AlienVault® USM Anywhere™

CloudFront RTMP, Distribution W3C

When you configure CloudFront RTMP to send log data to an S3 bucket and create a log collection job in USM Anywhere, you can use the CloudFront RTMP plugin to translate the raw log data into normalized events for analysis.

Device Details

Vendor: Amazon
Device type: Dynamic content storage and streaming
Connection type: S3
Vendor link: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#access-logs-choosing-s3-bucket

Integrating CloudFront RTMP

When you enable logging for a distribution, you specify the Amazon S3 bucket that you want CloudFront to use for file storage.

Plugin Enablement

Follow the procedure described in Creating a New AWS S3 Access Collection Job, choosing CloudFront RTMP for the plugin to monitor the S3 bucket.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • bytes_in
  • customfield_0 → cs-uri-stem*
  • customfield_1 → cs-uri-query*
  • customfield_2 → c-cf-status*
  • customfield_3 → x-cf-client-id*
  • event_name
  • request_referer
  • request_url
  • request_user_agent
  • source_address
  • timestamp_occurred

* customfield_0 and customfield_1 contain the actual values for cs-uri-stem and cs-uri-query; customfield_2 and customfield_3 contain the actual values for c-cf-status and x-cf-client-id.
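To show what the plugin's normalization amounts to in practice, the following added example (not the plugin's own code) parses a constructed CloudFront RTMP access log in its W3C layout and maps the columns onto the plugin field names listed above. The four customfield_N pairs are the ones this page states; mapping the remaining columns (c-ip, x-event, sc-bytes, c-referrer, x-page-url, c-user-agent, date/time) onto source_address, event_name, bytes_in, request_referer, request_url, request_user_agent and timestamp_occurred is an assumption made for the example, and the sample log values are made up.

```python
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample of a CloudFront RTMP distribution access log in the W3C
# style CloudFront writes: '#' directive lines, then tab-separated records.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: date time x-edge-location c-ip x-event sc-bytes x-cf-status "
    "x-cf-client-id cs-uri-stem cs-uri-query c-referrer x-page-url "
    "c-user-agent x-sname x-sname-query x-file-ext x-sid",
    "\t".join(["2020-01-05", "14:02:17", "LHR3", "192.0.2.44", "connect", "3318",
               "OK", "clientid001", "rtmp://d111.cloudfront.net/cfx/st", "k=v",
               "http://player.example.com/", "http://player.example.com/v.html",
               "Mozilla/5.0%20(X11)", "-", "-", "-", "-"]),
    "\t".join(["2020-01-05", "14:02:18", "LHR3", "192.0.2.44", "play", "4288",
               "OK", "clientid001", "rtmp://d111.cloudfront.net/cfx/st", "k=v",
               "http://player.example.com/", "http://player.example.com/v.html",
               "Mozilla/5.0%20(X11)", "myvideo", "p=2", "flv", "1"]),
])

# W3C column -> plugin field. The four customfield_N pairs are the ones the
# page states; the other pairs are assumptions made for this example.
FIELD_MAP = {
    "cs-uri-stem": "customfield_0", "cs-uri-query": "customfield_1",
    "x-cf-status": "customfield_2", "x-cf-client-id": "customfield_3",
    "c-ip": "source_address", "x-event": "event_name", "c-referrer": "request_referer",
    "x-page-url": "request_url", "c-user-agent": "request_user_agent",
}

def parse_rtmp_log(text):
    """Return one normalized event dict per record, driven by the #Fields header."""
    columns, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            columns = line.split(":", 1)[1].split()   # header defines the layout
            continue
        if not line.strip() or line.startswith("#"):
            continue                                  # blank or other directive
        if columns is None:
            raise ValueError("record seen before #Fields header")
        values = line.split("\t")
        if len(values) != len(columns):
            raise ValueError("column count mismatch: %r" % line)
        raw = dict(zip(columns, values))
        # '-' is CloudFront's placeholder for an absent value; others are URL-encoded.
        event = {field: None if raw[col] == "-" else unquote(raw[col])
                 for col, field in FIELD_MAP.items()}
        event["bytes_in"] = 0 if raw["sc-bytes"] == "-" else int(raw["sc-bytes"])
        stamp = datetime.fromisoformat(raw["date"] + " " + raw["time"])  # CloudFront logs in UTC
        event["timestamp_occurred"] = stamp.replace(tzinfo=timezone.utc).isoformat()
        events.append(event)
    return events
```

Because the parser reads the column order from the #Fields line rather than hard-coding positions, it keeps working if CloudFront appends new columns to the log format.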

Troubleshooting

For troubleshooting, refer to the vendor documentation:

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Troubleshooting.html