
I have a WAF log

{
    "terminatingRuleId": "Default_Action",
    "action": "ALLOW",
    "nonTerminatingMatchingRules": [{
        "ruleId": "AWS-AWSManagedRulesSQLiRuleSet",
        "action": "COUNT",
        "ruleMatchDetails": [{
            "conditionType": "SQL_INJECTION",
            "location": "BODY",
            "matchedData": ["{", "limit", ":100}"]
        }]
    }],
    "requestHeadersInserted": null,
    "responseCodeSent": null,
    "httpRequest": {
        "uri": "/v0.1/updates",
        "args": "",
        "httpVersion": "HTTP/1.1",
        "httpMethod": "POST"
    }
}

Now httpRequest_uri and httpRequest_httpMethod are set as labels, but we have not set nonTerminatingMatchingRules as a label. I am looking for a way to display the log line as

POST - /v0.1/updates
 -- ruleId | COUNT | contents of ruleMatchDetails

I have tried something like

{s3="aws-waf-logs", action="ALLOW"} 
  | json match="nonTerminatingMatchingRules"
  | line_format "{{ .httpRequest_uri }}"

It seems I can no longer reference httpRequest_uri, because I set match to the embedded JSON.


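An added example, not part of the question above, showing one way to get the requested line shape out of LogQL. It relies on two documented behaviours of Loki's json stage: the parameterless form (| json) flattens nested objects into labels joined with "_" but skips arrays, so nonTerminatingMatchingRules never becomes a label that way; and the parameterised form (| json label="expression", ...) extracts only the fields that are named, so a field such as httpRequest.uri that is wanted in line_format has to be listed in the same json stage, and an expression that points at an object or array yields that value as a JSON string. The stream selector is the one from the question; the label names (httpRequest_httpMethod, rule0_id, rule0_action, rule0_details) and the use of [0] for the first array element are this example's own assumptions.

```logql
{s3="aws-waf-logs", action="ALLOW"}
  | json httpRequest_httpMethod="httpRequest.httpMethod",
         httpRequest_uri="httpRequest.uri",
         rule0_id="nonTerminatingMatchingRules[0].ruleId",
         rule0_action="nonTerminatingMatchingRules[0].action",
         rule0_details="nonTerminatingMatchingRules[0].ruleMatchDetails"
  | line_format "{{ .httpRequest_httpMethod }} - {{ .httpRequest_uri }}\n -- {{ .rule0_id }} | {{ .rule0_action }} | {{ .rule0_details }}"
```

For the log shown in the question this renders as "POST - /v0.1/updates" followed by " -- AWS-AWSManagedRulesSQLiRuleSet | COUNT | [{...ruleMatchDetails as JSON...}]". It only surfaces the first element of nonTerminatingMatchingRules; a request that trips several COUNT-mode rules needs further [1], [2], ... expressions, so when reviewing WAF hits it is worth checking the raw line for additional array elements before concluding that only one rule matched.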