Parser Example

Parser Example: WAF Access Log (JSON Format)

Parser Example: WAF Access Log (JSON Format)

Input Log Sample

{"@timestamp":"2026-03-16T07:16:57.278Z","@version":"1","agent":{"ephemeral_id":"00000000-0000-0000-0000-000000000001","id":"00000000-0000-0000-0000-000000000002","name":"waf-node-01","type":"filebeat","version":"8.9.0"},"body_bytes_sent":"183891","ecs":{"version":"8.0.0"},"fields":{"env":"production","log_type":"waf_access_log_v2"},"headers":{},"host":{"name":"waf-node-01"},"host_header":"webapp.example.com","http_referer":"https://webapp.example.com/products/item-details.html","http_user_agent":"Mozilla/5.0 (iPad; CPU OS 26_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/145.0.7632.108 Mobile/15E148 Safari/604.1","http_x_forwarded_for":"-","input":{"type":"log"},"log":{"file":{"path":"/log/access.log"},"offset":1234567890},"message":"203.0.113.10 - - [16/Mar/2026:07:16:57 +0000] \"GET /api/employers?page=1 HTTP/1.1\" 200 183891 \"https://webapp.example.com/products/item-details.html\" \"Mozilla/5.0 (iPad; CPU OS 26_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/145.0.7632.108 Mobile/15E148 Safari/604.1\" \"-\" \"webapp.example.com\" sn=\"webapp.example.com\" rt=1.389 ua=\"198.51.100.100:443\" us=\"200\" ut=\"1.390\" ul=\"183913\" cs=- rid=abcdef1234567890abcdef1234567890","message_key":null,"raw_data":"203.0.113.10 - - [16/Mar/2026:07:16:57 +0000] \"GET /api/employers?page=1 HTTP/1.1\" 200 183891 \"https://webapp.example.com/products/item-details.html\" \"Mozilla/5.0 (iPad; CPU OS 26_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/145.0.7632.108 Mobile/15E148 Safari/604.1\" \"-\" \"webapp.example.com\" sn=\"webapp.example.com\" rt=1.389 ua=\"198.51.100.100:443\" us=\"200\" ut=\"1.390\" ul=\"183913\" cs=- rid=abcdef1234567890abcdef1234567890","remote_addr":"203.0.113.10","remote_user":"-","request":"GET /api/employers?page=1 
HTTP/1.1","request_id":"abcdef1234567890abcdef1234567890","request_time":"1.389","server_name":"webapp.example.com","status":"200","tags":["beats_input_codec_plain_applied"],"time_iso":"2026-03-16 07:16:57.278","timestamp":"2026-03-16T07:17:00.124Z","upstream_addr":"198.51.100.100:443","upstream_cache_status":"-","upstream_response_length":"183913","upstream_response_time":"1.390","upstream_status":"200"}

Parser Configuration

#regex


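#conditional
# Extracts the working variables consumed by the #normalize section from one
# WAF access-log event (Filebeat JSON, see the Input Log Sample). Every variable
# is initialised to "" first so that a missing input field leaves an empty value
# instead of an undefined variable.
# NOTE(review): the "# " lines in this section are written as VRL comments; this
# assumes the surrounding tool only treats the bare "#regex"/"#conditional"/
# "#normalize" lines as section markers — confirm.
event_timestamp = ""
src_ip = ""
http_method = ""
url_full = ""
url_path = ""
url_query = ""
http_protocol = ""
http_status = ""
response_bytes = ""
http_referer = ""
user_agent = ""
server_hostname = ""
host_header = ""
request_duration = ""
request_id = ""
upstream_server = ""
upstream_status = ""
upstream_duration = ""
upstream_bytes = ""
log_env = ""
log_type = ""
agent_name = ""
agent_type = ""
agent_version = ""
log_file_path = ""

# NOTE(review): in the sample, .timestamp (07:17:00.124Z) is about 3 s later than
# @timestamp, time_iso and the bracketed time inside .message (07:16:57). If
# .timestamp is the ingest/processing time rather than the request time, confirm it
# is the intended event time, since later timeline correlation relies on it.
event_timestamp = .timestamp
# Directly connected peer. http_x_forwarded_for exists in the input ("-" in the
# sample) but is not mapped here; it is client-supplied, so it should only be
# preferred over remote_addr when the event comes through a trusted proxy.
src_ip = .remote_addr

# Request line "<method> <url> <protocol>" split on single spaces. Tokens are
# taken by position, so a request line that does not contain exactly three tokens
# (for example a URL with a literal space in it) shifts url_full/http_protocol;
# an index past the end of request_parts yields null rather than an error.
request_parts = split!(.request, " ")
http_method = request_parts[0]
url_full = request_parts[1]
http_protocol = request_parts[2]

# Split path from query on the first "?" only (limit: 2), so a query string that
# itself contains a "?" is kept whole instead of being cut at the second "?".
if (contains(to_string(url_full), "?")) {
  url_parts = split(to_string(url_full), "?", limit: 2)
  url_path = url_parts[0]
  url_query = url_parts[1]
} else {
  url_path = url_full
  url_query = ""
}

# Pass-through fields. status, body_bytes_sent, request_time, upstream_status,
# upstream_response_time and upstream_response_length are strings in the input
# sample and are copied without type conversion.
http_status = .status
response_bytes = .body_bytes_sent
http_referer = .http_referer
user_agent = .http_user_agent
host_header = .host_header
server_hostname = .server_name
request_duration = .request_time
request_id = .request_id
upstream_server = .upstream_addr
upstream_status = .upstream_status
upstream_duration = .upstream_response_time
upstream_bytes = .upstream_response_length
# Filebeat/ECS metadata carried alongside the access-log line.
log_env = .fields.env
log_type = .fields.log_type
agent_name = .agent.name
agent_type = .agent.type
agent_version = .agent.version
log_file_path = .log.file.path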

#normalize
timestamp: format_timestamp!(parse_timestamp!(event_timestamp, "%Y-%m-%dT%H:%M:%S.%3fZ"), "%Y-%m-%d %H:%M:%S")
source.ip: src_ip
http.request.method: http_method
url.full: url_full
url.path: url_path
url.query: url_query
http.version: http_protocol
http.response.status_code: http_status
destination.bytes: response_bytes
http.request.referrer: http_referer
user_agent.original: user_agent
url.domain: host_header
host.name: server_hostname
event.duration: request_duration
http.request.id: request_id
server.address: upstream_server
labels: {"env": log_env, "log_type": log_type, "upstream_status": upstream_status, "upstream_duration": upstream_duration, "upstream_bytes": upstream_bytes}
agent.name: agent_name
agent.type: agent_type
agent.version: agent_version
log.file.path: log_file_path

Output (ECS Format)

{
  "timestamp": "2026-03-16 07:17:00",
  "source.ip": "203.0.113.10",
  "http.request.method": "GET",
  "url.full": "/api/employers?page=1",
  "url.path": "/api/employers",
  "url.query": "page=1",
  "http.version": "HTTP/1.1",
  "http.response.status_code": "200",
  "destination.bytes": "183891",
  "http.request.referrer": "https://webapp.example.com/products/item-details.html",
  "user_agent.original": "Mozilla/5.0 (iPad; CPU OS 26_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/145.0.7632.108 Mobile/15E148 Safari/604.1",
  "url.domain": "webapp.example.com",
  "host.name": "webapp.example.com",
  "event.duration": "1.389",
  "http.request.id": "abcdef1234567890abcdef1234567890",
  "server.address": "198.51.100.100:443",
  "labels": {
    "env": "production",
    "log_type": "waf_access_log_v2",
    "upstream_status": "200",
    "upstream_duration": "1.390",
    "upstream_bytes": "183913"
  },
  "agent.name": "waf-node-01",
  "agent.type": "filebeat",
  "agent.version": "8.9.0",
  "log.file.path": "/log/access.log"
}