This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
Seems to cause parse failure when used for CloudFront logs.
Should be LINE_FORMAT_CLOUD_FRONT.
Steps to reproduce:
Using template for V 3.1.0
Deploy WAF stack for CloudFront
Attach WAF to CloudFront distribution
Send traffic to CloudFront
Check logs
See failure to parse line
https://github.com/awslabs/aws-waf-security-automations/blob/03caa391492f79169c8a45862f7171d196246ce1/source/log_parser/log-parser.py#L623
[ERROR] 2021-04-07T17:33:06.963Z b20333f9-9e22-477c-b424-6bfae451b0ca [get_outstanding_requesters] Error to process line: 2021-04-07 17:29:49 ORD51-C2 616 GET d3q7qbrsc505o0.cloudfront.net /index.html.php 403 - Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64;%20rv:87.0)%20Gecko/20100101%20Firefox/87.0 - - Error UAw6lE5FKgRBwe8idtg5JNkWOqTe_wWCtOkh5yvCiQrOFlnjiEdwHA== .cloudfront.net http 407 0.037 - - - Error HTTP/1.1 - - 64461 0.037 Error application/xml - - -
Version 3.1.0
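The failure mode reported above, as an added example that is not part of the original issue and is not the project's code: a log parser driven by a per-source field map rejects every CloudFront line when handed an ALB-style map, so no requester is ever counted. The field maps, function names and sample line are assumptions constructed for illustration; the indices follow the published CloudFront standard log and ALB access log layouts.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Hypothetical field maps (assumptions, not copied from log-parser.py). Indices
# follow the published CloudFront standard log and ALB access log layouts.
FORMAT_CLOUD_FRONT = {"delimiter": "\t", "date": 0, "time": 1,
                      "source_ip": 4, "code": 8}
FORMAT_ALB = {"delimiter": " ", "timestamp": 1, "source_ip": 3, "code": 8}

# Constructed CloudFront-style line: tab-separated, documentation-range client IP.
SAMPLE = "\t".join([
    "2021-04-07", "17:29:49", "ORD51-C2", "616", "203.0.113.10", "GET",
    "dexample.cloudfront.net", "/index.html.php", "403", "-",
    "Mozilla/5.0%20(Windows%20NT%2010.0)", "-", "-", "Error",
])


def parse_line(line, fmt):
    """Return (source_ip, minute, status); raise ValueError if line does not fit fmt."""
    fields = line.split(fmt["delimiter"])
    try:
        if "timestamp" in fmt:  # ALB: one ISO 8601 field, client is ip:port
            stamp = datetime.strptime(fields[fmt["timestamp"]][:19], "%Y-%m-%dT%H:%M:%S")
            ip = fields[fmt["source_ip"]].rsplit(":", 1)[0]
        else:  # CloudFront: separate date and time fields, bare client IP
            stamp = datetime.strptime(fields[fmt["date"]] + " " + fields[fmt["time"]],
                                      "%Y-%m-%d %H:%M:%S")
            ip = fields[fmt["source_ip"]]
        ipaddress.ip_address(ip)  # reject a column that is not an address
        return ip, stamp.strftime("%Y-%m-%d %H:%M"), int(fields[fmt["code"]])
    except (IndexError, ValueError) as exc:
        raise ValueError(f"line does not match format: {exc}") from exc


def count_requesters(lines, fmt):
    """Count requests per client IP and report how many lines failed to parse."""
    counts, errors = Counter(), 0
    for line in lines:
        try:
            ip, _minute, _code = parse_line(line, fmt)
            counts[ip] += 1
        except ValueError:
            errors += 1
    return dict(counts), errors
```

Returning the error count alongside the per-IP counts lets a caller alarm when most of a log file fails to parse, which is the signal that rate-based blocking has stopped seeing traffic.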