
Handle WAF organization logs

Open: adrien-goetz-wmx opened this issue 10 months ago • 1 comment

Hi (:

I have multiple AWS accounts that are in one organization. I activated WAF in each account and I centralized the WAF logs in the same bucket. We ingest them into OpenSearch, but we have a retention time of 5 days because of the size (> 500 GB/day).

I want to use your tool to grep some IPs in past logs, but the log type is not handled.

The log format is JSONL (each line of the file is valid JSON).

Thanks

adrien-goetz-wmx, Apr 02 '25 16:04

Hello - Whilst the JSON may not be parsed, you should still be able to search the logs as raw text. Do you receive an error when searching the logs?

chrisdoman, Apr 02 '25 17:04
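
An added example, not part of the thread and not cloudgrep's own code: a field-aware search over WAF JSONL lines for one IP or a CIDR range, with the raw-text fallback the maintainer describes for lines that do not parse. It assumes the standard AWS WAF log fields `httpRequest.clientIp`, `httpRequest.headers` and `action`; checking `X-Forwarded-For` goes beyond what the thread asks for, and the sample lines are constructed.

```python
import ipaddress
import json

# Constructed sample lines (not real traffic); the last one is deliberately truncated.
SAMPLE_LINES = [
    '{"timestamp":1743609600000,"action":"BLOCK","httpRequest":{"clientIp":"203.0.113.7","uri":"/login","headers":[{"name":"Host","value":"example.com"}]}}',
    '{"timestamp":1743609601000,"action":"ALLOW","httpRequest":{"clientIp":"198.51.100.20","uri":"/","headers":[{"name":"X-Forwarded-For","value":"203.0.113.99, 198.51.100.20"}]}}',
    '{"timestamp":1743609602000,"action":"ALLOW","httpRequest":{"clientIp":"192.0.2.55","uri":"/health","headers":[]}}',
    '{"timestamp":1743609603000,"action":"BLOCK","httpRequest":{"clientIp":"203.0.113.7","uri":"/adm',
]


def candidate_ips(record):
    """Yield the client IP and any X-Forwarded-For addresses from one WAF record."""
    req = (record.get("httpRequest") or {}) if isinstance(record, dict) else {}
    if req.get("clientIp"):
        yield req["clientIp"]
    for header in req.get("headers") or []:
        if str(header.get("name", "")).lower() == "x-forwarded-for":
            for part in str(header.get("value", "")).split(","):
                yield part.strip()


def search_waf_lines(lines, target):
    """Return (line_no, how, action) per hit; how is "parsed" or "raw"."""
    network = ipaddress.ip_network(target, strict=False)
    hits = []
    for line_no, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            # Raw-text fallback for truncated or corrupt lines (single address only).
            if network.num_addresses == 1 and f'"{network.network_address}"' in line:
                hits.append((line_no, "raw", None))
            continue
        for ip in candidate_ips(record):
            try:
                if ipaddress.ip_address(ip) in network:
                    hits.append((line_no, "parsed", record.get("action")))
                    break
            except ValueError:
                continue  # not an IP literal, e.g. "unknown"
    return hits
```

Matching on parsed fields avoids the false positives of substring search (for example `203.0.113.7` inside `203.0.113.70`), while the raw fallback keeps damaged lines from being silently skipped.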