WAF Regex Filter help
Hi All, Posted this in the Slack channel but no bites.
We are trying to filter out data from a WAF log to decrease the log size ingested. I created a parser in the existing WAF pipeline using the "Extract" Operation Mode but I can't seem to get it to function correctly. I was told by support the "Mask Function" would work best; they said: "Within that function you can specify the regex and replace it with ''."
Not sure how to go about that route. I'm essentially trying to drop data in the log using the following regex but, like I said, it doesn't seem to function when I test with a sample log. The regex is the following -> nContent-Security-Policy-Report-Only.*?DFCspReportFunction\+blob:.*
Comments
Can you share a couple of sample events (sanitized) with how the event comes in and how you would like it to go out?
Also a screenshot of your pipeline.
0
Hi Paul,
Sorry for the delay… Logs are sent to Cribl via Syslog and out in the same format. The logs are standard Akamai WAF logs; was there some specific data you are looking for? When I review the sample and apply the pipeline I see the complete log crossed out. Is the data below what you are looking to see?
0
That first event is crossed out more than likely because of your Sampling function. If you can share a snippet of what you are trying to remove via Mask from the "IN" side and not the "OUT" it would help either Paul or me write a regex to help remove that data.
Support is right. If you have a string/value in your event that you want to remove, Mask is a great way to do that. Hit me up on Cribl Slack if you want to as well. @Logan Carter
0
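The following is an added illustration, not code from the thread or from Cribl. It reproduces in plain Python what the answers above describe the Mask function doing (match a regex, replace the match with an empty string), runs the regex exactly as posted in the question against a constructed Akamai-style event, and shows two things worth checking before trusting such a rule in a pipeline: the leading "n" in the posted pattern only matches if the serialised headers really carry a literal backslash-n separator (it is assumed here that this is what the "n" stands for), and the trailing ".*" discards everything to the end of the event, not just the CSP header. A tighter, assumed alternative pattern that stops at the next header separator is included for comparison; whether later fields should survive depends on your own log layout. The sample event, field names and header values are all constructed.

```python
import re

# Regex exactly as posted in the question. The leading "n" is kept verbatim;
# it is assumed to be the "n" of a literal "\n" between serialised headers.
POSTED_REGEX = r"nContent-Security-Policy-Report-Only.*?DFCspReportFunction\+blob:.*"

# Assumed alternative: anchor on the literal backslash-n separator, require the
# header colon, and stop at the next backslash so later headers are kept.
TIGHTER_REGEX = r"\\nContent-Security-Policy-Report-Only:.*?DFCspReportFunction\+blob:[^\\]*"

# Constructed sample event (not a real log line): a single-line WAF event whose
# response headers are joined by a literal two-character "\n", as syslog
# forwarding of a multi-line header block often leaves them. Raw string, so
# "\n" below is backslash + n, not a newline.
SAMPLE_EVENT = (
    r"<134>1 2024-01-01T00:00:00Z waf akamai - - - "
    r"clientIP=203.0.113.10 status=200 "
    r"respHeaders=Server: nginx\nContent-Type: text/html\n"
    r"Content-Security-Policy-Report-Only: default-src https:; report-uri /csp "
    r"DFCspReportFunction+blob: report-sample-payload"
    r"\nX-Frame-Options: DENY"
)


def mask(event: str, pattern: str, replacement: str = "") -> str:
    """Replace every match of `pattern` in `event` with `replacement`.

    This mirrors what the thread says the Mask function does (regex plus a
    replacement string, here the empty string) so the effect can be checked
    offline before it is configured in a pipeline.
    """
    return re.sub(pattern, replacement, event)


def bytes_removed(event: str, pattern: str) -> int:
    """How many bytes a masking rule strips from one event; the question's
    goal is reducing ingested log size, so this is the number to compare."""
    return len(event.encode()) - len(mask(event, pattern).encode())


def check_rule(event: str, pattern: str) -> dict:
    """Summarise what a rule does to an event: did it match at all, what is
    left, how much was removed, and whether a field after the CSP header
    (X-Frame-Options in the constructed sample) survived."""
    out = mask(event, pattern)
    return {
        "matched": out != event,
        "removed_bytes": bytes_removed(event, pattern),
        "kept_later_header": "X-Frame-Options" in out,
        "dangling_backslash": out.endswith("\\"),
        "result": out,
    }


if __name__ == "__main__":
    for name, rule in (("posted", POSTED_REGEX), ("tighter", TIGHTER_REGEX)):
        summary = check_rule(SAMPLE_EVENT, rule)
        print(f"[{name}] matched={summary['matched']} "
              f"removed={summary['removed_bytes']}B "
              f"kept_later_header={summary['kept_later_header']} "
              f"dangling_backslash={summary['dangling_backslash']}")
        print("  ->", summary["result"])
```

Run it and compare the two summaries: the posted pattern matches, but it eats X-Frame-Options and every later field and leaves the separator's stray backslash behind; the tighter pattern removes only the CSP-Report-Only header and its payload. If the posted pattern does not match your own sample at all, the first thing to verify is whether the separator in the "IN" event really is a literal backslash-n rather than a real newline or a URL-encoded %0A.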