Logstash: parsing AWS WAF log

Hi. Can I use the HTTP filter (or another filter) to parse some fields from JSON AWS WAF logs from an S3 bucket?
logstash.conf:
input {
  s3 {
    bucket => "XXXX"
    access_key_id => "XXXX"
    secret_access_key => "XXXX"
    region => "XXX"
    codec => "json"
  }
}

I receive messages like this:
image

Output in kibana should be like:

"httpRequest.headers.Host" => "test.example.com"
"httpRequest.headers.user-agent" => "Mozilla/5.0"

Is it possible to solve this task using the HTTP or any other filter?

I already read the previous discussion)

Thanks for any reply.

Take a look at this.


Thanks. I did everything according to the instructions, but maybe I made a mistake somewhere:

The result has not changed:
image

You need to adjust the ruby code to fit your use case. Your field is called [httpRequest][headers] and [name] and [value] are lowercase.


Thanks! Everything is working!
But I found a small mistake. Need to add "[" and "]":
image
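
The adjustment discussed in the replies above, as an added example that is not the code from the thread or from the linked post: plain Ruby that turns the `[httpRequest][headers]` array of lowercase `name`/`value` pairs into a name-to-value hash. The helper name, the `allow` parameter, the duplicate-header handling and the sample headers are assumptions made for this example.

```ruby
require "json"

# Constructed sample of the [httpRequest][headers] array from a WAF record.
SAMPLE_HEADERS = JSON.parse(<<~SAMPLE)
  [
    {"name": "Host", "value": "test.example.com"},
    {"name": "user-agent", "value": "Mozilla/5.0"},
    {"name": "cookie", "value": "a=1"},
    {"name": "Cookie", "value": "b=2"},
    {"name": "x[0]", "value": "v"},
    {"value": "entry without a name"}
  ]
SAMPLE

# Hypothetical helper. `allow` is an optional list of lowercase header names;
# header names are client-controlled, so an allowlist keeps arbitrary request
# headers from becoming new index fields.
def waf_headers_to_hash(headers, allow: nil)
  return {} unless headers.is_a?(Array)

  headers.each_with_object({}) do |h, out|
    next unless h.is_a?(Hash) && h["name"].is_a?(String) && !h["name"].empty?
    next if allow && !allow.include?(h["name"].downcase)

    # Brackets are Logstash field-reference syntax, so keep them out of names.
    name = h["name"].gsub(/[\[\]]/, "_")
    value = h["value"].to_s

    # A header repeated under different casing is collected into one array.
    existing = out.keys.find { |k| k.casecmp?(name) }
    if existing
      out[existing] = Array(out[existing]) << value
    else
      out[name] = value
    end
  end
end

# Inside a Logstash ruby filter the result would replace the original array:
#   event.set("[httpRequest][headers]",
#             waf_headers_to_hash(event.get("[httpRequest][headers]")))
```

With the array replaced by a hash, Kibana shows the values under names such as `httpRequest.headers.Host`.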
