Fastly WAF events come in two flavors. The first is a 'waf' event, which means something in an incoming request triggered a rule. You will generally see one of these for every rule the request violated.
Fastly also sends a 'req' event, which carries information about the request as a whole. It is emitted as soon as the request completes.
The two entry types arrive at different times, and neither is enough on its own: a 'waf' entry tells you which rule fired but not what the request was, and a 'req' entry tells you what the request was but not why it was flagged. They have to be correlated to make sense of what triggered the WAF and to decide what should be done about it.
This Event Correlation Engine (ECE) is really just a syslog server. It receives the log streams from Fastly and holds the entries for each request in memory for a fixed period (the TTL), waiting for the rest of the entries for that request to arrive. Once the TTL expires, whatever has been collected for that request is passed on and its memory is released. Because entries are held only in memory, anything still waiting for its TTL when the process exits is lost.
The default TTL is 20 seconds.
Correlated logs are written to STDERR and can be redirected as desired.
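The correlation step described above, reduced to its core as an added example (this is illustrative code, not the project's own implementation). It assumes each syslog line carries a JSON payload with `type`, `request_id`, `rule_id` and `status` fields; those names and the sample lines are constructed for the example, since the real field layout is whatever log format the Fastly service is configured with. The clock is injected so the TTL behaviour can be exercised without waiting.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Event is one decoded entry from the WAF stream. The JSON field names are an
// assumption for this example; the real layout depends on the configured log format.
type Event struct {
	Type      string `json:"type"`              // "waf" (one rule hit) or "req" (request summary)
	RequestID string `json:"request_id"`        // key shared by every entry for one request
	RuleID    string `json:"rule_id,omitempty"` // waf entries only
	Status    int    `json:"status,omitempty"`  // req entries only
}

// Correlated is what the engine emits for one request once its TTL expires.
type Correlated struct {
	RequestID string
	Req       *Event  // nil if the req entry never arrived within the TTL
	WAF       []Event // one entry per rule that fired, in arrival order
}

// Correlator buckets entries by request ID and releases each bucket TTL after
// its first entry was seen. A server fed from several connections needs a mutex too.
type Correlator struct {
	ttl       time.Duration
	now       func() time.Time
	buckets   map[string]*Correlated
	firstSeen map[string]time.Time
}

func NewCorrelator(ttl time.Duration, now func() time.Time) *Correlator {
	return &Correlator{ttl: ttl, now: now, buckets: map[string]*Correlated{}, firstSeen: map[string]time.Time{}}
}

// parseLine extracts the JSON payload from a syslog line, skipping the header fields before it.
func parseLine(line string) (Event, error) {
	var ev Event
	i := strings.Index(line, "{")
	if i < 0 {
		return ev, fmt.Errorf("no JSON payload in line")
	}
	if err := json.Unmarshal([]byte(line[i:]), &ev); err != nil {
		return ev, err
	}
	if ev.RequestID == "" || (ev.Type != "waf" && ev.Type != "req") {
		return ev, fmt.Errorf("malformed entry: type=%q request_id=%q", ev.Type, ev.RequestID)
	}
	return ev, nil
}

// Ingest decodes one line and files it under its request ID.
func (c *Correlator) Ingest(line string) error {
	ev, err := parseLine(line)
	if err != nil {
		return err
	}
	b, ok := c.buckets[ev.RequestID]
	if !ok {
		b = &Correlated{RequestID: ev.RequestID}
		c.buckets[ev.RequestID] = b
		c.firstSeen[ev.RequestID] = c.now() // the TTL runs from the first entry seen
	}
	if ev.Type == "waf" {
		b.WAF = append(b.WAF, ev)
	} else {
		b.Req = &ev
	}
	return nil
}

// Flush returns every bucket whose TTL has elapsed and drops it from memory;
// a server would call it from a ticker and hand the result to its sink.
func (c *Correlator) Flush() []Correlated {
	var out []Correlated
	for id, t := range c.firstSeen {
		if c.now().Sub(t) >= c.ttl {
			out = append(out, *c.buckets[id])
			delete(c.buckets, id)
			delete(c.firstSeen, id)
		}
	}
	return out
}

func main() {
	clock := time.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC)
	c := NewCorrelator(20*time.Second, func() time.Time { return clock })
	// Constructed sample lines, not real Fastly output: a rule hit and its request summary.
	c.Ingest(`<134>1 2018-01-01T00:00:00Z cache-1 fastly - - - {"type":"waf","request_id":"r1","rule_id":"1001"}`)
	c.Ingest(`<134>1 2018-01-01T00:00:02Z cache-1 fastly - - - {"type":"req","request_id":"r1","status":403}`)
	clock = clock.Add(21 * time.Second) // simulate the TTL elapsing
	for _, cr := range c.Flush() {
		b, _ := json.Marshal(cr)
		fmt.Println(string(b)) // one correlated record per request
	}
}
```

Two behaviours worth checking against real traffic: a request whose 'req' entry never arrives still comes out after the TTL with `Req == nil`, so whatever consumes the output must tolerate a missing request summary; and a TTL shorter than the gap between a request's first 'waf' entry and its 'req' entry splits one request into two records, which is why the TTL is tunable.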
NOTE: This service is under development
go get github.com/scribd/fastly-waf-ece
You can get help at any time by running:
Run on a given address:
fastly-waf-ece -a 126.96.36.199:514
Run on a given address with a specific TTL:
fastly-waf-ece -a 188.8.131.52:514 -t 30
Run in debug mode (dumps every log entry seen to STDOUT)
fastly-waf-ece -a 184.108.40.206:514 -d
Copyright © 2018 Scribd Inc. <firstname.lastname@example.org>
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.