The FirewallMatchesActions, FirewallMatchesRuleIDs, and FirewallMatchesSources fields are sent to S3 in an array.
When processed through the Lambda, the fields are not being sent to Graylog, or are not being set because of the array.
This is an example message that Cloudflare sent to S3. None of the FirewallMatches fields are in Graylog, but the remaining fields are correctly ingested.
{"ClientIP":"61.3.x.x","ClientRequestHost":"www.example.com","ClientRequestMethod":"POST","ClientRequestURI":"/xmlrpc.php","EdgeResponseBytes":877,"EdgeResponseStatus":403,"RayID":"64ab64879fda6acf","CacheCacheStatus":"unknown","CacheResponseBytes":0,"ClientDeviceType":"desktop","ClientRequestBytes":2376,"ClientRequestPath":"/xmlrpc.php","ClientRequestProtocol":"HTTP/1.1","ClientRequestUserAgent":"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)","EdgeColoCode":"BOM","EdgePathingOp":"ban","EdgeRequestHost":"","EdgeResponseContentType":"text/plain","FirewallMatchesActions":["block"],"FirewallMatchesRuleIDs":["8f80cbfec3484efeb5d116f3c968e007"],"FirewallMatchesSources":["firewallRules"],"OriginIP":"","OriginResponseBytes":0,"OriginResponseStatus":0,"SecurityLevel":"unk","WAFAction":"unknown","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"unknown","WAFRuleID":"","ClientRequestScheme":"https","OriginResponseTime":0,"WAFRuleMessage":"","EdgePathingSrc":"filterBasedFirewall","EdgePathingStatus":"nr","CacheResponseStatus":0}
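One way to make array-valued fields like these ingestible, assuming the arrays are what keeps them out of Graylog: GELF additional fields hold strings or numbers, so each array is joined into one comma-separated string before the message is built. This is an added example, not code from the Lambda or from Cloudflare; the helper names `to_scalar` and `to_gelf`, the `host` value and the choice of `short_message` are assumptions.

```python
import json

# Constructed sample: a trimmed copy of the log line quoted above.
SAMPLE = ('{"ClientIP":"61.3.x.x","ClientRequestURI":"/xmlrpc.php",'
          '"EdgeResponseStatus":403,"RayID":"64ab64879fda6acf",'
          '"FirewallMatchesActions":["block"],'
          '"FirewallMatchesRuleIDs":["8f80cbfec3484efeb5d116f3c968e007"],'
          '"FirewallMatchesSources":["firewallRules"],"OriginIP":""}')


def to_scalar(value, sep=","):
    """Reduce a JSON value to a string or number, or None to drop it."""
    if isinstance(value, bool):          # check before int: bool is an int subclass
        return str(value).lower()
    if isinstance(value, (int, float, str)):
        return value
    if isinstance(value, list):          # e.g. FirewallMatchesActions
        parts = [to_scalar(v, sep) for v in value]
        parts = [str(p) for p in parts if p is not None]
        return sep.join(parts) if parts else None
    if isinstance(value, dict):
        return json.dumps(value, sort_keys=True)
    return None                          # JSON null


def to_gelf(line, host="cloudflare"):
    """Build a GELF 1.1 dict from one log line (hypothetical helper)."""
    record = json.loads(line)
    msg = {"version": "1.1", "host": host,
           "short_message": record.get("ClientRequestURI", "cloudflare log")}
    for key, value in record.items():
        scalar = to_scalar(value)
        if scalar is None:
            continue                     # empty array or null: nothing to index
        msg["_" + key] = scalar          # GELF additional fields start with "_"
    return msg


if __name__ == "__main__":
    print(json.dumps(to_gelf(SAMPLE), indent=2))
```

Joining keeps every matched rule searchable in a single field; a request that matched several rules produces a value such as `block,challenge`.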