Parsing cloudfront access logs #14046
Hi, we are collecting CloudFront access logs via S3 bucket notifications to SQS. The collection part seems to be working fine. We want to do some extended parsing on the logs and transform/condition specific fields. This is easy with JSON-based logs, as Vector has JSON filters built in, but it seems rather complicated with CloudFront access logs, as they are in tab-separated values. Is there any prebuilt remap function to help parse default CloudFront logs into fields? We are using standard AWS CloudFront logs. Thanks.
Replies: 1 comment
Hi @dannygueta! I think the easiest way to parse CloudFront access logs is likely to be using a grok pattern with `parse_grok` in VRL. There looks to be an example grok pattern here: https://gist.github.com/mkleucker/35ba3a9a54cf976d4c9e2defb7288531
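
To show the record layout that any grok pattern or VRL program for these logs has to handle, here is an added example (not from the thread, the linked gist, or Vector): a Python parser that takes field names from the `#Fields:` header of a CloudFront standard log file, treats `-` as an empty value, URL-decodes the user agent, and sets aside lines whose column count does not match the header. The sample log, the shortened field list and the function name `parse_cloudfront` are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample, not real traffic. Header lines follow the CloudFront
# standard log layout, shortened here to nine fields. Records are
# tab-separated and "-" stands for "no value".
SAMPLE = (
    "#Version: 1.0\n"
    "#Fields: date time x-edge-location sc-bytes c-ip cs-method "
    "cs-uri-stem sc-status cs(User-Agent)\n"
    "2024-01-15\t10:02:11\tFRA56-P1\t512\t203.0.113.7\tGET\t/index.html"
    "\t200\tMozilla/5.0%20(X11;%20Linux%20x86_64)\n"
    "2024-01-15\t10:02:12\tFRA56-P1\t87\t203.0.113.9\tGET\t/admin\t403\t-\n"
    "2024-01-15\t10:02:13\tFRA56-P1\t87\n"  # truncated record
)

INT_FIELDS = {"sc-bytes", "sc-status"}   # numeric fields in this sample
ENCODED_FIELDS = {"cs(User-Agent)"}      # written URL-encoded in the log


def parse_cloudfront(text):
    """Return (events, rejected) for the lines of one log file.

    events   -- list of dicts keyed by the names in the #Fields header
    rejected -- list of (line_number, raw_line) that did not fit the header
    """
    names, events, rejected = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            # Header names are space-separated; the records are not.
            names = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue  # "#Version" and any other comment line
        values = line.split("\t")
        if not names or len(values) != len(names):
            rejected.append((lineno, line))  # keep for review, do not guess
            continue
        event = {}
        for name, value in zip(names, values):
            if value == "-":
                event[name] = None
            elif name in INT_FIELDS and value.isdigit():
                event[name] = int(value)
            elif name in ENCODED_FIELDS:
                event[name] = unquote(value)
            else:
                event[name] = value
        events.append(event)
    return events, rejected
```

Vector hands each log line to the transform as its own event, so a VRL or grok version cannot read the header first and has to hard-code the field order and drop the `#` lines itself.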