Description
Component(s)
extension/encoding/awslogsencoding
Describe the issue you're reporting
Similar to https://github.com/elastic/observability-dev/issues/4434, we need to support ingesting AWS Network Firewall logs with EDOT Cloud Forwarder. We can achieve this by adding support for a new "networkfirewall" log format to https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/encoding/awslogsencodingextension
Use OpenTelemetry Semantic Conventions (SemConv) wherever possible.
To elaborate, AWS Network Firewall (ANF) logs come in 3 types: flow, alert and TLS. ANF uses the Suricata threat detection engine. ANF combines the Suricata standard with its own (especially in the case of TLS, when using TLS inspection with custom rules), e.g. SNI becomes an event-level mapping.
The references:
- General: https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging-contents.html
- TLS inspection: https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-logging.html
- Flow type: https://docs.suricata.io/en/latest/output/eve/eve-json-format.html#event-type-netflow
- TLS type: https://docs.suricata.io/en/latest/output/eve/eve-json-format.html#event-type-tls
- Alert: https://docs.suricata.io/en/latest/output/eve/eve-json-format.html#event-type-alert
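As an added illustration (not code from this issue or from the awslogsencoding extension), the sketch below decodes one ANF record in Go and flattens the nested Suricata EVE event into attributes keyed by semantic-convention names. The envelope layout (`firewall_name`, `availability_zone`, `event`) follows the AWS log-contents page linked above, the attribute names are a hypothetical mapping, the sample record is constructed, and the ANF-specific TLS placement of SNI is not modelled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)
// anfRecord is the AWS envelope around a Suricata EVE event; field names are
// assumed from the AWS "firewall log contents" page linked above.
type anfRecord struct {
	FirewallName     string         `json:"firewall_name"`
	AvailabilityZone string         `json:"availability_zone"`
	Event            map[string]any `json:"event"`
}
// SampleAlert is a constructed alert record in that shape.
const SampleAlert = `{"firewall_name":"fw-1","availability_zone":"us-east-1b","event_timestamp":"1602627001",` +
	`"event":{"timestamp":"2020-10-13T22:10:01.006481+0000","event_type":"alert","src_ip":"203.0.113.4",` +
	`"src_port":55555,"dest_ip":"192.0.2.16","dest_port":111,"proto":"TCP",` +
	`"alert":{"action":"allowed","signature_id":5,"signature":"test_tcp","severity":1}}}`
// ParseANF flattens one record into attributes keyed by OpenTelemetry semantic-convention
// names (a hypothetical mapping, not the extension's own); JSON numbers stay float64.
func ParseANF(line []byte) (map[string]any, error) {
	var rec anfRecord
	if err := json.Unmarshal(line, &rec); err != nil {
		return nil, fmt.Errorf("decode record: %w", err)
	}
	ev := rec.Event
	kind, _ := ev["event_type"].(string)
	attrs := map[string]any{
		"aws.networkfirewall.name": rec.FirewallName,
		"cloud.availability_zone":  rec.AvailabilityZone,
		"source.address":           ev["src_ip"],
		"source.port":              ev["src_port"],
		"destination.address":      ev["dest_ip"],
		"destination.port":         ev["dest_port"],
		"network.transport":        strings.ToLower(fmt.Sprint(ev["proto"])),
	}
	// Flow, alert and TLS events each carry a nested object named after the event_type
	// ("netflow", "alert", "tls"); prefix its keys so the three types never collide.
	sub, ok := ev[kind].(map[string]any)
	if !ok {
		return nil, fmt.Errorf("event_type %q without a %q object", kind, kind)
	}
	for k, v := range sub {
		attrs["suricata."+kind+"."+k] = v
	}
	return attrs, nil
}
func main() { fmt.Println(ParseANF([]byte(SampleAlert))) }
```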