All AWS WAF event goes to message field even after using correct mapping

SSP1 · April 3, 2023, 2:55pm

HI, I'm using Logstash to ingest AWS WAF Logs from S3 using S3 Input login with SQS and logs are going through to elasticsearch. I can see those in Kibana but all the waf event goes to message filed. I have tried to use the following mapping but it's not working. Still all the log goes to message filed. Same goes with AWS WAF integration.

But if I manually upload the log file then it works well.

Can someone please help me? Thanks

{
  "properties": {
    "@timestamp": {
      "type": "date"
    },
    "action": {
      "type": "keyword"
    },
    "formatVersion": {
      "type": "long"
    },
    "httpRequest": {
      "type": "object"
    },
    "httpSourceId": {
      "type": "keyword"
    },
    "httpSourceName": {
      "type": "keyword"
    },
    "labels": {
      "type": "object"
    },
    "ruleGroupList": {
      "type": "object"
    },
    "terminatingRuleId": {
      "type": "keyword"
    },
    "terminatingRuleType": {
      "type": "keyword"
    },
    "timestamp": {
      "type": "date",
      "format": "epoch_millis"
    },
    "webaclId": {
      "type": "keyword"
    }
  }
}

system · May 1, 2023, 2:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
WAF logs Configuration from s3 bucket to Elasticsearch Using logstash s3 Plugin Logstash	3	612	November 16, 2022
Logstash: parsing AWS WAF log Logstash	5	3406	September 17, 2019
Logstash: ingest only message on elasticsearch Logstash	2	517	December 2, 2019
Beautifying the awslamda nested logs Using Logstash in Kibana Logstash	40	532	May 2, 2024
Getting 'Badly formatted index, after interpolation still contains placeholder' error when trying to ingest AWS WAF logs Logstash	4	1909	September 13, 2023

All AWS WAF event goes to message field even after using correct mapping

Related topics