Collect Amazon CloudFront logs

Supported in:

This document describes how you can collect Amazon CloudFront logs by setting up a Google Security Operations feed.

For more information, see Data ingestion to Google Security Operations overview.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the AWS_CLOUDFRONT ingestion label.

Before you begin

Ensure that the Amazon S3 bucket is created. For more information, see Create your first S3 bucket.

Configure Amazon CloudFront

  1. Sign in to the AWS Management console.
  2. Access the Amazon S3 console, and create the Amazon S3 bucket.
  3. To enable logging, select On.
  4. In the Bucket for logs field, specify the Amazon S3 bucket name.
  5. In the Log prefix field, specify an optional prefix.
  6. After the logs files are stored in the Amazon S3 bucket, create an SQS queue and attach it with the Amazon S3 bucket.

Identify the endpoints for connectivity

Check the required IAM user and KMS key policies for S3, SQS, and KMS.

Based on the service and region, identify the endpoints for connectivity by referring to the following AWS documentation:

Configure a feed in Google Security Operations to ingest the Amazon CloudFront logs

  1. Select SIEM Settings > Feeds.
  2. Click Add new.
  3. Enter a unique name for the Feed name.
  4. Select Amazon S3 or Amazon SQS as the Source type.
  5. Select AWS CloudFront as the Log type.
  6. Click Next.
  7. Google Security Operations supports log collection using access key ID and secret method. To create access key ID and secret, see Configure tool authentication with AWS.
  8. Based on the Amazon CloudFront configuration that you created, specify values for the following fields.
    • If you use Amazon S3, specify values for the following fields:
      • Region
      • S3 URI
      • URI is a
      • Source deletion option
    • If you use Amazon SQS, specify values for the following fields:
      • Region
      • Queue name
      • Account number
      • Queue access key ID
      • Queue secret access key
      • Source deletion option
  9. Click Next and then click Submit.

To send the Amazon CloudFront logs to the Amazon S3 bucket, see Configure and use standard logs (access logs).

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type. If you encounter issues when you create feeds, contact Google Security Operations support.

Field mapping reference

This parser extracts fields from AWS CloudFront logs in either SYSLOG or JSON format, normalizing them into the UDM. It uses grok patterns to parse message strings, handles various data transformations (e.g., type conversions, renaming), and enriches the data with additional context like user agent parsing and application protocol identification.

UDM mapping table

Log Field UDM Mapping Logic
c-ip principal.ip Directly mapped. Also mapped to principal.asset.ip.
c-port principal.port Directly mapped.
cs(Cookie) additional.fields[].key: "cookie"
additional.fields[].value.string_value: Directly mapped.
Conditionally mapped if cs(Cookie) is present and agent does not contain "://".
cs(Host) principal.hostname Directly mapped. Also mapped to principal.asset.hostname. Used in constructing the target.url if other URL fields are not available.
cs(Referer) network.http.referral_url Directly mapped.
cs(User-Agent) network.http.user_agent Directly mapped. Also mapped to network.http.parsed_user_agent and parsed into its components if it does not contain "://".
cs-bytes network.sent_bytes Directly mapped. Converted to unsigned integer.
cs-method network.http.method Directly mapped.
cs-protocol network.application_protocol Mapped after converting to uppercase. If the value is not recognized as a standard application protocol and cs-protocol-version contains "HTTP", then network.application_protocol is set to "HTTP".
dport target.port Directly mapped. Converted to integer.
edge_location principal.location.name Directly mapped.
fle-encrypted-fields additional.fields[].key: "fle-encrypted-fields"
additional.fields[].value.string_value: Directly mapped.
Conditionally mapped if present.
fle-status additional.fields[].key: "fle-status"
additional.fields[].value.string_value: Directly mapped.
Conditionally mapped if present.
host principal.hostname, principal.asset.hostname Directly mapped.
id principal.asset_id Directly mapped with the prefix "id: ".
ip target.ip, target.asset.ip Directly mapped.
log_id metadata.product_log_id Directly mapped.
resource additional.fields[].key: "resource"
additional.fields[].value.string_value: Directly mapped.
Conditionally mapped if present.
result_type additional.fields[].key: "result_type"
additional.fields[].value.string_value: Directly mapped.
Conditionally mapped if present.
sc-bytes network.received_bytes Directly mapped. Converted to unsigned integer.
sc-content-len additional.fields[].key: "sc-content-len"
additional.fields[].value.string_value: Directly mapped.
Conditionally mapped if present.
sc-content-type additional.fields[].key: "sc-content-type"
additional.fields[].value.string_value: Directly mapped.
Conditionally mapped if present.
sc-status network.http.response_code Directly mapped. Converted to integer.
ssl-cipher network.tls.cipher Directly mapped.
ssl-protocol network.tls.version Directly mapped.
timestamp metadata.event_timestamp Parsed and mapped if available. Different formats are supported.
ts metadata.event_timestamp Parsed and mapped if available. ISO8601 format is expected.
url target.url Directly mapped.
url_back_to_product metadata.url_back_to_product Directly mapped.
x-edge-detailed-result-type additional.fields[].key: "x-edge-detailed-result-type"
additional.fields[].value.string_value: Directly mapped.
Conditionally mapped if present.
x-edge-location additional.fields[].key: "x-edge-location"
additional.fields[].value.string_value: Directly mapped.
Conditionally mapped if present.
x-edge-request-id additional.fields[].key: "x-edge-request-id"
additional.fields[].value.string_value: Directly mapped.
Conditionally mapped if present.
x-edge-response-result-type additional.fields[].key: "x-edge-response-result-type"
additional.fields[].value.string_value: Directly mapped.
Conditionally mapped if present.
x-edge-result-type additional.fields[].key: "x-edge-result-type"
additional.fields[].value.string_value: Directly mapped.
Conditionally mapped if present.
x-forwarded-for target.ip, target.asset.ip Directly mapped. If multiple IPs are present (comma-separated), they are split and merged into the respective UDM fields.
x-host-header target.hostname, target.asset.hostname Directly mapped. Set to "NETWORK_HTTP" if either ip or x-forwarded-for and http_verb are present. Otherwise, set to "GENERIC_EVENT". Hardcoded to "AWS_CLOUDFRONT". Hardcoded to "AWS CloudFront". Hardcoded to "AMAZON". The ingestion time of the log entry into Google Security Operations.