Searching key/value pairs in CloudWatch Logs Insights for WAF logs
So, the AWS Cloudfront WAF logs get sent to AWS Cloud Insights. How can I search the random placement of the key / value pairs for the httpRequest array?
Example log looks like this:
httpRequest.headers.0.name host
httpRequest.headers.0.value www.somedomain.com
httpRequest.headers.1.name cache-control
httpRequest.headers.1.value no-cache
httpRequest.headers.2.name pragma
httpRequest.headers.2.value no-cache
httpRequest.headers.3.name accept
httpRequest.headers.3.value */*
httpRequest.headers.4.name accept-encoding
httpRequest.headers.4.value gzip, deflate
httpRequest.headers.5.name from
httpRequest.headers.5.value bingbot(at)microsoft.com
httpRequest.headers.6.name user-agent
httpRequest.headers.6.value Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
So, a JSON array with 2 hashes. The order in that array is random. Sometimes user-agent will be in 1 or 3 or X. How can I search the value of the "value" field that corresponds to the value of the "name" field for "user-agent" ? ie: I want to search for "bingbot" but have it be specific to matching the "user-agent". I know I can just do a filter on @message for bingbot, but that just seems expensive and not specific / prone to false hits.
Okay, so I think the "easiest" way is to treat @message as a string and write your own parse rule, pull the value you want into your own column via a regex and then you can search / do whatever on that.
If anyone has a better idea I'm all ears.
The (?i) marks it as case insensitive.
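The parse-then-filter approach from this answer, written out as an added example (not code from the original post): the regex is checked locally in Python against a constructed WAF-style record whose header order is shuffled, and includes a decoy record where "bingbot" appears only in the from header, which is exactly the false hit a plain @message filter would produce. The Logs Insights query kept as a string is my assumption of the equivalent syntax, since the answer's own query is not on the page.

```python
import json
import random
import re

# Constructed sample headers modelled on the question; "bingbot" appears in two
# headers, but only the user-agent one should count as a hit.
SAMPLE_HEADERS = [
    {"name": "host", "value": "www.somedomain.com"},
    {"name": "accept-encoding", "value": "gzip, deflate"},
    {"name": "from", "value": "bingbot(at)microsoft.com"},
    {"name": "User-Agent", "value": "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"},
]
# Constructed decoy: "bingbot" only in the from header, so a plain
# `filter @message like /bingbot/` matches it while a UA-specific check must not.
DECOY_HEADERS = [
    {"name": "host", "value": "www.somedomain.com"},
    {"name": "from", "value": "bingbot(at)microsoft.com"},
    {"name": "user-agent", "value": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"},
]

# Regex anchored on the name/value pair rather than the whole message: (?i) makes
# the header name case-insensitive, [^"]* stops at the value's closing quote.
# Python spells the group (?P<ua>...); Logs Insights spells it (?<ua>...).
UA_PATTERN = r'(?i)"name"\s*:\s*"user-agent"\s*,\s*"value"\s*:\s*"(?P<ua>[^"]*)"'

# Assumed Logs Insights form of the same parse-then-filter query.
INSIGHTS_QUERY = r"""
fields @timestamp, action
| parse @message /(?i)"name":"user-agent","value":"(?<ua>[^"]*)"/
| filter ua like /(?i)bingbot/
| sort @timestamp desc
"""

def make_record(headers):
    """Serialise a WAF-style JSON message (constructed) with header order shuffled."""
    shuffled = list(headers)
    random.shuffle(shuffled)
    return json.dumps({"action": "ALLOW", "httpRequest": {"headers": shuffled}})

def user_agent_from_message(message):
    """Pull the user-agent value out of @message the way the Insights parse would."""
    m = re.search(UA_PATTERN, message)
    return m.group("ua") if m else None

def is_bingbot_ua(message):
    """True only when bingbot appears in the user-agent header itself."""
    ua = user_agent_from_message(message)
    return ua is not None and "bingbot" in ua.lower()
```

Because the pattern anchors on the name/value pair, the header's index in the array no longer matters, and a record whose only "bingbot" sits in another header is not matched.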
It's given by AWS:
Personally for WAF I found this is useful: