Fix CloudFront logs parsing where Content-Length is provided as "-" (#…

…1076) * Fix CloudFront logs parsing where Content-Length is provided as "-" The "sc-content-len" field in the CloudFront logs format provides the value of the "Content-Length" response header, as sent by the server. This header is not a required header and in cases where it is not provided, CloudFront instead provides the default value of "-" in the log files. That does however not parse with the CloudFront parser as it expects the field to always have a number in this column. This change fixes that by instead changing the column to be parsed via the "DATA" grok pattern instead of "NUMBER". An extra test line was added to check this case. * enhance: run index workflow manually because forked repo --------- Co-authored-by: Laurence <[email protected]>
crowdsecurity · Jul 11, 2024 · 438f04c · 438f04c
1 parent 58ce31d
commit 438f04c
Show file tree

Hide file tree

Showing 4 changed files with 116 additions and 9 deletions.
diff --git a/.index.json b/.index.json
@@ -6166,7 +6166,7 @@
   "crowdsecurity/aws-cloudfront": {
    "path": "parsers/s01-parse/crowdsecurity/aws-cloudfront.yaml",
    "stage": "s01-parse",
-   "version": "0.2",
+   "version": "0.3",
    "versions": {
     "0.1": {
      "digest": "795f0501182540325f30f3ca69ac7237653549989a65838d0c218fc03589ddcc",
@@ -6175,10 +6175,14 @@
     "0.2": {
      "digest": "62f22527304c1287f7c52b28b5fcbba9c4a7c18fdbf4299414c77b15f7bf5f8b",
      "deprecated": false
+    },
+    "0.3": {
+     "digest": "525b1d131081c2b35bc7ca97b9dfc4c2ebf2737f328ed91ae4c7882dc2c56705",
+     "deprecated": false
     }
    },
    "long_description": "IyBEZXNjcmlwdGlvbgpBIHBhcnNlciBmb3IgQVdTIENsb3VkRnJvbnQgYWNjZXNzIGxvZ3MuCgojIFVzYWdlCgpDbG91ZGZyb250IGRlbGl2ZXJzIGxvZ3MgdG8gUzMsIHNvIHlvdSBjYW4gdXNlIGNyb3dkc2VjIFtTMyBkYXRhc291cmNlXShodHRwczovL2RvY3MuY3Jvd2RzZWMubmV0L2RvY3MvbmV4dC9kYXRhX3NvdXJjZXMvczMvKSB0byByZWFkIHRoZSBsb2dzLgoKQW4gZXhhbXBsZSBvZiB0aGUgY29uZmlndXJhdGlvbiBpczoKCmBgYHlhbWwKc291cmNlOiBzMwpwb2xsaW5nX21ldGhvZDogc3FzCnNxc19uYW1lOiBteS1xdWV1ZQpzcXNfZm9ybWF0OiBzM25vdGlmaWNhdGlvbgphd3NfcmVnaW9uOiBldS13ZXN0LTEKdXNlX3RpbWVfbWFjaGluZTogdHJ1ZQpsYWJlbHM6CiAgdHlwZTogYXdzLWNsb3VkZnJvbnQKYGBgCgpCZWNhdXNlIENsb3VkRnJvbnQgd2lsbCBub3QgZGVsaXZlciB0aGUgbG9ncyBpbiByZWFsIHRpbWUsIHlvdSAqbXVzdCogc2V0IHRoZSBgdXNlX3RpbWVfbWFjaGluZWAgb3B0aW9uIHRvIGZvcmNlIGNyb3dkc2VjIHRvIHVzZSB0aGUgdGltZXN0YW1wIGluIHRoZSBsb2cgaXRzZWxmLCBvciB5b3UgYXJlIHZlcnkgbGlrZWx5IHRvIHJ1biBpbnRvIGZhbHNlIHBvc2l0aXZlcy4=",
-   "content": "b25zdWNjZXNzOiBuZXh0X3N0YWdlCmZpbHRlcjogImV2dC5MaW5lLkxhYmVscy50eXBlID09ICdhd3MtY2xvdWRmcm9udCciCm5hbWU6IGNyb3dkc2VjdXJpdHkvYXdzLWNsb3VkZnJvbnQKZGVzY3JpcHRpb246ICJQYXJzZSBBV1MgQ2xvdWRGcm9udCBhY2Nlc3MgbG9ncyIKZ3JvazoKICBwYXR0ZXJuOiAnJXtZRUFSOnllYXJ9LSV7TU9OVEhOVU0yOm1vbnRofS0le01PTlRIREFZOmRheX1ccysle1RJTUU6dGltZX1ccysle0RBVEE6eF9lZGdlX2xvY2F0aW9ufVxzKyV7TlVNQkVSOnNjX2J5dGVzfVxzKyV7SVA6Y19pcH1ccysle1dPUkQ6Y3NfbWV0aG9kfVxzKyV7SE9TVE5BTUU6Y3NfaG9zdH1ccysle0RBVEE6Y3NfdXJpX3N0ZW19XHMrJXtOVU1CRVI6c2Nfc3RhdHVzfVxzKyV7REFUQTpjc19yZWZlcmVyfVxzKyV7REFUQTpjc191c2VyX2FnZW50fVxzKyV7REFUQTpjc191cmlfcXVlcnl9XHMrJXtEQVRBOmNzX2Nvb2tpZX1ccysle1dPUkQ6eF9lZGdlX3Jlc3VsdF90eXBlfVxzKyV7REFUQTp4X2VkZ2VfcmVxdWVzdF9pZH1ccysle0hPU1ROQU1FOnhfaG9zdF9oZWFkZXJ9XHMrJXtXT1JEOmNzX3Byb3RvY29sfVxzKyV7TlVNQkVSOmNzX2J5dGVzfVxzKyV7TlVNQkVSOnRpbWVfdGFrZW59XHMrJXtEQVRBOnhfZm9yd2FyZGVkX2Zvcn1ccysle0RBVEE6c3NsX3Byb3RvY29sfVxzKyV7REFUQTpzc2xfY2lwaGVyfVxzKyV7V09SRDp4X2VkZ2VfcmVzcG9uc2VfcmVzdWx0X3R5cGV9XHMrJXtEQVRBOmNzX3Byb3RvY29sX3ZlcnNpb259XHMrJXtEQVRBOmZsZV9zdGF0dXN9XHMrJXtEQVRBOmZsZV9lbmNyeXB0ZWRfZmllbGRzfVxzKyV7TlVNQkVSOmNfcG9ydH1ccysle05VTUJFUjp0aW1lX3RvX2ZpcnN0X2J5dGV9XHMrJXtXT1JEOnhfZWRnZV9kZXRhaWxlZF9yZXN1bHRfdHlwZX1ccysle0RBVEE6c2NfY29udGVudF90eXBlfVxzKyV7TlVNQkVSOnNjX2NvbnRlbnRfbGVufVxzKyV7REFUQTpzY19yYW5nZV9zdGFydH1ccysle0RBVEE6c2NfcmFuZ2VfZW5kfScKICBhcHBseV9vbjogbWVzc2FnZQpzdGF0aWNzOgogICAgLSBtZXRhOiBzZXJ2aWNlCiAgICAgIHZhbHVlOiBodHRwCiAgICAtIG1ldGE6IGxvZ190eXBlCiAgICAgIHZhbHVlOiBodHRwX2FjY2Vzcy1sb2cKICAgIC0gdGFyZ2V0OiBldnQuU3RyVGltZQogICAgICBleHByZXNzaW9uOiAiZXZ0LlBhcnNlZC55ZWFyICsgJy0nICsgZXZ0LlBhcnNlZC5tb250aCArICctJyArIGV2dC5QYXJzZWQuZGF5ICsgJ1QnICsgZXZ0LlBhcnNlZC50aW1lICsgJ1onIgogICAgLSBtZXRhOiBzb3VyY2VfaXAKICAgICAgZXhwcmVzc2lvbjogImV2dC5QYXJzZWQuY19pcCIKICAgIC0gbWV0YTogaHR0cF9zdGF0dXMKICAgICAgZXhwcmVzc2lvbjogImV2dC5QYXJzZWQuc2Nfc3RhdHVzIgogICAgLSBtZXRhOiBodHRwX3BhdGgKICAgICAgZXhwcmVzc2lvbjogfAogICAgICAgIGV2dC5QYXJzZWQuY3NfdXJpX3F1ZXJ5ID09ICItIiA/IGV2dC5QYXJzZWQuY3NfdXJpX3N0ZW0gOiBldnQuUGFyc2VkLmNzX3VyaV9zdGVtICsgJz8nICsgZXZ0LlBhcnNlZC5jc191cmlfcXVlcnkKICAgIC0gbWV0YTogaHR0cF92ZXJiCiAgICAgIGV4cHJlc3Npb246ICJldnQuUGFyc2VkLmNzX21ldGhvZCIKICAgIC0gbWV0YTogaHR0cF91c2VyX2FnZW50CiAgICAgIGV4cHJlc3Npb246ICJldnQuUGFyc2VkLmNzX3VzZXJfYWdlbnQi",
+   "content": "b25zdWNjZXNzOiBuZXh0X3N0YWdlCmZpbHRlcjogImV2dC5MaW5lLkxhYmVscy50eXBlID09ICdhd3MtY2xvdWRmcm9udCciCm5hbWU6IGNyb3dkc2VjdXJpdHkvYXdzLWNsb3VkZnJvbnQKZGVzY3JpcHRpb246ICJQYXJzZSBBV1MgQ2xvdWRGcm9udCBhY2Nlc3MgbG9ncyIKZ3JvazoKICBwYXR0ZXJuOiAnJXtZRUFSOnllYXJ9LSV7TU9OVEhOVU0yOm1vbnRofS0le01PTlRIREFZOmRheX1ccysle1RJTUU6dGltZX1ccysle0RBVEE6eF9lZGdlX2xvY2F0aW9ufVxzKyV7TlVNQkVSOnNjX2J5dGVzfVxzKyV7SVA6Y19pcH1ccysle1dPUkQ6Y3NfbWV0aG9kfVxzKyV7SE9TVE5BTUU6Y3NfaG9zdH1ccysle0RBVEE6Y3NfdXJpX3N0ZW19XHMrJXtOVU1CRVI6c2Nfc3RhdHVzfVxzKyV7REFUQTpjc19yZWZlcmVyfVxzKyV7REFUQTpjc191c2VyX2FnZW50fVxzKyV7REFUQTpjc191cmlfcXVlcnl9XHMrJXtEQVRBOmNzX2Nvb2tpZX1ccysle1dPUkQ6eF9lZGdlX3Jlc3VsdF90eXBlfVxzKyV7REFUQTp4X2VkZ2VfcmVxdWVzdF9pZH1ccysle0hPU1ROQU1FOnhfaG9zdF9oZWFkZXJ9XHMrJXtXT1JEOmNzX3Byb3RvY29sfVxzKyV7TlVNQkVSOmNzX2J5dGVzfVxzKyV7TlVNQkVSOnRpbWVfdGFrZW59XHMrJXtEQVRBOnhfZm9yd2FyZGVkX2Zvcn1ccysle0RBVEE6c3NsX3Byb3RvY29sfVxzKyV7REFUQTpzc2xfY2lwaGVyfVxzKyV7V09SRDp4X2VkZ2VfcmVzcG9uc2VfcmVzdWx0X3R5cGV9XHMrJXtEQVRBOmNzX3Byb3RvY29sX3ZlcnNpb259XHMrJXtEQVRBOmZsZV9zdGF0dXN9XHMrJXtEQVRBOmZsZV9lbmNyeXB0ZWRfZmllbGRzfVxzKyV7TlVNQkVSOmNfcG9ydH1ccysle05VTUJFUjp0aW1lX3RvX2ZpcnN0X2J5dGV9XHMrJXtXT1JEOnhfZWRnZV9kZXRhaWxlZF9yZXN1bHRfdHlwZX1ccysle0RBVEE6c2NfY29udGVudF90eXBlfVxzKyV7REFUQTpzY19jb250ZW50X2xlbn1ccysle0RBVEE6c2NfcmFuZ2Vfc3RhcnR9XHMrJXtEQVRBOnNjX3JhbmdlX2VuZH0nCiAgYXBwbHlfb246IG1lc3NhZ2UKc3RhdGljczoKICAgIC0gbWV0YTogc2VydmljZQogICAgICB2YWx1ZTogaHR0cAogICAgLSBtZXRhOiBsb2dfdHlwZQogICAgICB2YWx1ZTogaHR0cF9hY2Nlc3MtbG9nCiAgICAtIHRhcmdldDogZXZ0LlN0clRpbWUKICAgICAgZXhwcmVzc2lvbjogImV2dC5QYXJzZWQueWVhciArICctJyArIGV2dC5QYXJzZWQubW9udGggKyAnLScgKyBldnQuUGFyc2VkLmRheSArICdUJyArIGV2dC5QYXJzZWQudGltZSArICdaJyIKICAgIC0gbWV0YTogc291cmNlX2lwCiAgICAgIGV4cHJlc3Npb246ICJldnQuUGFyc2VkLmNfaXAiCiAgICAtIG1ldGE6IGh0dHBfc3RhdHVzCiAgICAgIGV4cHJlc3Npb246ICJldnQuUGFyc2VkLnNjX3N0YXR1cyIKICAgIC0gbWV0YTogaHR0cF9wYXRoCiAgICAgIGV4cHJlc3Npb246IHwKICAgICAgICBldnQuUGFyc2VkLmNzX3VyaV9xdWVyeSA9PSAiLSIgPyBldnQuUGFyc2VkLmNzX3VyaV9zdGVtIDogZXZ0LlBhcnNlZC5jc191cmlfc3RlbSArICc/JyArIGV2dC5QYXJzZWQuY3NfdXJpX3F1ZXJ5CiAgICAtIG1ldGE6IGh0dHBfdmVyYgogICAgICBleHByZXNzaW9uOiAiZXZ0LlBhcnNlZC5jc19tZXRob2QiCiAgICAtIG1ldGE6IGh0dHBfdXNlcl9hZ2VudAogICAgICBleHByZXNzaW9uOiAiZXZ0LlBhcnNlZC5jc191c2VyX2FnZW50Ig==",
    "description": "Parse AWS CloudFront access logs",
    "author": "crowdsecurity",
    "labels": null

diff --git a/.tests/aws-cloudfront-logs/aws-cloudfront-logs.log b/.tests/aws-cloudfront-logs/aws-cloudfront-logs.log
@@ -1 +1,2 @@
-2024-03-12	15:22:28	CDG50-P2	703	1.2.3.4	GET	d6rcaj0q1hys9.cloudfront.net	/testseb	400	-	curl/7.81.0	query_param=42	-	Error	375WZmnR4hhhnlZKNn0D_LvkWhAqvWvBsUqySq8f_GOoAPP3k8R8fw==	hub-cdn.crowdsec.net	https	62	0.113	-	TLSv1.3	TLS_AES_128_GCM_SHA256	Error	HTTP/2.0	-	-	51754	0.113	Error	text/plain;%20charset=utf-8	20	-	-
+2024-03-12	15:22:28	CDG50-P2	703	1.2.3.4	GET	d6rcaj0q1hys9.cloudfront.net	/testseb	400	-	curl/7.81.0	query_param=42	-	Error	375WZmnR4hhhnlZKNn0D_LvkWhAqvWvBsUqySq8f_GOoAPP3k8R8fw==	hub-cdn.crowdsec.net	https	62	0.113	-	TLSv1.3	TLS_AES_128_GCM_SHA256	Error	HTTP/2.0	-	-	51754	0.113	Error	text/plain;%20charset=utf-8	20	-	-
+2024-03-12	15:22:28	CDG50-P2	703	1.2.3.4	GET	d6rcaj0q1hys9.cloudfront.net	/testseb	400	-	curl/7.81.0	query_param=42	-	Error	375WZmnR4hhhnlZKNn0D_LvkWhAqvWvBsUqySq8f_GOoAPP3k8R8fw==	hub-cdn.crowdsec.net	https	62	0.113	-	TLSv1.3	TLS_AES_128_GCM_SHA256	Error	HTTP/2.0	-	-	51754	0.113	Error	text/plain;%20charset=utf-8	-	-	-