fefore / cloudfront_filter
Last active May 23, 2018
[LOGSTASH] Grok pattern for AWS Cloudfront logs
filter {
  # Only process events already tagged as CloudFront logs (cloudfront_version is set earlier in the pipeline)
  if [cloudfront_version] {
    # CloudFront access logs are tab-separated; normalise tabs to spaces so dissect can use one delimiter
    mutate {
      gsub => ["message", "\t", " "]
    }
    dissect {
      mapping => {
        "message" => "%{date} %{time} %{x_edge_location} %{sc_bytes} %{clientip} %{cs_method} %{cs_host} %{cs_uri_stem} %{sc_status} %{referrer} %{agent} %{cs_uri_query} %{cookies} %{x_edge_result_type} %{x_edge_request_id} %{x_host_header} %{cs_protocol} %{cs_bytes} %{time_taken} %{x_forwarded_for} %{ssl_protocol} %{ssl_cipher} %{x_edge_response_result_type} %{cs_protocol_version}"
      }
      # dissect extracts strings; convert numeric fields so they can be aggregated and range-queried
      convert_datatype => {
        sc_bytes => "int"
        sc_status => "int"
      }
    }
  }
}
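The same field mapping as the dissect pattern above, as an added stand-alone parser (example code, not part of the gist): it splits a raw tab-separated CloudFront record, converts the numeric fields, and percent-decodes the user agent and query string. The sample log line is constructed; the conversion of cs_bytes and time_taken goes beyond the two fields visible in the gist and is an assumption based on the CloudFront log format.

```python
from typing import Optional
import urllib.parse

# Field order copied from the gist's dissect mapping (24 columns of a CloudFront web distribution log)
CLOUDFRONT_FIELDS = [
    "date", "time", "x_edge_location", "sc_bytes", "clientip", "cs_method",
    "cs_host", "cs_uri_stem", "sc_status", "referrer", "agent", "cs_uri_query",
    "cookies", "x_edge_result_type", "x_edge_request_id", "x_host_header",
    "cs_protocol", "cs_bytes", "time_taken", "x_forwarded_for", "ssl_protocol",
    "ssl_cipher", "x_edge_response_result_type", "cs_protocol_version",
]

# sc_bytes and sc_status are converted in the gist; cs_bytes and time_taken are an added assumption
INT_FIELDS = {"sc_bytes", "sc_status", "cs_bytes"}
FLOAT_FIELDS = {"time_taken"}


def parse_cloudfront_line(line: str) -> Optional[dict]:
    """Parse one CloudFront access-log record into a dict with typed values.

    Records are tab-separated, so we split on tabs directly instead of first
    rewriting tabs to spaces as the gist does. Header lines (#Version, #Fields)
    return None so a caller can skip them.
    """
    if line.startswith("#") or not line.strip():
        return None
    values = line.rstrip("\n").split("\t")
    if len(values) != len(CLOUDFRONT_FIELDS):
        raise ValueError(f"expected {len(CLOUDFRONT_FIELDS)} fields, got {len(values)}")
    record = dict(zip(CLOUDFRONT_FIELDS, values))
    # CloudFront writes '-' for absent values; map it to None so int()/float() never trips on it
    for key in INT_FIELDS:
        record[key] = None if record[key] == "-" else int(record[key])
    for key in FLOAT_FIELDS:
        record[key] = None if record[key] == "-" else float(record[key])
    # The user agent and query string are percent-encoded in the log (which is why the
    # gist's space-delimited dissect still works); decode them for analysis
    for key in ("agent", "cs_uri_query"):
        if record[key] != "-":
            record[key] = urllib.parse.unquote(record[key])
    return record


# Constructed sample record (not taken from a real log); values are placeholders
SAMPLE_LINE = "\t".join([
    "2018-05-23", "12:00:01", "FRA2", "1024", "203.0.113.7", "GET",
    "d111111abcdef8.cloudfront.net", "/index.html", "200", "-",
    "Mozilla/5.0%20(X11;%20Linux%20x86_64)", "q=test", "-", "Hit",
    "EXAMPLE-REQUEST-ID", "www.example.com", "https", "512", "0.002", "-",
    "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "Hit", "HTTP/1.1",
])
```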