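{
  // Specify a time zone if the timestamps in your log are not in GMT.
  // timezone: "GMT-0800"

  // Static attributes stamped on every event this parser emits.
  attributes: {
    "dataSource.name": "Imperva WAF",
    "dataSource.vendor": "Imperva",
    "dataSource.category": "security", // a comma was missing here, which made the whole file unparseable
    "metadata.product.name": "Imperva WAF",
    "metadata.product.vendor_name": "Imperva"
  },

  // Named sub-patterns, referenced from `formats` as $field=pattern$.
  patterns: {
    tsPattern: "\\d+",      // epoch digits; seconds vs. milliseconds is decided by the parser, not here
    value: "[^\\s]+",       // one whitespace-free token
    toDrop: "^(?!CEF).*$"   // any line that does not start with "CEF"
  },

  formats: [
    // Discard every line that is not a CEF record. Discarded lines leave no trace,
    // so a feed that is mis-configured to send non-CEF output is silently lost here.
    {
      id: "drop",
      format: "$unwanted=toDrop$",
      discard: true
    },

    // CEF header: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|
    // NOTE(review): CEF permits an escaped pipe ("\|") inside header values; whether a capture
    // stops at an escaped pipe depends on the $field$ capture semantics — confirm with the parser.
    // NOTE(review): metadata.product is captured as a scalar here while metadata.product.name /
    // metadata.product.version are also set; confirm the event model allows a leaf and a prefix
    // under the same name.
    {
      format: "$unmapped.cef.version$\\|$metadata.vendor_name$\\|$metadata.product$\\|$metadata.product.version$\\|$unmapped.signature$\\|$event.type$\\|$severity$\\|"
    },

    // Event time from the CEF "start" extension.
    {
      format: ".*\\sstart=$timestamp=tsPattern$"
    },

    // User agent: everything between "requestClientApplication=" and " deviceFacility".
    {
      format: ".*requestClientApplication=$unmapped.requestClientApplication$\\sdeviceFacility"
    },

    // Custom strings cs1..cs8 with their labels, in the order Imperva emits them (cs2, cs3, cs1, cs4..cs8).
    // This is one pattern, so presumably it is all-or-nothing: a record missing any of these
    // extensions would leave all of them uncaptured (the generic key=value format below may
    // still pick them up individually) — confirm.
    {
      format: ".*\\scs2=$unmapped.cs2$\\scs2Label=$unmapped.cs2Label$\\scs3=$unmapped.cs3$\\scs3Label=$unmapped.cs3Label$\\scs1=$unmapped.cs1$\\scs1Label=$unmapped.cs1Label$\\scs4=$unmapped.cs4$\\scs4Label=$unmapped.cs4Label$\\scs5=$unmapped.cs5$\\scs5Label=$unmapped.cs5Label$\\scs6=$unmapped.cs6$\\scs6Label=$unmapped.cs6Label$\\scs7=$unmapped.cs7$\\scs7Label=$unmapped.cs7Label$\\scs8=$unmapped.cs8$\\scs8Label=$unmapped.cs8Label$\\sCustomer"
    },

    // cs10 and its label, terminated by the "cpt" extension.
    {
      format: ".*\\scs10=$unmapped.cs10$\\scs10Label=$unmapped.cs10Label$\\scpt"
    },

    // TLS version followed by the cipher token.
    {
      format: ".*\\sver=$unmapped.ver$\\s$unmapped.cipher$\\s"
    },

    // Generic fallback: every remaining key=value extension lands under unmapped.<key>.
    // `identifier` is not declared in `patterns` above, so it is presumably a built-in
    // pattern, and `_` presumably stands for the captured key name — confirm both.
    {
      format: ".*$_=identifier$=$unmapped._=value$",
      repeat: true
    }
  ],

  mappings: {
    version: 0,
    mappings: [
      {
        predicate: "", // empty predicate: applies to every event
        renames: [
          { inputs: ["unmapped.dst"], output: "dst_endpoint.ip", type: "string" },
          // NOTE(review): ports are kept as "string"; confirm whether the target schema expects a numeric type.
          { inputs: ["unmapped.dpt"], output: "dst_endpoint.port", type: "string" },
          { inputs: ["unmapped.src"], output: "src_endpoint.ip", type: "string" },
          { inputs: ["unmapped.spt"], output: "src_endpoint.port", type: "string" },
          // NOTE(review): this output name contains a space, unlike the dotted names above — confirm it is intended.
          { inputs: ["unmapped.Customer"], output: "Account Name", type: "string" }
        ]
      }
    ]
  }
}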