Document toolboxDocument toolbox

web.aws

Owned by Borja Moro Moreno, created
Last updated: May 30, 2024 by Juan Tomás Alonso Nieto (Deactivated)
1 min read
[ 1 Introduction ] [ 2 Valid tags and data tables  ] [ 3 Table structure ]

Introduction

The tags beginning with web.aws identify events generated by Amazon Web Services belonging to Amazon.

Valid tags and data tables 

The full tag must have at least 4 levels. The first two are fixed as web.aws. The third level identifies the type of events sent and the rest of them indicate the event subtypes.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

Product / Service

Tags

Data tables

Amazon Web Services

web.aws.alb.access.eu-west-1.pro-frontend-elb

web.aws.alb.access

web.aws.alb.access

web.aws.alb.connection.a.b

web.aws.alb.connection

web.aws.cloudfront.access-w3c.eu-west-1.E3GOZ2B85X1Z7B

web.aws.cloudfront.accessW3c

web.aws.elb.access.eu-west-1.pro-frontend-elb

web.aws.elb.access

web.aws.elb.access.Application.133940059995.Application

web.aws.elb.access.eu-west-1.pro-frontend-elb.Classic

web.aws.elb.access.Network.133940059995.Network

web.aws.s3.access.eu-west-1.pro-frontend-elb

web.aws.s3.access

For more information, read more About Devo tags.

Table structure

These are the fields displayed in these tables:

web.aws.alb.access

Field

Type

Source field name

Extra fields

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

 

region

str

vregion

 

instance

str

vinstance

 

connectionType

str

 

 

serverdate

timestamp

 

 

albId

str

 

 

srcIp

ip4

 

 

srcPort

int4

 

 

dstIp

ip4

 

 

dstPort

int4

 

 

elbStatusCode

int4

 

 

backendStatusCode

int4

 

 

method

str

 

 

url

str

 

 

protocol

str

 

 

requestTime

float8

 

 

backendTime

float8

 

 

responseTime

float8

 

 

requestLength

int8

 

 

responseLength

int8

 

 

userAgent

str

 

 

sslCipher

str

 

 

sslProtocol

str

 

 

targetGroupArn

str

 

 

traceId

str

 

 

SNIdomain

str

 

 

chosenCertArn

str

 

 

matchedRulePriority

int4

 

 

requestCreationTime

timestamp

 

 

actionsExecuted

str

 

 

redirectUrl

str

 

 

errorReason

str

 

 

targetList

str

 

 

targetStatusCodeList

str

 

 

classification

str

 

 

classificationReason

str

 

 

rawMessage

str

 

✓

hostchain

str

 

✓

tag

str

 

✓

web.aws.alb.connection

Field

Type

Extra fields

Field

Type

Extra fields

eventdate

timestamp

 

machine

str

 

event_timestamp

timestamp

 

client_ip

str

 

client_ipv4

ip4

 

client_ipv6

ip6

 

client_port

str

 

listener_port

str

 

tls_protocol

str

 

tls_cipher

str

 

tls_handshake_latency

str

 

leaf_client_cert_subject

str

 

leaf_client_cert_validity

str

 

leaf_client_cert_serial_number

str

 

tls_verify_status

str

 

hostchain

str

 ✓

tag

str

 ✓

rawMessage

str

 ✓

web.aws.cloudfront.accessW3c

Field

Type

Source field name

Extra fields

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

 

region

str

vregion

 

instance

str

vinstance

 

serverdate

timestamp

 

 

edgeLocation

str

 

 

srcIp

ip4

 

 

xForwardedFor

ip4

 

 

cloudfrontHost

str

 

 

method

str

 

 

urlHost

str

 

 

url

str

 

 

urlQuery

str

 

 

protocol

str

 

 

statusCode

int4

 

 

edgeResultType

str

 

 

edgeResponseResultType

str

 

 

referer

str

 

 

userAgent

str

 

 

cookies

str

 

 

edgeRequestId

str

 

 

requestLength

int8

 

 

responseLength

int8

 

 

responseTime

float8

 

 

sslProtocol

str

 

 

sslCipher

str

 

 

rawMessage

str

 

✓

hostchain

str

 

✓

tag

str

 

✓

web.aws.elb.access

Field

Type

Field Transformation

Source field name

Extra fields

Field

Type

Field Transformation

Source field name

Extra fields

eventdate

timestamp

 

 

 

region

str

 

vregion

 

instance

str

 

vinstance

 

elb_type

str

 

 

 

serverdate

timestamp

ifthenelse(isnotnull(serverdate_standard), serverdate_standard, parsedate(serverdate_new, dateformat("YYYY-MM-DD[T]HH:mm:ss")))

serverdate_standard

serverdate_new

 

type

str

 

 

 

elbName

str

 

 

 

srcIp

ip4

 

 

 

srcPort

int4

 

 

 

dstIp

ip4

 

 

 

dstPort

int4

 

 

 

elbStatusCode

int4

 

 

 

backendStatusCode

int4

 

 

 

method

str

 

 

 

url

str

 

 

 

protocol

str

 

 

 

requestTime

float8

 

 

 

backendTime

float8

 

 

 

responseTime

float8

 

 

 

requestLength

int8

 

 

 

responseLength

int8

 

 

 

userAgent

str

 

 

 

sslCipher

str

 

 

 

sslProtocol

str

 

 

 

listener

str

 

 

 

target_group_arn

str

 

 

 

trace_id

str

 

 

 

domain_name

str

 

 

 

chosen_cert_arn

str

 

 

 

chosen_cert_serial

str

 

 

 

matched_rule_priority

int4

 

 

 

request_creation_time

timestamp

 

 

 

actions_executed

str

 

 

 

redirect_url

str

 

 

 

error_reason

str

 

 

 

target_port_list

str

 

 

 

target_status_code_list

str

 

 

 

classification

str

 

 

 

classification_reason

str

 

 

 

tls_handshake_time

float8

 

 

 

incoming_tls_alert

str

 

 

 

tls_cipher

str

 

 

 

tls_protocol_version

str

 

 

 

tls_named_group

str

 

 

 

alpn_fe_protocol

str

 

 

 

alpn_be_protocol

str

 

 

 

alpn_client_preference_list

str

 

 

 

serverdate_standard

timestamp

 

 

 

rawMessage

str

 

 

✓

hostchain

str

 

 

✓

tag

str

 

 

✓

web.aws.s3.access

Field

Type

Source field name

Extra fields

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

 

region

str

vregion

 

accountid

str

vaccountid

 

bucketOwner

str

 

 

bucket

str

 

 

time

timestamp

 

 

remoteIp

ip4

 

 

requester

str

 

 

requestId

str

 

 

operation

str

 

 

key

str

 

 

url

str

 

 

statusCode

int4

 

 

errorCode

str

 

 

bytesSent

int8

 

 

objectSize

int8

 

 

totalTime

int8

 

 

turnAroundTime

int8

 

 

referer

str

 

 

userAgent

str

 

 

versionId

str

 

 

hostId

str

 

 

signatureVersion

str

 

 

cipherSuite

str

 

 

authenticationType

str

 

 

hostHeader

str

 

 

TLSversion

str

 

 

rawMessage

str

 

✓

hostchain

str

 

✓

tag

str

 

✓