Collect Fastly CDN logs
Supported in:
This document explains how to ingest Fastly CDN logs to Google Security Operations using Amazon S3.
Fastly is a content delivery network (CDN) and edge cloud platform that provides real-time content delivery, security, and edge computing services. Fastly's Real-Time Log Streaming feature can send CDN access logs, WAF events, and other telemetry data to various destinations including Amazon S3 for security monitoring and analysis.
Before you begin
Make sure that you have the following prerequisites:
- A Google SecOps instance
- Privileged access to Fastlycontrol panel or API
- Privileged access to AWS(S3, IAM)
- A Fastly API token with
globalorglobal:readscope
Create Fastly API token
- Sign in to the Fastly control panelat https://manage.fastly.com.
- Click your user iconin the upper-right corner.
- Go to Account > Personal API tokens.
- Click Create Token.
- In the Create API Tokendialog, provide the following:
- Name: Enter a descriptive name (for example,
Google SecOps S3 Logging Configuration). - Type: Select User token.
- Scope: Select Global access(required to configure logging endpoints).
- Expiration: Select Never expireor set an appropriate expiration date.
- Name: Enter a descriptive name (for example,
- Click Create Token.
- Copy and save the API token securely.
Configure AWS S3 bucket and IAM for Google SecOps
- Create Amazon S3 bucketfollowing this user guide: Creating a bucket .
- Save bucket Nameand Regionfor future reference (for example,
fastly-cdn-logs). - Create a Userfollowing this user guide: Creating an IAM user .
- Select the created User.
- Select Security credentialstab.
- Click Create Access Keyin section Access Keys.
- Select Third-party serviceas Use case.
- Click Next.
- Optional: Add description tag.
- Click Create access key.
- Click Download .csv fileto save the Access Keyand Secret Access Keyfor future reference.
- Click Done.
- Select the Permissionstab.
- Click Add permissionsin section Permissions policies.
- Select Add permissions.
- Select Attach policies directly.
- Search for AmazonS3FullAccesspolicy.
- Select the policy.
- Click Next.
- Click Add permissions.
Configure Fastly S3 logging endpoint
Option A: Configure via Fastly control panel
- Sign in to the Fastly control panelat https://manage.fastly.com
- Select the serviceyou want to configure logging for.
- Click Edit configurationand select Clone active versionto create a new draft version.
- Click Loggingin the left navigation menu.
- In the Amazon Web Services S3section, click Create endpoint.
-
In the Create an Amazon S3 endpointform, provide the following configuration details:
-
Basic settings:
- Name: Enter a descriptive name (for example,
secops-s3-logs). - Placement: Select Format Version Default(recommended).
-
Log format: Enter the following JSON format string:
{"timestamp":"%{begin:%Y-%m-%dT%H:%M:%S%z}t","client_ip":"%{req.http.Fastly-Client-IP}V","geo_country":"%{client.geo.country_name}V","geo_city":"%{client.geo.city}V","geo_region":"%{client.geo.region}V","datacenter":"%{server.datacenter}V","host":"%{if(req.http.Fastly-Orig-Host, req.http.Fastly-Orig-Host, req.http.Host)}V","url":"%{json.escape(req.url)}V","request_method":"%{json.escape(req.method)}V","request_protocol":"%{json.escape(req.proto)}V","request_referer":"%{json.escape(req.http.referer)}V","request_user_agent":"%{json.escape(req.http.User-Agent)}V","response_state":"%{json.escape(fastly_info.state)}V","response_status":%{resp.status}V,"response_reason":%{if(resp.response, "\"%22\"+json.escape(resp.response)+\"%22\", \"null\")}V,"response_body_size":%{resp.body_bytes_written}V,"response_header_size":%{resp.header_bytes_written}V,"request_body_size":%{req.body_bytes_read}V,"request_header_size":%{req.header_bytes_read}V,"cache_status":"%{fastly_info.state}V","is_tls":"%{if(req.is_ssl, \"true\", \"false\")}V","tls_protocol":"%{cstr_escape(tls.client.protocol)}V","tls_cipher":"%{cstr_escape(tls.client.cipher)}V","server_identity":"%{json.escape(server.identity)}V","is_edge":%{if(fastly.ff.visits_this_service == 0, "true", "false")}V,"time_elapsed_usec":%{time.elapsed.usec}V,"time_start_sec":%{time.start.sec}V}
- Timestamp format: Leave as default (strftime compatible string).
- Name: Enter a descriptive name (for example,
S3 bucket configuration:
- Bucket name: Enter the S3 bucket name (for example,
fastly-cdn-logs). - Domain: Leave empty if your bucket is in US Standard region. For other regions, enter the appropriate S3 endpoint (for example,
s3-us-west-2.amazonaws.comfor us-west-2 region). - Access method: Select User Credentials
- Access key: Enter the AWS access key from step 11.
- Secret key: Enter the AWS secret access key from step 11.
- Period: Enter
3600(logs are finalized every hour).
-
-
Click Advanced optionsto expand additional settings:
Advanced settings:
- Path: Enter
fastly-cdn/(optional prefix for organizing logs within the bucket). - PGP public key: Leave empty (encryption not required for this integration).
- Select a log line format: Select Blank(we're using custom JSON format).
