AlienVault® USM Anywhere™

CloudFront WEB

When you configure CloudFront WEB to send log data to an S3 bucket and create a log collection job in USM Anywhere, you can use the CloudFront WEB plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor Amazon
Device type Dynamic content storage and streaming
Connection type Amazon S3 (log collection job)
Vendor link http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#access-logs-choosing-s3-bucket

CloudFront WEB Integration

When you enable logging for a distribution in AWS, you specify the Amazon S3 bucket in which you want CloudFront WEB to store log files.

Plugin Enablement

To enable CloudFront WEB, perform the procedure Creating a New AWS S3 Access Collection Job and select CloudFront WEB as the plugin.

Available Plugin Fields

The following plugin fields are important attributes extracted from each CloudFront access log record. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application_protocol

  • bytes_in

  • bytes_out

  • customfield_2 → x-edge-request-id*

  • destination_address

  • duration

  • event_name

  • http_hostname

  • http_referer

  • request_coockies

  • request_http_version

  • request_method

  • request_referer

  • request_url

  • request_user_agent

  • response_code

  • response_content_type

  • source_address

  • timestamp_occurred

  • tls_cipher

  • tls_version

*customfield_2 holds the value of the CloudFront access log field x-edge-request-id, an opaque string that uniquely identifies a single request at the edge. Keep it when escalating a suspicious request, because it is the identifier AWS uses to locate that request in its own CloudFront data.
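The following added example is not USM Anywhere or AWS code; it shows what the plugin does conceptually by parsing a CloudFront standard access log (the tab-separated W3C-style file with #Version and #Fields headers that CloudFront writes to the S3 bucket, usually gzip-compressed) into records keyed by the plugin field names listed above. The column-to-field mapping in FIELD_MAP, the sample log lines (constructed with documentation IP ranges and a subset of the standard columns), the request IDs and the error-count check are all the editor's assumptions; the page does not state which log column feeds which field.

```python
import gzip
from datetime import datetime, timezone
from urllib.parse import unquote

# Assumed mapping from CloudFront standard access-log columns to the plugin
# field names listed on this page (editor's assumption, not vendor-confirmed).
FIELD_MAP = {
    "c-ip": "source_address",
    "cs-method": "request_method",
    "cs(Host)": "http_hostname",
    "cs-uri-stem": "request_url",
    "sc-status": "response_code",
    "cs(Referer)": "http_referer",
    "cs(User-Agent)": "request_user_agent",
    "cs(Cookie)": "request_coockies",   # field name as listed on this page
    "sc-bytes": "bytes_out",
    "cs-bytes": "bytes_in",
    "time-taken": "duration",
    "cs-protocol": "application_protocol",
    "cs-protocol-version": "request_http_version",
    "ssl-protocol": "tls_version",
    "ssl-cipher": "tls_cipher",
    "x-edge-request-id": "customfield_2",
    "sc-content-type": "response_content_type",
}

INT_FIELDS = ("bytes_in", "bytes_out", "response_code")


def load_log_object(data: bytes) -> str:
    """Return the text of an S3 log object, transparently gunzipping it.
    CloudFront delivers .gz objects; the gzip magic bytes are 1f 8b."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return data.decode("utf-8")


def parse_cloudfront_log(text: str) -> list:
    """Parse CloudFront access-log text into a list of dicts keyed by the
    plugin field names. Column order comes from the #Fields header, so the
    parser does not depend on a fixed column layout. '-' means absent."""
    columns = None
    events = []
    for raw in text.splitlines():
        line = raw.strip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            columns = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue                      # #Version or other header line
        if columns is None:
            raise ValueError("data line before #Fields header")
        values = line.split("\t")
        if len(values) != len(columns):
            raise ValueError("column count mismatch: %r" % line)
        row = dict(zip(columns, values))

        event = {}
        for col, field in FIELD_MAP.items():
            value = row.get(col, "-")
            # CloudFront URL-encodes log values; decode once for analysis.
            event[field] = None if value == "-" else unquote(value)
        for field in INT_FIELDS:
            if event[field] is not None:
                event[field] = int(event[field])
        if event["duration"] is not None:
            event["duration"] = float(event["duration"])
        # Re-attach the query string so request_url is the full request path.
        query = row.get("cs-uri-query", "-")
        if query != "-" and event["request_url"] is not None:
            event["request_url"] += "?" + unquote(query)
        # CloudFront timestamps are UTC, split over the date and time columns.
        stamp = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        event["timestamp_occurred"] = stamp.replace(tzinfo=timezone.utc).isoformat()
        events.append(event)
    return events


def sources_over_error_threshold(events: list, min_errors: int = 2) -> dict:
    """Simple detection over the normalized events: source addresses that
    produced at least min_errors responses with status 400 or above."""
    counts = {}
    for ev in events:
        if ev["response_code"] is not None and ev["response_code"] >= 400:
            counts[ev["source_address"]] = counts.get(ev["source_address"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= min_errors}


# Constructed sample log (a subset of the standard columns; real files carry
# more, which the #Fields-driven parser handles unchanged).
_COLUMNS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
            "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) "
            "x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes "
            "time-taken x-forwarded-for ssl-protocol ssl-cipher "
            "x-edge-response-result-type cs-protocol-version sc-content-type")
_ROWS = [
    ["2024-05-01", "12:00:01", "IAD89-C1", "1043", "203.0.113.10", "GET", "d111111abcdef8.cloudfront.net",
     "/index.html", "200", "-", "Mozilla/5.0", "-", "-", "Hit", "REQID-EXAMPLE-0001", "www.example.com",
     "https", "512", "0.002", "-", "TLSv1.3", "TLS_AES_128_GCM_SHA256", "Hit", "HTTP/2.0", "text/html"],
    ["2024-05-01", "12:00:02", "IAD89-C1", "301", "198.51.100.7", "GET", "d111111abcdef8.cloudfront.net",
     "/admin", "403", "-", "curl/8.0", "-", "-", "Error", "REQID-EXAMPLE-0002", "www.example.com",
     "https", "221", "0.001", "-", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "Error", "HTTP/1.1", "text/html"],
    ["2024-05-01", "12:00:03", "IAD89-C1", "288", "198.51.100.7", "GET", "d111111abcdef8.cloudfront.net",
     "/.env", "404", "-", "curl/8.0", "-", "-", "Error", "REQID-EXAMPLE-0003", "www.example.com",
     "https", "219", "0.001", "-", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "Error", "HTTP/1.1", "text/html"],
    ["2024-05-01", "12:00:04", "IAD89-C1", "2210", "203.0.113.10", "GET", "d111111abcdef8.cloudfront.net",
     "/search", "200", "https://www.example.com/", "Mozilla/5.0", "q=%3Cscript%3E", "-", "Miss",
     "REQID-EXAMPLE-0004", "www.example.com", "https", "640", "0.041", "-", "TLSv1.3",
     "TLS_AES_128_GCM_SHA256", "Miss", "HTTP/2.0", "text/html"],
]
SAMPLE_LOG = "\n".join(["#Version: 1.0", "#Fields: " + _COLUMNS] + ["\t".join(r) for r in _ROWS]) + "\n"
SAMPLE_LOG_GZ = gzip.compress(SAMPLE_LOG.encode("utf-8"))   # as CloudFront would deliver it

if __name__ == "__main__":
    evs = parse_cloudfront_log(load_log_object(SAMPLE_LOG_GZ))
    for ev in evs:
        print(ev["timestamp_occurred"], ev["source_address"], ev["request_method"],
              ev["request_url"], ev["response_code"], ev["customfield_2"])
    print("noisy sources:", sources_over_error_threshold(evs))
```

Decoding with unquote once matters: CloudFront percent-encodes characters such as spaces and angle brackets in cs-uri-stem and cs-uri-query, so a rule matching on a literal `<script>` would miss the fourth record unless the field is decoded before it is evaluated.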

Troubleshooting

For troubleshooting, refer to the vendor documentation:

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Troubleshooting.html