The waf log type is used to monitor web application firewall (WAF) logs. A WAF monitors and filters HTTP traffic flowing between a web application and the internet. It helps protect against common web attacks, such as cross-site scripting (XSS) and SQL injection (SQLi).

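    The following code snippet contains all the raw_field and ecs mappings for this log type. Several raw fields map to the same ecs field (for example, both cs-method and httpRequest.httpMethod map to waf.request.method, and cs-uri-query, httpRequest.uri, and httpRequest.args all map to waf.request.uri_query), so logs that use different raw field names are normalized to a single field name: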

    1. "mappings": [
    2. {
    3. "raw_field":"cs-method",
    4. "ecs":"waf.request.method"
    5. },
    6. {
    7. "raw_field":"httpRequest.httpMethod",
    8. "ecs":"waf.request.method"
    9. },
    10. {
    11. "raw_field":"cs-uri-query",
    12. "ecs":"waf.request.uri_query"
    13. },
    14. {
    15. "raw_field":"httpRequest.uri",
    16. "ecs":"waf.request.uri_query"
    17. },
    18. {
    19. "raw_field":"httpRequest.args",
    20. "ecs":"waf.request.uri_query"
    21. },
    22. {
    23. "raw_field":"cs-user-agent",
    24. "ecs":"waf.request.headers.user_agent"
    25. },
    26. {
    27. "raw_field":"httpRequest.headers",
    28. "ecs":"waf.request.headers"
    29. },
    30. {
    31. "raw_field":"sc-status",
    32. "ecs":"waf.response.code"
    33. },
    34. {
    35. "raw_field":"responseCodeSent",
    36. "ecs":"waf.response.code"
    37. },
    38. {
    39. "raw_field":"timestamp",
    40. "ecs":"timestamp"
    41. },
    42. {
    43. "raw_field":"httpRequest.headers.value",
    44. "ecs":"waf.request.headers.value"
    45. },
    46. {
    47. "raw_field":"httpRequest.headers.name",
    48. "ecs":"waf.request.headers.name"
    49. }
    50. ]