- Compression: Select gzip(recommended to reduce storage costs).
- Redundancy level: Select Standard.
- ACL: Select private(recommended).
- Server side encryption: Select None(or configure as per your security requirements).
- Maximum bytes: Enter
0(no maximum file size limit).
- Path: Enter
-
Click Createto create the logging endpoint.
-
Click Activatein the top-right corner.
-
Select Activate on Productionto deploy your configuration changes.
-
In the confirmation dialog, click Activateto confirm.
Option B: Configure via Fastly API
If you prefer to configure logging via API, use the following approach:
-
Get your Fastly service ID from the control panel or by listing services:
curl -H "Fastly-Key: YOUR_FASTLY_TOKEN" https://api.fastly.com/service -
Clone the active version to create a new draft version:
curl -X PUT -H "Fastly-Key: YOUR_FASTLY_TOKEN" \ "https://api.fastly.com/service/SERVICE_ID/version/ACTIVE_VERSION/clone" -
Create the S3 logging endpoint on the new draft version:
curl -X POST -H "Fastly-Key: YOUR_FASTLY_TOKEN" \ -H "Content-Type: application/x-www-form-urlencoded" \ "https://api.fastly.com/service/SERVICE_ID/version/NEW_VERSION/logging/s3" \ --data-urlencode 'name=secops-s3-logs' \ --data-urlencode 'bucket_name=fastly-cdn-logs' \ --data-urlencode 'access_key=YOUR_AWS_ACCESS_KEY' \ --data-urlencode 'secret_key=YOUR_AWS_SECRET_KEY' \ --data-urlencode 'path=fastly-cdn/' \ --data-urlencode 'period=3600' \ --data-urlencode 'gzip_level=9' \ --data-urlencode 'format_version=2' \ --data-urlencode 'format={"timestamp":"%{begin:%Y-%m-%dT%H:%M:%S%z}t","client_ip":"%{req.http.Fastly-Client-IP}V","geo_country":"%{client.geo.country_name}V","geo_city":"%{client.geo.city}V","host":"%{if(req.http.Fastly-Orig-Host, req.http.Fastly-Orig-Host, req.http.Host)}V","url":"%{json.escape(req.url)}V","request_method":"%{json.escape(req.method)}V","response_status":%{resp.status}V,"cache_status":"%{fastly_info.state}V"}' -
Activate the new version:
curl -X PUT -H "Fastly-Key: YOUR_FASTLY_TOKEN" \ "https://api.fastly.com/service/SERVICE_ID/version/NEW_VERSION/activate"
Verify log delivery to S3
- Wait approximately 1 hour (based on the configured period) for the first log file to be finalized.
- In the AWS Console, go to S3 > Buckets.
- Click your bucket name (for example,
fastly-cdn-logs). - Navigate to the
fastly-cdn/prefix folder. -
Verify that log files are being created with naming pattern similar to:
fastly-cdn/YYYY-MM-DD-HH-MM-SS-RANDOM_STRING.log.gz -
Download a sample log file and verify the JSON format matches your configuration.
Configure a feed in Google SecOps to ingest Fastly CDN logs
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- Enter a unique name for the Feed name.
- Select Amazon S3 V2as the Source type.
- Select Fastly CDNas the Log type.
- Click Nextand then click Submit.
-
Specify values for the following fields:
- S3 URI:
s3://fastly-cdn-logs/fastly-cdn/. - Source deletion option: Select the deletion option according to your preference.
- Maximum File Age: Include files modified in the last number of days (default is 180 days).
- Access Key ID: User access key with access to the S3 bucket.
- Secret Access Key: User secret key with access to the S3 bucket.
- Asset namespace: The asset namespace .
- Ingestion labels: The label to be applied to the events from this feed.
- S3 URI:
-
Click Nextand then click Submit.
UDM mapping table
| Log field | UDM mapping | Logic |
|---|---|---|
|
request_protocol, response_state, response_reason, response_body_size, fastly_server, fastly_is_edge
|
additional.fields | Merged with labels created from each field if not empty |
| |
metadata.event_type | Set to "GENERIC_EVENT", then to "STATUS_UPDATE" if principal_mid_present is true |
|
request_method
|
network.http.method | Value copied directly |
|
request_user_agent
|
network.http.parsed_user_agent | Converted to parseduseragent then renamed |
|
request_referer
|
network.http.referral_url | Value copied directly |
|
response_status
|
network.http.response_code | Converted to string then to integer |
|
request_user_agent
|
network.http.user_agent | Value copied directly |
|
host
|
principal.asset.hostname | Value copied directly |
|
client_ip
|
principal.asset.ip | Value copied directly (after grok validation as IP) |
|
host
|
principal.hostname | Value copied directly |
|
client_ip
|
principal.ip | Value copied directly (after grok validation as IP) |
|
geo_city
|
principal.location.city | Value copied directly |
|
geo_country
|
principal.location.country_or_region | Value copied directly |
|
security_result
|
security_result | Value copied directly |
|
url
|
target.url | Value copied directly |
| |
metadata.product_name | Set to "FASTLY_CDN" |
| |
metadata.vendor_name | Set to "FASTLY_CDN" |
Need more help? Get answers from Community members and Google SecOps professionals.
