All AWS WAF events go to message field even after using correct mapping

Hi, I'm using Logstash to ingest AWS WAF logs from S3 using S3 Input login with SQS, and the logs are going through to Elasticsearch. I can see them in Kibana, but all the WAF events go to the message field. I have tried to use the following mapping but it's not working. All the logs still go to the message field. The same goes for the AWS WAF integration.

But if I manually upload the log file then it works well.

Can someone please help me? Thanks

{
  "properties": {
    "@timestamp": {
      "type": "date"
    },
    "action": {
      "type": "keyword"
    },
    "formatVersion": {
      "type": "long"
    },
    "httpRequest": {
      "type": "object"
    },
    "httpSourceId": {
      "type": "keyword"
    },
    "httpSourceName": {
      "type": "keyword"
    },
    "labels": {
      "type": "object"
    },
    "ruleGroupList": {
      "type": "object"
    },
    "terminatingRuleId": {
      "type": "keyword"
    },
    "terminatingRuleType": {
      "type": "keyword"
    },
    "timestamp": {
      "type": "date",
      "format": "epoch_millis"
    },
    "webaclId": {
      "type": "keyword"
    }
  }
}
