abusix / xarf

XARF - eXtended Abuse Reporting Format
https://abusix.com/xarf/
MIT License

Using xarf with text files #18

Closed mcr0cx closed 3 years ago

mcr0cx commented 3 years ago

Hello,

Is there a guide on how to use this tool with AWS ELB logs to be converted into XARF format? The logs generated from ELB are in text format. Any help is appreciated.

best, -m

FrederikP commented 3 years ago

Hi, can I have some more information about your use case? What kind of abuse are you detecting from the AWS ELB logs? Did you find a matching xarf report type for that kind of abuse? If yes, then the actual logs would only be added to the report in the form of "Samples", and the other required parts of the report need to be filled according to their description (by parsing the logs for the important information beforehand). If no, maybe a new report type should be added to xarf.

Keep in mind, xarf is not meant for sending a huge amount of logs without any further preprocessing. It needs to be clear what kind of abuse happened and what the source is, without the need to read raw log files.

There is no specific guide for using xarf with ELB logs currently.

Cheers, Frederik

mcr0cx commented 3 years ago

Hi Frederik, thanks for responding. We are looking to use XARF for AWS Load Balancer logs where we suspect DDoS is happening. XARF format is what we are looking for as the output after using this tool. AWS Load Balancer logs are in text format, and trying to feed them into XARF is not working as it expects JSON format. Thus I wanted to understand if there is something we are missing here. We need XARF format to work effectively with our abuse team. Let me know if there are any details you can share. Thanks again!

FrederikP commented 3 years ago

XARF is a format specification that uses json schema (as you can find in this repo) to describe the format. We don't (currently) provide tooling that can create xarf reports from AWS ELB logs, so you'll need to write your own.

You can take a look at the ddos sample in the repo:

https://github.com/abusix/xarf/blob/master/samples/positive/1/ddos_sample.json

When you create the xarf report you can write the "raw" log lines into the "Samples" field, so that the recipient can review the evidence. But you also need to fill out other mandatory fields so that the receiving side doesn't have to go through finding out more details by themselves.

I don't really know what else to say other than: xarf is not a software but a report format. Generating the xarf report is something that will look very different depending on the scenario where you detect abuse (type of abuse, software involved, etc.).
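As an added illustration of what Frederik describes (this is not code from the xarf project): aggregate classic ELB access log lines per client, fill the report's mandatory fields from the parsed data, and keep only the suspect source's raw lines as evidence in "Samples". The log lines are constructed, the ELB column layout, the field names (Version, ReporterInfo, Report, ReportClass, SourceIp, Samples, ...) and the REQUIRED_REPORT_FIELDS list are assumptions modelled on the linked ddos_sample.json, and must be checked against the schema in the repo before a report is sent.

```python
import json
import shlex
from collections import Counter

# Constructed classic-ELB access log lines (not real traffic). Assumed layout: timestamp elb
# client:port backend:port 3x timings elb_status backend_status recv sent "request" "ua" cipher proto
ELB_LOG = """\
2021-03-01T10:00:00.000001Z my-elb 203.0.113.7:51234 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -
2021-03-01T10:00:00.000002Z my-elb 203.0.113.7:51235 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -
2021-03-01T10:00:00.000003Z my-elb 203.0.113.7:51236 10.0.0.1:80 0.000073 0.001048 0.000057 503 - 0 0 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -
2021-03-01T10:00:00.000004Z my-elb 198.51.100.9:40000 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 "GET http://www.example.com:80/index.html HTTP/1.1" "Mozilla/5.0" - -
"""

# Assumed field names modelled on the linked ddos_sample.json; verify against the schema in the repo.
REQUIRED_REPORT_FIELDS = ("ReportClass", "ReportType", "Date", "SourceIp", "Samples")

def parse_elb_line(line):
    """Split one classic-ELB access log line into the fields the report needs."""
    f = shlex.split(line)  # honours the quoted "request" and "user_agent" fields
    src_ip, src_port = f[2].rsplit(":", 1)
    return {"ts": f[0], "src_ip": src_ip, "src_port": int(src_port), "request": f[11]}

def top_source(lines):
    """Return (ip, request_count) for the client that sent the most requests."""
    counts = Counter(parse_elb_line(l)["src_ip"] for l in lines)
    return counts.most_common(1)[0]

def build_report(lines, reporter_org, reporter_email):
    """One report about the busiest source; only its raw lines go into Samples."""
    src_ip, n = top_source(lines)
    evidence = [l for l in lines if parse_elb_line(l)["src_ip"] == src_ip]
    return {
        "Version": "4",
        "ReporterInfo": {"ReporterOrg": reporter_org, "ReporterOrgEmail": reporter_email},
        "Report": {
            "ReportClass": "Activity",
            "ReportType": "DDoS",
            "Date": parse_elb_line(evidence[0])["ts"],
            "SourceIp": src_ip,
            "Description": f"{n} requests from {src_ip} in the attached ELB log sample",
            "Samples": [{"ContentType": "text/plain", "Base64": False, "Payload": "\n".join(evidence)}],
        },
    }

def missing_fields(report):
    """Mandatory Report fields that are absent or empty; an empty list means complete."""
    return [k for k in REQUIRED_REPORT_FIELDS if not report.get("Report", {}).get(k)]

if __name__ == "__main__":
    print(json.dumps(build_report(ELB_LOG.splitlines(), "Example Org", "abuse@example.org"), indent=2))
```

The point of `missing_fields` is the one Frederik makes above: a report whose recipient still has to read raw logs to learn the source and the kind of abuse is incomplete, so refuse to send until every mandatory field is filled from the parsed data.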