Parse arrays of objects in AWS WAF logs #459
Overall looks good, just left a couple of small comments. I've suggested an alternate way to write the List => Dict conversions which should make the code more readable (IMO).
Commits:
- Format with Black
- Add checks and implement feedback
- Add unit tests
- Format with Black
if not group_id in message["ruleGroupList"]: | ||
message["ruleGroupList"][group_id] = {} | ||
|
||
# Extract the terminating rule and nest it under its own id |
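Review bot: `if not group_id in message["ruleGroupList"]:` reads better as `if group_id not in message["ruleGroupList"]:`; better still, `message["ruleGroupList"].setdefault(group_id, {})` replaces the check-and-assign pair and removes the separate branch that sits before the terminating rule is nested under its own id.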
Let's refactor the three following blocks (if conditions) into separate functions to reduce the length & complexity of the parse_aws_waf_logs function.
@@ -233,6 +237,242 @@ def test_s3_source_if_none_found(self): | |||
self.assertEqual(parse_event_source({"Records": ["logs-from-s3"]}, ""), "s3") | |||
|
|||
|
|||
class TestParseAwsWafLogs(unittest.TestCase): |
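Review bot: `class TestParseAwsWafLogs(unittest.TestCase):` is added with no docstring stating what its cases cover; since the hunk header (`@@ -233,6 +237,242 @@`) shows a large block, add a short class docstring listing the four converted attributes (httpRequest.headers, nonTerminatingMatchingRules, rateBasedRuleList, ruleGroupList) and make sure each has a case for an empty list as well as a populated one.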
Can we add two more cases here where event comes in as a string:
- valid JSON
- invalid JSON
Not sure what's going on with the Black linter. It looks like the test is downloading version
@NoisomePossum once I merge #481, you should be able to rebase your branch with the latest master, refresh your PR and see what styling changes black demands.
@tianchu Awesome! I'll keep an eye on that, thanks. I do know from the output that it's just the test file, so I was thinking it should be easy to reformat it so that Black would be happy if I only knew what format it expects. :)
@NoisomePossum that PR has been merged.
What does this PR do?
Parses four attributes in AWS WAF logs and converts them into nested JSON.
Motivation
AWS WAF logs use a lot of nested arrays of objects which Datadog doesn't currently parse out in the logs product. However, a lot of useful information is present in these arrays of objects and not having the ability to make facets from these attributes is a blocker for some customers.
Testing Guidelines
Tested on Datadog by sending AWS WAF logs through the Lambda Function (triggered by uploading them to an S3 bucket).
Additional Notes
Examples of proposed changes (before/after for each attribute):
- httpRequest.headers
- nonTerminatingMatchingRules
- rateBasedRuleList
- ruleGroupList
Unit tests need to be added pending review.
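The four list-to-dict conversions the description lists, written as one small function per attribute and accepting the event as a dict or as a JSON string (valid or invalid, the cases asked for in review), as an added example. This is not the forwarder's own code and not the diff under review. Assumptions: the record carries its source tag as `ddsource: waf`, the `message` is either a dict or a JSON string, and the entry field names (`name`/`value`, `ruleId`, `rateBasedRuleId`, `ruleGroupId`, `terminatingRule`) follow the AWS WAF log format; the sample record at the bottom is constructed, not a capture.

```python
"""Nest the arrays-of-objects in an AWS WAF log record so each entry can be faceted.

Added example, not the forwarder's own code. Each list of objects becomes a dict
keyed by the object's identifying field; anything that is not a WAF record, or not
valid JSON, is returned untouched so no log is dropped.
"""
import json
import logging
from typing import Any, Dict, List

log = logging.getLogger(__name__)

# ASSUMPTION: the source tag key/value the forwarder attaches to WAF records.
DD_SOURCE_KEY = "ddsource"
WAF_SOURCE = "waf"

JsonList = List[Dict[str, Any]]


def _without(obj: Dict[str, Any], *keys: str) -> Dict[str, Any]:
    """Copy of obj minus the keys that became the dict name."""
    return {k: v for k, v in obj.items() if k not in keys}


def headers_to_dict(headers: JsonList) -> Dict[str, Any]:
    """[{"name": n, "value": v}, ...] -> {n: v}. A repeated header name (Cookie,
    X-Forwarded-For) collects into a list instead of letting the last value win."""
    out: Dict[str, Any] = {}
    for header in headers:
        name, value = header.get("name"), header.get("value")
        if name is None:
            continue  # malformed entry: no name to key on
        if name in out:
            previous = out[name]
            out[name] = previous + [value] if isinstance(previous, list) else [previous, value]
        else:
            out[name] = value
    return out


def rules_to_dict(rules: JsonList) -> Dict[str, Any]:
    """[{"ruleId": r, "action": a}, ...] -> {r: {"action": a}}; entries lacking ruleId are skipped."""
    return {str(r["ruleId"]): _without(r, "ruleId") for r in rules if isinstance(r, dict) and "ruleId" in r}


def rate_rules_to_dict(rules: JsonList) -> Dict[str, Any]:
    """rateBasedRuleList entries keyed by rateBasedRuleId."""
    return {str(r["rateBasedRuleId"]): _without(r, "rateBasedRuleId")
            for r in rules if isinstance(r, dict) and "rateBasedRuleId" in r}


def rule_groups_to_dict(groups: JsonList) -> Dict[str, Any]:
    """ruleGroupList keyed by ruleGroupId; the terminating rule is nested under its own
    ruleId and the group's non-terminating rules are converted like the top-level list."""
    out: Dict[str, Any] = {}
    for group in groups:
        if not isinstance(group, dict) or "ruleGroupId" not in group:
            continue
        entry = _without(group, "ruleGroupId", "terminatingRule", "nonTerminatingMatchingRules")
        terminating = group.get("terminatingRule")  # may be null when no rule terminated
        if isinstance(terminating, dict) and "ruleId" in terminating:
            entry["terminatingRule"] = {str(terminating["ruleId"]): _without(terminating, "ruleId")}
        if isinstance(group.get("nonTerminatingMatchingRules"), list):
            entry["nonTerminatingMatchingRules"] = rules_to_dict(group["nonTerminatingMatchingRules"])
        out[str(group["ruleGroupId"])] = entry
    return out


def parse_aws_waf_logs(event: Any) -> Any:
    """Return the event with its WAF arrays nested, or the event unchanged if it is
    not a WAF record or not valid JSON."""
    if isinstance(event, str):
        try:
            event = json.loads(event)
        except json.JSONDecodeError:
            log.debug("event is not valid JSON; passing it through unchanged")
            return event
    if not isinstance(event, dict) or event.get(DD_SOURCE_KEY) != WAF_SOURCE:
        return event
    message = event.get("message")
    if isinstance(message, str):  # the message may itself be a JSON document
        try:
            message = json.loads(message)
        except json.JSONDecodeError:
            return event
    if not isinstance(message, dict):
        return event
    request = message.get("httpRequest")
    if isinstance(request, dict) and isinstance(request.get("headers"), list):
        request["headers"] = headers_to_dict(request["headers"])
    for field, convert in (("nonTerminatingMatchingRules", rules_to_dict),
                           ("rateBasedRuleList", rate_rules_to_dict),
                           ("ruleGroupList", rule_groups_to_dict)):
        if isinstance(message.get(field), list):
            message[field] = convert(message[field])
    event["message"] = message
    return event


# Constructed sample record (not a real capture); stored as a string so each call parses a fresh copy.
SAMPLE_WAF_EVENT_JSON = json.dumps({
    DD_SOURCE_KEY: WAF_SOURCE,
    "message": {
        "action": "BLOCK",
        "httpRequest": {"clientIp": "198.51.100.7", "uri": "/login", "headers": [
            {"name": "Host", "value": "example.com"}, {"name": "User-Agent", "value": "curl/8.0"},
            {"name": "Cookie", "value": "a=1"}, {"name": "Cookie", "value": "b=2"}]},
        "nonTerminatingMatchingRules": [{"ruleId": "LogSQLi", "action": "COUNT"}],
        "rateBasedRuleList": [{"rateBasedRuleId": "LoginRate", "limitKey": "IP", "maxRateAllowed": 100}],
        "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                           "terminatingRule": {"ruleId": "SQLi_QUERYARGUMENTS", "action": "BLOCK"},
                           "nonTerminatingMatchingRules": [{"ruleId": "SizeRestrictions_BODY", "action": "COUNT"}],
                           "excludedRules": []}],
    },
})

if __name__ == "__main__":
    print(json.dumps(parse_aws_waf_logs(SAMPLE_WAF_EVENT_JSON), indent=2))
```

The conversions only run when the field is actually a list, so a record that has already been converted (or a record where WAF emitted `null`) passes through unchanged; the repeated-header case is worth keeping in mind because a flat `name: value` dict would otherwise hide a second Cookie or X-Forwarded-For value from a facet.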