waf.rfi_score}V", | |
| "waf_lfi_score":"%{waf.lfi_score}V", | |
| "waf_xss_score":"%{waf.xss_score}V", | |
| "waf_http_score":"%{waf.http_violation_score}V", | |
| "waf_php_score":"%{waf.php_injection_score}V", | |
| "waf_rce_score":"%{waf.rce_score}V", | |
| "waf_session_fixation_score":"%{waf.session_fixation_score}V", | |
| "waf_message":"%{cstr_escape(waf.message)}V" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment