diff --git a/.clabot b/.clabot
index 8d7ef92e41..f14568b825 100644
--- a/.clabot
+++ b/.clabot
@@ -169,7 +169,8 @@
"Hellfire4959",
"antonymartinsumo",
"amee-sumo",
- "chetanchoudhary-sumo"
+ "chetanchoudhary-sumo",
+ "JamoCA"
],
"message": "Thank you for your contribution! As this is an open source project, we require contributors to sign our Contributor License Agreement and do not have yours on file. To proceed with your PR, please [sign your name here](https://forms.gle/YgLddrckeJaCdZYA6) and we will add you to our approved list of contributors.",
"label": "cla-signed",
diff --git a/docs/integrations/saas-cloud/fastly.md b/docs/integrations/saas-cloud/fastly.md
index ae557b247f..4045dbe58e 100644
--- a/docs/integrations/saas-cloud/fastly.md
+++ b/docs/integrations/saas-cloud/fastly.md
@@ -11,12 +11,11 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
Fastly is a content delivery network (CDN) that provides you control over how and where you serve content, access to real-time performance analytics, and the ability to cache unpredictably changing content at the edge.
-
## Log types
The Fastly app uses the following log types:
* Fastly CDN logs
-* Fastly WAF Request and Debug logs. For information about WAF, logging see [Fastly WAF logging](https://docs.fastly.com/guides/web-application-firewall/fastly-waf-logging).
+* Fastly WAF Request and Debug logs. For information about WAF logging, refer to the [Fastly WAF logging](https://docs.fastly.com/guides/web-application-firewall/fastly-waf-logging).
### Sample queries
@@ -33,12 +32,10 @@ _sourceCategory=fastly cacheStatus | parse "\"cacheStatus\":\"*\"" as status | w
_sourceCategory=fastly waf denyRules reqHost | parse "\"denyRules\":\"*\"" as deny, "\"reqHost\":\"*\"" as host | where deny != "" | timeslice 1m | count by host, _timeslice | transpose row _timeslice column host
```
-
## Collecting logs for Fastly
This section has instructions for setting up log collection for the Fastly app.
-
### Step 1: Configure collector and source
In this step, you configure a collector and source to receive Fastly logs.
@@ -57,82 +54,78 @@ Ensure that the data is sent to Sumo Logic in [Log format version 2](https://doc
When you configure the Sumo Logic endpoint in Fastly:
1. **Name**. Enter a name for the connection. For example, “Prod Fastly”.
-2. **Log format**. Enter the [Fastly log variables](https://docs.fastly.com/en/guides/useful-variables-to-log). Use this format string, which generates the necessary JSON output.
-
+2. **Log format**. Enter the [Fastly log variables](https://docs.fastly.com/en/guides/useful-variables-to-log). Use this format string, which generates the necessary JSON output.
-Click to expand snippet
-
- ```
+ Click to expand snippet
+ ```json
{
- "service_id":"%{req.service_id}V",
- "service_version":"%{fastly_info.version}V",
- "time_start":"%{begin:%Y-%m-%dT%H:%M:%S%Z}t",
- "time_end":"%{end:%Y-%m-%dT%H:%M:%S%Z}t",
- "time_elapsed":%{time.elapsed.usec}V,
- "client_ip":"%{req.http.Fastly-Client-IP}V",
- "request":"%{req.request}V",
- "protocol":"%{req.proto}V",
- "host":"%{req.http.Fastly-Orig-Host}V",
- "origin_host":"%{req.http.Host}V",
- "url":"%{cstr_escape(req.url)}V",
- "is_ipv6":%{if(req.is_ipv6, "true", "false")}V,
- "is_tls":%{if(req.is_ssl, "true", "false")}V,
- "tls_client_protocol":"%{cstr_escape(tls.client.protocol)}V",
- "tls_client_servername":"%{cstr_escape(tls.client.servername)}V",
- "tls_client_cipher":"%{cstr_escape(tls.client.cipher)}V",
- "tls_client_cipher_sha":"%{cstr_escape(tls.client.ciphers_sha )}V",
- "tls_client_tlsexts_sha":"%{cstr_escape(tls.client.tlsexts_sha)}V",
- "is_h2":%{if(fastly_info.is_h2, "true", "false")}V,
- "is_h2_push":%{if(fastly_info.h2.is_push, "true", "false")}V,
- "h2_stream_id":"%{fastly_info.h2.stream_id}V",
- "request_referer":"%{cstr_escape(req.http.Referer)}V",
- "request_user_agent":"%{cstr_escape(req.http.User-Agent)}V",
- "request_accept_content":"%{cstr_escape(req.http.Accept)}V",
- "request_accept_language":"%{cstr_escape(req.http.Accept-Language)}V",
- "request_accept_encoding":"%{cstr_escape(req.http.Accept-Encoding)}V",
- "request_accept_charset":"%{cstr_escape(req.http.Accept-Charset)}V",
- "request_connection":"%{cstr_escape(req.http.Connection)}V",
- "request_dnt":"%{cstr_escape(req.http.DNT)}V",
- "request_forwarded":"%{cstr_escape(req.http.Forwarded)}V",
- "request_via":"%{cstr_escape(req.http.Via)}V",
- "request_cache_control":"%{cstr_escape(req.http.Cache-Control)}V",
- "request_x_requested_with":"%{cstr_escape(req.http.X-Requested-With)}V",
- "request_x_forwarded_for":"%{cstr_escape(req.http.X-Forwarded-For)}V",
- "status":"%{resp.status}V",
- "content_type":"%{cstr_escape(resp.http.Content-Type)}V",
- "cache_status":"%{regsub(fastly_info.state, "^(HIT-(SYNTH)|(HITPASS|HIT|MISS|PASS|ERROR|PIPE)).*", "\\2\\3")}V",
- "is_cacheable":%{if(fastly_info.state ~"^(HIT|MISS)$", "true", "false")}V,
- "response_age":"%{cstr_escape(resp.http.Age)}V",
- "response_cache_control":"%{cstr_escape(resp.http.Cache-Control)}V",
- "response_expires":"%{cstr_escape(resp.http.Expires)}V",
- "response_last_modified":"%{cstr_escape(resp.http.Last-Modified)}V",
- "response_tsv":"%{cstr_escape(resp.http.TSV)}V",
- "geo_datacenter":"%{server.datacenter}V",
- "geo_city":"%{client.geo.city}V",
- "geo_country_code":"%{client.geo.country_code}V",
- "geo_continent_code":"%{client.geo.continent_code}V",
- "geo_region":"%{client.geo.region}V",
- "req_header_size":%{req.header_bytes_read}V,
- "req_body_size":%{req.body_bytes_read}V,
- "resp_header_size":%{resp.header_bytes_written}V,
- "resp_body_size":%{resp.body_bytes_written}V,
- "socket_cwnd":%{client.socket.cwnd}V,
- "socket_nexthop":"%{client.socket.nexthop}V",
- "socket_tcpi_rcv_mss":%{client.socket.tcpi_rcv_mss}V,
- "socket_tcpi_snd_mss":%{client.socket.tcpi_snd_mss}V,
- "socket_tcpi_rtt":%{client.socket.tcpi_rtt}V,
- "socket_tcpi_rttvar":%{client.socket.tcpi_rttvar}V,
- "socket_tcpi_rcv_rtt":%{client.socket.tcpi_rcv_rtt}V,
- "socket_tcpi_rcv_space":%{client.socket.tcpi_rcv_space}V,
- "socket_tcpi_last_data_sent":%{client.socket.tcpi_last_data_sent}V,
- "socket_tcpi_total_retrans":%{client.socket.tcpi_total_retrans}V,
- "socket_tcpi_delta_retrans":%{client.socket.tcpi_delta_retrans}V,
- "socket_ploss":%{client.socket.ploss}V
-}
- ```
-
+ "service_id": "%{req.service_id}V",
+ "service_version": "%{fastly_info.version}V",
+ "time_start": "%{begin:%Y-%m-%dT%H:%M:%S%Z}t",
+ "time_end": "%{end:%Y-%m-%dT%H:%M:%S%Z}t",
+ "time_elapsed": "%{time.elapsed.usec}V",
+ "client_ip": "%{req.http.Fastly-Client-IP}V",
+ "request": "%{req.request}V",
+ "protocol": "%{req.proto}V",
+ "host": "%{req.http.Fastly-Orig-Host}V",
+ "origin_host": "%{req.http.Host}V",
+ "url": "%{cstr_escape(req.url)}V",
+ "is_ipv6": "%{if(req.is_ipv6, \"true\", \"false\")}V",
+ "is_tls": "%{if(req.is_ssl, \"true\", \"false\")}V",
+ "tls_client_protocol": "%{cstr_escape(tls.client.protocol)}V",
+ "tls_client_servername": "%{cstr_escape(tls.client.servername)}V",
+ "tls_client_cipher": "%{cstr_escape(tls.client.cipher)}V",
+ "tls_client_cipher_sha": "%{cstr_escape(tls.client.ciphers_sha)}V",
+ "tls_client_tlsexts_sha": "%{cstr_escape(tls.client.tlsexts_sha)}V",
+ "is_h2": "%{if(fastly_info.is_h2, \"true\", \"false\")}V",
+ "is_h2_push": "%{if(fastly_info.h2.is_push, \"true\", \"false\")}V",
+ "h2_stream_id": "%{fastly_info.h2.stream_id}V",
+ "request_referer": "%{cstr_escape(req.http.Referer)}V",
+ "request_user_agent": "%{cstr_escape(req.http.User-Agent)}V",
+ "request_accept_content": "%{cstr_escape(req.http.Accept)}V",
+ "request_accept_language": "%{cstr_escape(req.http.Accept-Language)}V",
+ "request_accept_encoding": "%{cstr_escape(req.http.Accept-Encoding)}V",
+ "request_accept_charset": "%{cstr_escape(req.http.Accept-Charset)}V",
+ "request_connection": "%{cstr_escape(req.http.Connection)}V",
+ "request_dnt": "%{cstr_escape(req.http.DNT)}V",
+ "request_forwarded": "%{cstr_escape(req.http.Forwarded)}V",
+ "request_via": "%{cstr_escape(req.http.Via)}V",
+ "request_cache_control": "%{cstr_escape(req.http.Cache-Control)}V",
+ "request_x_requested_with": "%{cstr_escape(req.http.X-Requested-With)}V",
+ "request_x_forwarded_for": "%{cstr_escape(req.http.X-Forwarded-For)}V",
+ "status": "%{resp.status}V",
+ "content_type": "%{cstr_escape(resp.http.Content-Type)}V",
+ "cache_status": "%{regsub(fastly_info.state, \"^(HIT-(SYNTH)|(HITPASS|HIT|MISS|PASS|ERROR|PIPE)).*\", \"\\2\\3\")}V",
+ "is_cacheable": "%{if(fastly_info.state~\"^(HIT|MISS)$\", \"true\", \"false\")}V",
+ "response_age": "%{cstr_escape(resp.http.Age)}V",
+ "response_cache_control": "%{cstr_escape(resp.http.Cache-Control)}V",
+ "response_expires": "%{cstr_escape(resp.http.Expires)}V",
+ "response_last_modified": "%{cstr_escape(resp.http.Last-Modified)}V",
+ "response_tsv": "%{cstr_escape(resp.http.TSV)}V",
+ "geo_datacenter": "%{server.datacenter}V",
+ "geo_city": "%{client.geo.city}V",
+ "geo_country_code": "%{client.geo.country_code}V",
+ "geo_continent_code": "%{client.geo.continent_code}V",
+ "geo_region": "%{client.geo.region}V",
+ "req_header_size": "%{req.header_bytes_read}V",
+ "req_body_size": "%{req.body_bytes_read}V",
+ "resp_header_size": "%{resp.header_bytes_written}V",
+ "resp_body_size": "%{resp.body_bytes_written}V",
+ "socket_cwnd": "%{client.socket.cwnd}V",
+ "socket_nexthop": "%{client.socket.nexthop}V",
+ "socket_tcpi_rcv_mss": "%{client.socket.tcpi_rcv_mss}V",
+ "socket_tcpi_snd_mss": "%{client.socket.tcpi_snd_mss}V",
+ "socket_tcpi_rtt": "%{client.socket.tcpi_rtt}V",
+ "socket_tcpi_rttvar": "%{client.socket.tcpi_rttvar}V",
+ "socket_tcpi_rcv_rtt": "%{client.socket.tcpi_rcv_rtt}V",
+ "socket_tcpi_rcv_space": "%{client.socket.tcpi_rcv_space}V",
+ "socket_tcpi_last_data_sent": "%{client.socket.tcpi_last_data_sent}V",
+ "socket_tcpi_total_retrans": "%{client.socket.tcpi_total_retrans}V",
+ "socket_tcpi_delta_retrans": "%{client.socket.tcpi_delta_retrans}V",
+ "socket_ploss": "%{client.socket.ploss}V"
+ }
+ ```
-
3. **Collector URL**. Enter the URL for the HTTP source you created in [Step 1](#step-1-configure-collector-and-source) above.
4. Click **Advanced options**.
5. By default the log line format is set to **Classic**. Change it to **Blank.**
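Review bot: The rewritten format string now wraps in quotes the fields the old snippet emitted bare — `time_elapsed`, the `is_ipv6`/`is_tls`/`is_h2`/`is_h2_push`/`is_cacheable` conditionals, and the `req_header_size` through `socket_ploss` counters — so the JSON delivered to Sumo Logic changes type from number/boolean to string, and any query, Field Extraction Rule or dashboard panel that compares or aggregates those fields numerically will need a `num()` cast or the quotes should be dropped again for those keys. The WAF-request snippet in the next hunk carries the same change to the same fields. The `\"true\"` escaping inside the `%{if(...)}V` expressions is new for this snippet; the pre-existing WAF debug snippet already used `\"` inside a quoted value, so it presumably passes through Fastly's format field unchanged, but that is worth confirming once against a live endpoint. If the string typing is intentional, a sentence such as `All values in this format are emitted as JSON strings; cast numeric fields with num() in queries.` after the "Use this format string" line would save readers the surprise.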
@@ -145,155 +138,99 @@ When you configure the Sumo Logic endpoint in Fastly:
If you have Fastly's Web Application Firewall (WAF), perform these steps to update the configuration of the endpoint you created in [Step 2](#step-2-configure-endpoint-in-fastly-for-cdn-logs) above. You are updating the endpoint to receive WAF Request logs as well as CDN logs.
1. Use the JSON object below into the Log format field instead of the one specified in [Configure endpoint in Fastly for CDN logs](#step-2-configure-endpoint-in-fastly-for-cdn-logs).
-
-
-Click to expand snippet
-
- ```
- {
- "service_id":"%{req.service_id}V",
- "service_version":"%{fastly_info.version}V",
- "time_start":"%{begin:%Y-%m-%dT%H:%M:%S%Z}t",
- "time_end":"%{end:%Y-%m-%dT%H:%M:%S%Z}t",
- "time_elapsed":"%"{
- "time.elapsed.usec"
- }"V",
- "client_ip":"%{req.http.Fastly-Client-IP}V",
- "request":"%{req.request}V",
- "protocol":"%{req.proto}V",
- "host":"%{req.http.Fastly-Orig-Host}V",
- "origin_host":"%{req.http.Host}V",
- "url":"%{cstr_escape(req.url)}V",
- "is_ipv6":"%"{
- if(req.is_ipv6,
- "true",
- "false"")"
- }"V",
- "is_tls":"%"{
- "if(req.is_ssl",
- "true",
- "false"")"
- }"V",
- "tls_client_protocol":"%{cstr_escape(tls.client.protocol)}V",
- "tls_client_servername":"%{cstr_escape(tls.client.servername)}V",
- "tls_client_cipher":"%{cstr_escape(tls.client.cipher)}V",
- "tls_client_cipher_sha":"%{cstr_escape(tls.client.ciphers_sha)}V",
- "tls_client_tlsexts_sha":"%{cstr_escape(tls.client.tlsexts_sha)}V",
- "is_h2":"%"{
- if(fastly_info.is_h2,
- "true",
- "false"")"
- }"V",
- "is_h2_push":"%"{
- if(fastly_info.h2.is_push,
- "true",
- "false"")"
- }"V",
- "h2_stream_id":"%{fastly_info.h2.stream_id}V",
- "request_referer":"%{cstr_escape(req.http.Referer)}V",
- "request_user_agent":"%{cstr_escape(req.http.User-Agent)}V",
- "request_accept_content":"%{cstr_escape(req.http.Accept)}V",
- "request_accept_language":"%{cstr_escape(req.http.Accept-Language)}V",
- "request_accept_encoding":"%{cstr_escape(req.http.Accept-Encoding)}V",
- "request_accept_charset":"%{cstr_escape(req.http.Accept-Charset)}V",
- "request_connection":"%{cstr_escape(req.http.Connection)}V",
- "request_dnt":"%{cstr_escape(req.http.DNT)}V",
- "request_forwarded":"%{cstr_escape(req.http.Forwarded)}V",
- "request_via":"%{cstr_escape(req.http.Via)}V",
- "request_cache_control":"%{cstr_escape(req.http.Cache-Control)}V",
- "request_x_requested_with":"%{cstr_escape(req.http.X-Requested-With)}V",
- "request_x_forwarded_for":"%{cstr_escape(req.http.X-Forwarded-For)}V",
- "status":"%{resp.status}V",
- "content_type":"%{cstr_escape(resp.http.Content-Type)}V",
- "cache_status":"%{regsub(fastly_info.state,""^(HIT-(SYNTH)|(HITPASS|HIT|MISS|PASS|ERROR|PIPE)).*"","\\2\\3")}V",
- "is_cacheable":"%"{
- "if(fastly_info.state~""^(HIT|MISS)$",
- "true",
- "false"")"
- }"V",
- "response_age":"%{cstr_escape(resp.http.Age)}V",
- "response_cache_control":"%{cstr_escape(resp.http.Cache-Control)}V",
- "response_expires":"%{cstr_escape(resp.http.Expires)}V",
- "response_last_modified":"%{cstr_escape(resp.http.Last-Modified)}V",
- "response_tsv":"%{cstr_escape(resp.http.TSV)}V",
- "geo_datacenter":"%{server.datacenter}V",
- "geo_city":"%{client.geo.city}V",
- "geo_country_code":"%{client.geo.country_code}V",
- "geo_continent_code":"%{client.geo.continent_code}V",
- "geo_region":"%{client.geo.region}V",
- "req_header_size":"%"{
- "req.header_bytes_read"
- }"V",
- "req_body_size":"%"{
- "req.body_bytes_read"
- }"V",
- "resp_header_size":"%"{
- "resp.header_bytes_written"
- }"V",
- "resp_body_size":"%"{
- "resp.body_bytes_written"
- }"V",
- "socket_cwnd":"%"{
- "client.socket.cwnd"
- }"V",
- "socket_nexthop":"%{client.socket.nexthop}V",
- "socket_tcpi_rcv_mss":"%"{
- "client.socket.tcpi_rcv_mss"
- }"V",
- "socket_tcpi_snd_mss":"%"{
- "client.socket.tcpi_snd_mss"
- }"V",
- "socket_tcpi_rtt":"%"{
- "client.socket.tcpi_rtt"
- }"V",
- "socket_tcpi_rttvar":"%"{
- "client.socket.tcpi_rttvar"
- }"V",
- "socket_tcpi_rcv_rtt":"%"{
- "client.socket.tcpi_rcv_rtt"
- }"V",
- "socket_tcpi_rcv_space":"%"{
- "client.socket.tcpi_rcv_space"
- }"V",
- "socket_tcpi_last_data_sent":"%"{
- "client.socket.tcpi_last_data_sent"
- }"V",
- "socket_tcpi_total_retrans":"%"{
- "client.socket.tcpi_total_retrans"
- }"V",
- "socket_tcpi_delta_retrans":"%"{
- "client.socket.tcpi_delta_retrans"
- }"V",
- "socket_ploss":"%"{
- "client.socket.ploss"
- }"V",
- "type":"request_logs",
- "request_id":"%{req.http.x-request-id}V",
- "waf_logged":"%{waf.logged}V",
- "waf_block":"%{waf.blocked}V",
- "waf_failures":"%{waf.failures}V",
- "waf_rule_id":"%{waf.rule_id}V",
- "waf_severity":"%{waf.severity}V",
- "waf_passed":"%{waf.passed}V",
- "waf_logdata":"%{cstr_escape(waf.logdata)}V",
- "waf_executed":"%{waf.executed}V",
- "waf_anomaly_score":"%{waf.anomaly_score}V",
- "waf_sql_score":"%{waf.sql_injection_score}V",
- "waf_rfi_score":"%{waf.rfi_score}V",
- "waf_lfi_score":"%{waf.lfi_score}V",
- "waf_xss_score":"%{waf.xss_score}V",
- "waf_http_score":"%{waf.http_violation_score}V",
- "waf_php_score":"%{waf.php_injection_score}V",
- "waf_rce_score":"%{waf.rce_score}V",
- "waf_session_fixation_score":"%{waf.session_fixation_score}V",
- "waf_message":"%{cstr_escape(waf.message)}V"
-}
- ```
-
-
-
+
+ Click to expand snippet
+ ```json
+ {
+ "service_id": "%{req.service_id}V",
+ "service_version": "%{fastly_info.version}V",
+ "time_start": "%{begin:%Y-%m-%dT%H:%M:%S%Z}t",
+ "time_end": "%{end:%Y-%m-%dT%H:%M:%S%Z}t",
+ "time_elapsed": "%{time.elapsed.usec}V",
+ "client_ip": "%{req.http.Fastly-Client-IP}V",
+ "request": "%{req.request}V",
+ "protocol": "%{req.proto}V",
+ "host": "%{req.http.Fastly-Orig-Host}V",
+ "origin_host": "%{req.http.Host}V",
+ "url": "%{cstr_escape(req.url)}V",
+ "is_ipv6": "%{if(req.is_ipv6, \"true\", \"false\")}V",
+ "is_tls": "%{if(req.is_ssl, \"true\", \"false\")}V",
+ "tls_client_protocol": "%{cstr_escape(tls.client.protocol)}V",
+ "tls_client_servername": "%{cstr_escape(tls.client.servername)}V",
+ "tls_client_cipher": "%{cstr_escape(tls.client.cipher)}V",
+ "tls_client_cipher_sha": "%{cstr_escape(tls.client.ciphers_sha)}V",
+ "tls_client_tlsexts_sha": "%{cstr_escape(tls.client.tlsexts_sha)}V",
+ "is_h2": "%{if(fastly_info.is_h2, \"true\", \"false\")}V",
+ "is_h2_push": "%{if(fastly_info.h2.is_push, \"true\", \"false\")}V",
+ "h2_stream_id": "%{fastly_info.h2.stream_id}V",
+ "request_referer": "%{cstr_escape(req.http.Referer)}V",
+ "request_user_agent": "%{cstr_escape(req.http.User-Agent)}V",
+ "request_accept_content": "%{cstr_escape(req.http.Accept)}V",
+ "request_accept_language": "%{cstr_escape(req.http.Accept-Language)}V",
+ "request_accept_encoding": "%{cstr_escape(req.http.Accept-Encoding)}V",
+ "request_accept_charset": "%{cstr_escape(req.http.Accept-Charset)}V",
+ "request_connection": "%{cstr_escape(req.http.Connection)}V",
+ "request_dnt": "%{cstr_escape(req.http.DNT)}V",
+ "request_forwarded": "%{cstr_escape(req.http.Forwarded)}V",
+ "request_via": "%{cstr_escape(req.http.Via)}V",
+ "request_cache_control": "%{cstr_escape(req.http.Cache-Control)}V",
+ "request_x_requested_with": "%{cstr_escape(req.http.X-Requested-With)}V",
+ "request_x_forwarded_for": "%{cstr_escape(req.http.X-Forwarded-For)}V",
+ "status": "%{resp.status}V",
+ "content_type": "%{cstr_escape(resp.http.Content-Type)}V",
+ "cache_status": "%{regsub(fastly_info.state, \"^(HIT-(SYNTH)|(HITPASS|HIT|MISS|PASS|ERROR|PIPE)).*\", \"\\2\\3\")}V",
+ "is_cacheable": "%{if(fastly_info.state~\"^(HIT|MISS)$\", \"true\", \"false\")}V",
+ "response_age": "%{cstr_escape(resp.http.Age)}V",
+ "response_cache_control": "%{cstr_escape(resp.http.Cache-Control)}V",
+ "response_expires": "%{cstr_escape(resp.http.Expires)}V",
+ "response_last_modified": "%{cstr_escape(resp.http.Last-Modified)}V",
+ "response_tsv": "%{cstr_escape(resp.http.TSV)}V",
+ "geo_datacenter": "%{server.datacenter}V",
+ "geo_city": "%{client.geo.city}V",
+ "geo_country_code": "%{client.geo.country_code}V",
+ "geo_continent_code": "%{client.geo.continent_code}V",
+ "geo_region": "%{client.geo.region}V",
+ "req_header_size": "%{req.header_bytes_read}V",
+ "req_body_size": "%{req.body_bytes_read}V",
+ "resp_header_size": "%{resp.header_bytes_written}V",
+ "resp_body_size": "%{resp.body_bytes_written}V",
+ "socket_cwnd": "%{client.socket.cwnd}V",
+ "socket_nexthop": "%{client.socket.nexthop}V",
+ "socket_tcpi_rcv_mss": "%{client.socket.tcpi_rcv_mss}V",
+ "socket_tcpi_snd_mss": "%{client.socket.tcpi_snd_mss}V",
+ "socket_tcpi_rtt": "%{client.socket.tcpi_rtt}V",
+ "socket_tcpi_rttvar": "%{client.socket.tcpi_rttvar}V",
+ "socket_tcpi_rcv_rtt": "%{client.socket.tcpi_rcv_rtt}V",
+ "socket_tcpi_rcv_space": "%{client.socket.tcpi_rcv_space}V",
+ "socket_tcpi_last_data_sent": "%{client.socket.tcpi_last_data_sent}V",
+ "socket_tcpi_total_retrans": "%{client.socket.tcpi_total_retrans}V",
+ "socket_tcpi_delta_retrans": "%{client.socket.tcpi_delta_retrans}V",
+ "socket_ploss": "%{client.socket.ploss}V",
+ "type": "request_logs",
+ "request_id": "%{req.http.x-request-id}V",
+ "waf_logged": "%{waf.logged}V",
+ "waf_block": "%{waf.blocked}V",
+ "waf_failures": "%{waf.failures}V",
+ "waf_rule_id": "%{waf.rule_id}V",
+ "waf_severity": "%{waf.severity}V",
+ "waf_passed": "%{waf.passed}V",
+ "waf_logdata": "%{cstr_escape(waf.logdata)}V",
+ "waf_executed": "%{waf.executed}V",
+ "waf_anomaly_score": "%{waf.anomaly_score}V",
+ "waf_sql_score": "%{waf.sql_injection_score}V",
+ "waf_rfi_score": "%{waf.rfi_score}V",
+ "waf_lfi_score": "%{waf.lfi_score}V",
+ "waf_xss_score": "%{waf.xss_score}V",
+ "waf_http_score": "%{waf.http_violation_score}V",
+ "waf_php_score": "%{waf.php_injection_score}V",
+ "waf_rce_score": "%{waf.rce_score}V",
+ "waf_session_fixation_score": "%{waf.session_fixation_score}V",
+ "waf_message": "%{cstr_escape(waf.message)}V"
+ }
+ ```
+
1. Point the logging endpoint to the `waf_debug_log` subroutine using curl, as described in [waf_debug_log](https://docs.fastly.com/guides/web-application-firewall/fastly-waf-logging#waf_debug_log) in Fastly help.
-2. Create a request_id header to track a single request.
+1. Create a `request_id` header to track a single request.
### Step 4: Collect WAF Debug Logs
@@ -304,46 +241,46 @@ If you have Fastly's Web Application Firewall (WAF), perform these steps to add
2. Create another logging endpoint in Fastly following the instructions [Step 2](#step-2-configure-endpoint-in-fastly-for-cdn-logs), but enter the JSON below in the **Log format** field.
-Click to expand snippet
+ Click to expand snippet
- ```
+ ```json
{
- "type":"debug_logs",
- "service_id":"%{req.service_id}V",
- "client_ip":"%{req.http.Fastly-Client-IP}V",
- "request":"%{req.request}V",
- "protocol":"%{req.proto}V",
- "origin_host":"%{req.http.Host}V",
- "url":"%{cstr_escape(req.url)}V",
- "request_referer":"%{cstr_escape(req.http.Referer)}V",
- "request_user_agent":"%{cstr_escape(req.http.User-Agent)}V",
- "request_accept_content":"%{cstr_escape(req.http.Accept)}V",
- "cache_status":"%{regsub(fastly_info.state, \"^(HIT-(SYNTH)|(HITPASS|HIT|MISS|PASS|ERROR|PIPE|NONE)).*\", \"\\2\\3\")}V",
- "geo_datacenter":"%{server.datacenter}V",
- "geo_city":"%{client.geo.city}V",
- "geo_country_code":"%{client.geo.country_code}V",
- "geo_continent_code":"%{client.geo.continent_code}V",
- "geo_region":"%{client.geo.region}V",
- "request_id":"%{req.http.x-request-id}V",
- "waf_logged":"%{waf.logged}V",
- "waf_block":"%{waf.blocked}V",
- "waf_failures":"%{waf.failures}V",
- "waf_rule_id":"%{waf.rule_id}V",
- "waf_severity":"%{waf.severity}V",
- "waf_passed":"%{waf.passed}V",
- "waf_logdata":"%{cstr_escape(waf.logdata)}V",
- "waf_executed":"%{waf.executed}V",
- "waf_anomaly_score":"%{waf.anomaly_score}V",
- "waf_sql_score":"%{waf.sql_injection_score}V",
- "waf_rfi_score":"%{waf.rfi_score}V",
- "waf_lfi_score":"%{waf.lfi_score}V",
- "waf_xss_score":"%{waf.xss_score}V",
- "waf_http_score":"%{waf.http_violation_score}V",
- "waf_php_score":"%{waf.php_injection_score}V",
- "waf_rce_score":"%{waf.rce_score}V",
- "waf_session_fixation_score":"%{waf.session_fixation_score}V",
- "waf_message":"%{cstr_escape(waf.message)}V"
-}
+ "type": "debug_logs",
+ "service_id": "%{req.service_id}V",
+ "client_ip": "%{req.http.Fastly-Client-IP}V",
+ "request": "%{req.request}V",
+ "protocol": "%{req.proto}V",
+ "origin_host": "%{req.http.Host}V",
+ "url": "%{cstr_escape(req.url)}V",
+ "request_referer": "%{cstr_escape(req.http.Referer)}V",
+ "request_user_agent": "%{cstr_escape(req.http.User-Agent)}V",
+ "request_accept_content": "%{cstr_escape(req.http.Accept)}V",
+ "cache_status": "%{regsub(fastly_info.state, \"^(HIT-(SYNTH)|(HITPASS|HIT|MISS|PASS|ERROR|PIPE|NONE)).*\", \"\\2\\3\")}V",
+ "geo_datacenter": "%{server.datacenter}V",
+ "geo_city": "%{client.geo.city}V",
+ "geo_country_code": "%{client.geo.country_code}V",
+ "geo_continent_code": "%{client.geo.continent_code}V",
+ "geo_region": "%{client.geo.region}V",
+ "request_id": "%{req.http.x-request-id}V",
+ "waf_logged": "%{waf.logged}V",
+ "waf_block": "%{waf.blocked}V",
+ "waf_failures": "%{waf.failures}V",
+ "waf_rule_id": "%{waf.rule_id}V",
+ "waf_severity": "%{waf.severity}V",
+ "waf_passed": "%{waf.passed}V",
+ "waf_logdata": "%{cstr_escape(waf.logdata)}V",
+ "waf_executed": "%{waf.executed}V",
+ "waf_anomaly_score": "%{waf.anomaly_score}V",
+ "waf_sql_score": "%{waf.sql_injection_score}V",
+ "waf_rfi_score": "%{waf.rfi_score}V",
+ "waf_lfi_score": "%{waf.lfi_score}V",
+ "waf_xss_score": "%{waf.xss_score}V",
+ "waf_http_score": "%{waf.http_violation_score}V",
+ "waf_php_score": "%{waf.php_injection_score}V",
+ "waf_rce_score": "%{waf.rce_score}V",
+ "waf_session_fixation_score": "%{waf.session_fixation_score}V",
+ "waf_message": "%{cstr_escape(waf.message)}V"
+ }
```
@@ -359,15 +296,13 @@ parse "\"reqMethod\":\"*\"" as method, "\"status\":\"*\"" as status, "\"fwdHost\
There is a 200 field name limit for Field Extraction Rules (FER) and once a field is persisted using a FER, it can’t be removed. You can assign different targets to the name, but do not create overlapping messages and source categories.
-
-
## Installing the Fastly app
import AppInstall2 from '../../reuse/apps/app-install-v2.md';
-## Viewing Fastly dashboards
+## Viewing the Fastly dashboards
import ViewDashboards from '../../reuse/apps/view-dashboards.md';
@@ -390,7 +325,7 @@ The overview dashboard provides a high-level view of your Fastly traffic and ide
### CDN - Origin Performance
-Focus in on Origin Host performance to check latencies, slow URLs and error-causing URLs.
+Focus in on Origin Host performance to check latencies, slow URLs, and error-causing URLs.