App Logging
• Find error requests with status codes 400 ~ 500
# Assumed message layout: "<method> | <status code> | <remaining text>".
# parse needs one field name per "*"; the original named two fields for three wildcards.
fields @timestamp, @message
| parse @message "* | * | *" as method, statusCode, rest
| filter statusCode >= 400 and statusCode <= 500
| sort @timestamp desc
| limit 10000
# Exclude messages matching a regular expression; replace 정규표현식 with the pattern to exclude.
fields @timestamp, @message, @logStream, @log
| filter @message not like /^정규표현식$/
| sort @timestamp desc
| limit 10000
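As an added example (not part of the original page), the following Python emulates what the `parse @message "* | * | *" as ...` line does: each `*` becomes one named capture, the wildcard count must match the field names, and a numeric range filter is applied to the parsed status code. The `" | "`-separated message layout and the field names `method`, `statusCode`, `path` are assumptions; the log lines are constructed.

```python
"""Local emulation of a Logs Insights glob parse plus a status-code range filter.
Added example, not from the original page. Message layout and field names are assumed."""
import re
from typing import Dict, List, Optional, Sequence

# Constructed sample lines in the assumed "<method> | <status> | <path>" layout.
SAMPLE_LOG = [
    "GET | 200 | /index.html",
    "POST | 403 | /api/login",
    "GET | 404 | /admin",
    "GET | 502 | /api/orders",   # outside 400..500, must be excluded
    "healthcheck ok",            # does not match the layout at all
]


def wildcard_count_matches(pattern: str, names: Sequence[str]) -> bool:
    """True when the glob has exactly one '*' per field name."""
    return pattern.count("*") == len(names)


def glob_to_regex(pattern: str, names: Sequence[str]) -> re.Pattern:
    """Turn a Logs Insights style glob into a regex with one named group per '*'.

    Raises ValueError on a wildcard/name mismatch, which is the defect in a
    three-star pattern given only two names."""
    if not wildcard_count_matches(pattern, names):
        raise ValueError(
            f"pattern has {pattern.count('*')} wildcards but {len(names)} names")
    literals = [re.escape(part) for part in pattern.split("*")]
    regex = literals[0]
    for name, literal in zip(names, literals[1:]):
        regex += f"(?P<{name}>.*?)" + literal   # lazy capture up to the next literal
    return re.compile(regex + r"$")


def parse_message(pattern: str, names: Sequence[str], message: str) -> Optional[Dict[str, str]]:
    """Return the captured fields, or None when the message does not fit the glob."""
    match = glob_to_regex(pattern, names).search(message)
    return match.groupdict() if match else None


def status_in_range(row: Dict[str, str], low: int = 400, high: int = 500) -> bool:
    """Numeric range check on the parsed status code; non-numeric values drop out."""
    try:
        code = int(row["statusCode"])
    except (KeyError, ValueError):
        return False
    return low <= code <= high


def find_error_requests(lines: Sequence[str],
                        pattern: str = "* | * | *",
                        names: Sequence[str] = ("method", "statusCode", "path")) -> List[Dict[str, str]]:
    """Equivalent of: parse @message pattern as names | filter statusCode >= 400 and <= 500."""
    rows = []
    for line in lines:
        row = parse_message(pattern, names, line)
        if row is not None and status_in_range(row):
            rows.append(row)
    return rows


if __name__ == "__main__":
    for row in find_error_requests(SAMPLE_LOG):
        print(row)
```

Run it as a script to see the two matching rows; the unmatched health-check line and the 502 are dropped, and a pattern with more wildcards than names raises before any line is read.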
WAF Block Logging
• Find blocked requests together with all header information
# httpRequest.headers.N is positional: N is the header's index in the request as sent,
# so which header it is can only be read from the matching headers.N.name field.
fields @timestamp, terminatingRuleId, httpRequest.clientIp, httpRequest.uri,
httpRequest.headers.0.name, httpRequest.headers.0.value,
httpRequest.headers.1.name, httpRequest.headers.1.value,
httpRequest.headers.2.name, httpRequest.headers.2.value,
httpRequest.headers.3.name, httpRequest.headers.3.value
| filter action = "BLOCK"
| sort @timestamp desc
| limit 50
• Analyze blocked requests by User-Agent header
fields @timestamp, terminatingRuleId, httpRequest.clientIp, httpRequest.uri, httpRequest.headers.1.value as user_agent
| filter action = "BLOCK"
| filter httpRequest.headers.1.name = "user-agent"
| sort @timestamp desc
• Blocked requests by Content-Type header
fields @timestamp, terminatingRuleId, httpRequest.clientIp, httpRequest.uri, httpRequest.headers.2.value as content_type
| filter action = "BLOCK"
| filter httpRequest.headers.2.name = "content-type"
| sort @timestamp desc
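The two header queries above only see a user-agent or content-type when the client happened to send it as the second or third header, which is what `headers.1.name = "user-agent"` guards against. As an added example (not part of the original page), this Python reads WAF log records with the same fields the queries use (`action`, `terminatingRuleId`, `httpRequest.clientIp`, `httpRequest.uri`, `httpRequest.headers[].name/value`), filters `BLOCK` actions, and looks headers up by name regardless of position. The records are constructed, the `timestamp` field and case-insensitive name matching are assumptions, and `positional_header` shows what the index-based filter returns for comparison.

```python
"""Blocked-request summary from WAF log records with header lookup by name.
Added example, not from the original page; sample records are constructed."""
import json
from collections import Counter
from typing import Any, Dict, List, Optional, Sequence

# Constructed sample records trimmed to the fields used here (assumed shape).
SAMPLE_WAF_LOGS = [
    json.dumps({"timestamp": 1700000000000, "action": "BLOCK",
                "terminatingRuleId": "AWSManagedRulesCommonRuleSet",
                "httpRequest": {"clientIp": "198.51.100.10", "uri": "/login",
                                "headers": [{"name": "Host", "value": "example.com"},
                                            {"name": "User-Agent", "value": "curl/8.0"},
                                            {"name": "Content-Type", "value": "application/json"}]}}),
    # user-agent sits at index 2 here, so headers.1.name = "user-agent" would miss it
    json.dumps({"timestamp": 1700000001000, "action": "BLOCK",
                "terminatingRuleId": "RateLimitRule",
                "httpRequest": {"clientIp": "203.0.113.5", "uri": "/api",
                                "headers": [{"name": "Host", "value": "example.com"},
                                            {"name": "Accept", "value": "*/*"},
                                            {"name": "user-agent", "value": "python-requests/2.31"}]}}),
    json.dumps({"timestamp": 1700000002000, "action": "ALLOW",
                "terminatingRuleId": "Default_Action",
                "httpRequest": {"clientIp": "192.0.2.7", "uri": "/",
                                "headers": [{"name": "Host", "value": "example.com"},
                                            {"name": "User-Agent", "value": "Mozilla/5.0"}]}}),
]


def parse_records(lines: Sequence[str]) -> List[Dict[str, Any]]:
    """One JSON object per line, as WAF delivers them."""
    return [json.loads(line) for line in lines]


def header(record: Dict[str, Any], name: str) -> Optional[str]:
    """Header value by name, case-insensitive, wherever it sits in the list."""
    for h in record.get("httpRequest", {}).get("headers", []):
        if h.get("name", "").lower() == name.lower():
            return h.get("value")
    return None


def positional_header(record: Dict[str, Any], index: int, name: str) -> Optional[str]:
    """What `filter httpRequest.headers.<index>.name = "<name>"` sees: a value only
    when that exact index holds the header."""
    headers = record.get("httpRequest", {}).get("headers", [])
    if index < len(headers) and headers[index].get("name", "").lower() == name.lower():
        return headers[index].get("value")
    return None


def blocked_requests(lines: Sequence[str]) -> List[Dict[str, Optional[str]]]:
    """Equivalent of `filter action = "BLOCK"`, projecting the fields the queries use."""
    out = []
    for rec in parse_records(lines):
        if rec.get("action") != "BLOCK":
            continue
        req = rec.get("httpRequest", {})
        out.append({"rule": rec.get("terminatingRuleId"),
                    "clientIp": req.get("clientIp"),
                    "uri": req.get("uri"),
                    "user_agent": header(rec, "user-agent"),
                    "content_type": header(rec, "content-type")})
    return out


def blocks_by_user_agent(lines: Sequence[str]) -> Counter:
    """Count of blocked requests per user-agent, the aggregation a triage usually wants."""
    return Counter(r["user_agent"] for r in blocked_requests(lines))


if __name__ == "__main__":
    for row in blocked_requests(SAMPLE_WAF_LOGS):
        print(row)
    print(blocks_by_user_agent(SAMPLE_WAF_LOGS))
```

The second sample record is the case the positional query misses: `positional_header(rec, 1, "user-agent")` returns `None` while `header(rec, "user-agent")` finds it, which is why a name-based lookup is the safer way to attribute blocks to a client.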
